Security & NIS2

NIS2 for SMEs: do you have to comply?

16 June 2026 · 6 min read

NIS2 affects far more SMEs than you might think, often indirectly through customers and suppliers. We explain clearly who the law applies to and how to get the basics in order.

By Max Holtrop

NIS2 is a new European cybersecurity law, and many business owners are wondering: is NIS2 mandatory for SMEs? The short answer: directly for some companies, and indirectly for many more through their customers and clients. In this article, we calmly explain what NIS2 is, who it applies to, and how, as an SME without its own IT department, you can get the basics in order.

What exactly is NIS2?

NIS2 stands for the second Network and Information Security Directive, a European directive intended to strengthen the digital resilience of businesses and organisations. It is the successor to the first NIS Directive from 2016. The goal: to better protect critical sectors and their suppliers against cyberattacks, because a disruption or hack at one party can have major consequences for society as a whole.

The directive raises the bar on three points:

  • More sectors are covered than under the old NIS law.
  • Stricter requirements for risk management and security.
  • Personal accountability for directors.

Important to know: NIS2 is a directive. Each EU country must translate the rules into its own national legislation. In the Netherlands, this is done through the Cybersecurity Act (Cyberbeveiligingswet).

Who does NIS2 apply to? Essential and important entities

NIS2 divides organisations into two categories, and the difference lies mainly in supervision and penalties.

Essential entities

These are organisations in sectors that keep society running. Think of:

  • Energy and water
  • Transport
  • Healthcare
  • Digital infrastructure (such as data centres and cloud providers)
  • Banking and financial markets
  • Government

These entities are subject to the strictest supervision, with checks both before and after the fact.

Important entities

This is a broader group of sectors that are also socially relevant, but just slightly less critical. For example:

  • Postal and courier services
  • Waste management
  • Food production and processing
  • Manufacturing of certain goods (such as medical equipment, electronics, machinery)
  • Digital providers (such as online marketplaces and search engines)
  • Chemicals

For important entities, supervision applies mainly after the fact, that is, following an incident or a report.

The size threshold

Whether your company falls directly under NIS2 also depends on its size. The directive is essentially aimed at medium-sized and large organisations: roughly from 50 employees or more than 10 million euros in turnover. If you operate in a designated sector and exceed that threshold, then NIS2 is directly mandatory for your SME.

Not sure which category you fall into? On our page about NIS2 compliance we explain the steps in more detail.

Why smaller SMEs are affected after all

This is the crux for many business owners. You might think: "We only have 25 employees and we're not in one of those sectors, so NIS2 doesn't affect us." That's often not quite true.

That's because NIS2 requires large and essential organisations to also have the security of their supply chain in order. This means they will scrutinise their suppliers, service providers and partners. Do you supply products or services to a hospital, an energy company, a large manufacturer or the government? Then they may require you to demonstrably have your security in order.

In practice, you see this reflected in:

  • Additional questions or questionnaires in tenders and quotes.
  • Security requirements being included in contracts.
  • Requests to demonstrate how you handle data breaches and incidents.

This is how, as an SME, you end up confronted with NIS2 anyway, indirectly through the chain. Those who respond to this in time have an edge with large clients. Those who ignore it run the risk of missing out on contracts.

The core obligations of NIS2

If your organisation falls under NIS2 directly or indirectly, it comes down to three pillars.

1. Risk management and appropriate measures

You must map out the digital risks to your organisation and take appropriate measures. Think of:

  • An up-to-date security policy and risk analyses
  • Access management and strong authentication (such as multi-factor verification)
  • Backups and a recovery plan after incidents
  • Supply chain security
  • Employee awareness and training

The measures must be proportionate to the risks. A small business doesn't have to do the same as a multinational, but the basics must be sound.

2. Incident reporting obligation

NIS2 has a strict reporting obligation. A significant security incident must be reported quickly to the regulator, with an initial report within 24 hours and a more detailed report within 72 hours. This calls for arrangements made in advance: who notices an incident, who assesses it and who files the report?

3. Director liability

This is perhaps the biggest change of all. Under NIS2, directors are personally responsible for overseeing cybersecurity. The board must approve the measures, monitor them and undergo training. In the event of negligence, directors can be held personally liable, on top of substantial fines for the organisation. Cybersecurity is therefore definitively a board-level matter, not an IT detail.

The state of play in the Netherlands

In the Netherlands, NIS2 is being translated into the Cybersecurity Act (Cyberbeveiligingswet). The European deadline for implementation was 17 October 2024, but the Netherlands did not meet that deadline. At the time of writing, the law is still being processed and implementation is expected during the course of 2025.

So should you wait before taking action? That's not wise. The substantive requirements are largely fixed, and large clients are already imposing security requirements on their chain. On top of that, getting your security in order takes time. Those who start now avoid stress and last-minute rush later.

Want a concrete step-by-step plan? Then read our earlier article NIS2: how to prepare.

A brief aside: ISO 27001 versus NIS2

We often get asked whether ISO 27001 is the same as NIS2. In short: they overlap, but they are not identical.

  • ISO 27001 is an international standard for information security for which you can voluntarily get certified. It describes how you structurally organise security with a management system.
  • NIS2 is a legal obligation that requires you to take appropriate measures, report incidents and hold the board accountable.

The good news: if you already work according to ISO 27001, you have a large part of the NIS2 measures already in place. Conversely, working on NIS2 puts you well on your way towards a possible ISO certification. They reinforce each other.

Reassuring: getting the basics in order is very doable

NIS2 may sound daunting, but at its core it comes down to something every company should want: setting up your digital environment neatly and securely. For most SMEs, that's perfectly achievable, especially with the right help.

At IT-gemak, we help SMEs get those basics in order step by step:

  • With our IT security we ensure appropriate technical and organisational measures.
  • With a security check we map out where you currently stand and what still needs to be done.
  • With all-in IT management we take care of management and monitoring for you, for one fixed rate and with one fixed team.

That way, you not only meet the requirements but also work more comfortably and securely. No complicated projects, just pragmatic steps that fit your organisation.

Ready to get started with NIS2?

Want to know whether NIS2 is mandatory for your SME, either directly or through your clients, and what the smartest first step is? We're happy to think along with you, free of charge, in plain language and with no obligations.

Schedule a no-obligation advisory consultation and discover how to get the basics in order before your customers or the law require it.
