NIS2 directive for SMEs: does it apply to you and what must you do?
NIS2 (Directive EU 2022/2555) requires organisations in designated sectors to implement cybersecurity measures and report incidents. Direct scope starts at medium-sized businesses (50+ employees or >€10M revenue). Smaller SMEs are affected indirectly via supply chains.
- NIS2 (Directive EU 2022/2555, Dutch implementation: Cyberbeveiligingswet) applies directly to organisations in designated sectors that meet the medium-sized business threshold: 50 or more employees OR annual turnover or balance sheet total exceeding €10 million. Micro- and small businesses (under 50 employees AND under €10M) fall outside direct scope, except for specific critical infrastructure. Verify the current sector classification and thresholds at rijksoverheid.nl.
- Outside direct scope? You may still be indirectly in scope: organisations subject to NIS2 may contractually require supply-chain partners (suppliers, IT service providers, software vendors) to implement equivalent security measures. This is explicitly stated in Article 21(2)(d) NIS2 (supply chain security). Expect contractual NIS2 requirements from large clients if you deliver software, IT services or digital processes.
- The ten minimum measures of NIS2 (Art. 21 NIS2) overlap strongly with what GDPR (Art. 32 GDPR) already requires: risk analysis, access control, encryption, incident response, back-ups and vendor management. Organisations already GDPR-compliant on information security have a head start. NIS2 adds incident reporting (24-hour initial alert, 72-hour detailed notification, 30-day final report) and active board-level oversight.
Which businesses does NIS2 apply to?
NIS2 (Directive EU 2022/2555) applies to organisations in designated sectors that exceed the medium-sized business threshold: 50 or more employees OR annual turnover or balance sheet total exceeding €10 million. Micro-enterprises (fewer than 10 employees AND under €2 million) and small enterprises (fewer than 50 employees AND under €10 million) fall outside direct scope, unless they operate specific critical infrastructure. The Dutch implementing legislation is the Cyberbeveiligingswet (CBW); verify the current text and your sector classification via rijksoverheid.nl or the NCSC (National Cyber Security Centre). The law distinguishes two categories: essential (Annex I, higher requirements and proactive supervision) and important (Annex II, comparable requirements, reactive supervision).
Which sectors fall under NIS2?
The NIS2 directive distinguishes essential entities (Annex I) from important entities (Annex II). Verify the complete sector classification at rijksoverheid.nl.
Essential (Annex I)
Energy (electricity, gas, heating, oil, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (DNS services, TLD registries, cloud computing services, data centres, CDNs, trust services, electronic communications), public administration and space. Organisations in these sectors face proactive ex-ante supervision and higher penalty ceilings.
Important (Annex II)
Postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers/electronics, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, search engines, social networks) and research organisations. Organisations in this category face reactive supervision: regulators intervene following incidents, complaints or signals.
Indirect scope: supply chain
Do you supply software, IT services, cloud, SaaS or digital processes to a NIS2-obligated organisation? Your client may contractually require you to implement equivalent measures under Art. 21(2)(d) NIS2 (supply chain security). In practice, expect clauses covering penetration testing, ISO 27001 certification, incident notifications to the client and SLAs for availability and recovery time in your supplier agreements.
What does NIS2 concretely require?
Article 21 NIS2 requires covered organisations to implement ten minimum cybersecurity risk-management measures. Article 23 NIS2 requires incident reporting in three phases.
Ten minimum measures (Art. 21 NIS2)
1. Policies on risk analysis and information system security.
2. Incident handling.
3. Business continuity, backup management, disaster recovery and crisis management.
4. Supply chain security.
5. Security in acquisition, development and maintenance of systems, including vulnerability handling.
6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
7. Basic cyber hygiene practices and cybersecurity training.
8. Policies and procedures on cryptography and encryption.
9. Human resources security, access control policies and asset management.
10. Multi-factor authentication (MFA) and secured communications.
Incident reporting (Art. 23 NIS2)
Significant incidents (attacks disrupting service delivery or affecting personal data) must be reported: early warning within 24 hours of discovery; detailed notification within 72 hours (including initial assessment, severity and indicators of compromise); final report with full analysis and remediation measures within 30 days. Contact point in the Netherlands: NCSC or the sector-specific supervisor. Check current reporting procedures at ncsc.nl.
Management liability
NIS2 introduces explicit management liability: senior management of essential and important entities can be held personally liable if negligence leads to a breach. Managers must complete cybersecurity training, actively steer cybersecurity risk management and approve the ten minimum measures. This is a deliberate policy shift from pre-NIS2 practice, where compliance was almost always delegated to operational IT level without board involvement.
Penalties and enforcement
NIS2 distinguishes two penalty ceilings, one for essential entities and one for important entities. All amounts are maxima; supervisors assess proportionality.
Essential entities (Annex I)
Maximum penalty: €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Supervision: proactive ex-ante (audits, inspections, periodic reporting).
Important entities (Annex II)
Maximum penalty: €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. Supervision: reactive (following incidents, complaints or signals).
Who enforces in the Netherlands?
The supervisory authority depends on the sector: for most digital sectors this is the RDI (Rijksinspectie Digitale Infrastructuur) or the NCSC in cooperation with sector regulators (DNB for finance, IGJ for healthcare, etc.). Check which supervisory body covers your sector at rijksoverheid.nl.
NIS2 and GDPR: overlap and addition
NIS2 and the GDPR (General Data Protection Regulation) overlap strongly on technical and organisational security measures: Art. 32 GDPR requires 'appropriate technical and organisational measures' to protect personal data; Art. 21 NIS2 requires ten concrete minimum cybersecurity risk-management measures. In practice, most NIS2 measures are also GDPR measures: encryption, access control, incident response, backups and vendor management are mandatory under both frameworks. The key difference: GDPR focuses primarily on protecting personal data and is enforced by the Data Protection Authority; NIS2 is broader (it also covers non-personal systems and service continuity) and is enforced by sector regulators. A data breach that also disrupts service delivery may require both a GDPR notification (to the DPA, within 72 hours) and a NIS2 notification (to the NCSC/sector regulator, with the early warning due within 24 hours).
Frequently asked questions about NIS2 and SMEs
Does NIS2 apply to a business with fewer than 50 employees?
What should I do if my client is NIS2-obligated and imposes requirements on me as a supplier?
When must I report an incident under NIS2?
How do NIS2 and GDPR relate to each other?
What is the role of management under NIS2?
How does an SME start with NIS2 compliance?
Want to know whether NIS2 applies to your business and what you need to arrange?
Book a free call. We look at your sector, business size and current IT processes, and advise whether you fall directly in scope, how to assess your supply-chain position, and which steps deliver the most value.
Book a free call → Free and without obligation · Reply within one business day · Fixed price up front, no surprises