Key Takeaway: NIS2 generally does not apply to small enterprises (under 50 employees and under EUR 10M turnover). But there are important exceptions, and even out-of-scope SMEs face NIS2 obligations indirectly through their customers' supply chain requirements.

Most guidance about NIS2 is written for large enterprises. That leaves many SME owners and managers asking a simple question that turns out to have a surprisingly complex answer: does NIS2 apply to us?

This article cuts through that complexity. It explains who is in scope, who is out, where the exceptions are, and what a realistic first 90 days of NIS2 compliance looks like for a smaller organization that is within scope.

The size rule: the general threshold

NIS2 applies to medium and large entities in certain sectors. The EU definition of a medium entity is an organization with at least 50 employees OR at least EUR 10 million in annual turnover. Organizations below both thresholds are generally out of scope.

  • Under 50 employees AND under EUR 10M annual turnover: generally OUT of scope
  • 50-249 employees OR EUR 10-50M annual turnover: Important entity (if in an in-scope sector)
  • 250+ employees OR over EUR 50M annual turnover: Essential entity (if in an in-scope sector)

The sector requirement: size alone is not enough

Meeting the size threshold is necessary but not sufficient. You must also operate in one of NIS2's covered sectors. NIS2 Annex I and II define two tiers:

Annex I: highly critical sectors

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (hospitals, labs, pharmaceuticals)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, cloud, data centres)
  • ICT service management (B2B)
  • Public administration
  • Space

Annex II: other critical sectors

  • Postal and courier services
  • Waste management
  • Chemicals manufacture and distribution
  • Food production and distribution
  • Manufacturing of critical products (medical devices, electronics, machinery)
  • Digital providers (online marketplaces, search engines, social platforms)
  • Research organizations

Exceptions: when small organizations ARE in scope

NIS2 includes carve-outs that pull certain small organizations into scope regardless of size. These are the scenarios where a small organization can find itself directly subject to NIS2:

Sole providers of critical services

If you are the only provider of a critical service in your member state, or if your disruption would have a significant societal or economic impact, national authorities can designate you as in scope regardless of size. This primarily affects niche infrastructure providers in smaller member states.

Trust service providers

Qualified trust service providers under eIDAS (certificate authorities, electronic signature services, etc.) are subject to NIS2 regardless of size, because their services underpin the security of digital transactions across the EU.

Top-level domain (TLD) registries and DNS service providers

Due to the critical nature of DNS infrastructure for internet stability, all DNS service providers and TLD registries fall within NIS2 scope regardless of their headcount or revenue.

National designation at member state discretion

Member states can designate additional entities, including smaller ones, if their services are deemed critical at national level. Check your country's NIS2 transposition law for any sector-specific expansions.
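The size rule, the sector requirement and the size-independent carve-outs described above combine into one scope check. The following is an added example, not code from the article or from any regulator's tool: it encodes the article's simplified thresholds and sector labels as given here, treats the three named service types (DNS service providers, TLD registries, qualified trust service providers) plus national designation as the routes into scope regardless of size, and leaves the essential/important assignment for a small carve-out entity to the national authority, since the article does not specify it. The sample entities at the bottom are constructed for illustration.

```python
from dataclasses import dataclass

# Sector labels condensed from the article's Annex I / Annex II summary (assumption: one
# lower-case label per sector; real transposition laws use more granular definitions).
ANNEX_I = frozenset({
    "energy", "transport", "banking", "financial market infrastructure",
    "health", "drinking water", "wastewater", "digital infrastructure",
    "ict service management", "public administration", "space",
})
ANNEX_II = frozenset({
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing of critical products", "digital providers", "research",
})
# Service types the article says are in scope regardless of headcount or revenue.
SIZE_INDEPENDENT_SERVICES = frozenset({
    "dns service provider", "tld registry", "qualified trust service provider",
})


@dataclass(frozen=True)
class Entity:
    name: str
    employees: int
    turnover_eur_m: float                 # annual turnover in millions of EUR
    sector: str                           # label matching the sets above
    services: frozenset = frozenset()     # special service types, if any
    nationally_designated: bool = False   # designated as critical by a member state


@dataclass(frozen=True)
class ScopeResult:
    in_scope: bool
    size_tier: str        # "small" | "medium" | "large"
    classification: str   # "essential" | "important" | "in scope (size-independent)" | "out of scope"
    reasons: tuple


def size_tier(employees: int, turnover_eur_m: float) -> str:
    """Article thresholds: large on EITHER criterion, then medium on EITHER
    criterion; only an entity under BOTH thresholds is small."""
    if employees >= 250 or turnover_eur_m > 50:
        return "large"
    if employees >= 50 or turnover_eur_m >= 10:
        return "medium"
    return "small"


def assess(entity: Entity) -> ScopeResult:
    tier = size_tier(entity.employees, entity.turnover_eur_m)
    covered = entity.sector in ANNEX_I or entity.sector in ANNEX_II
    carve_outs = entity.services & SIZE_INDEPENDENT_SERVICES
    reasons = [f"size tier: {tier}"]

    # Size-independent routes are checked first so a tiny DNS operator is never
    # waved through on the size rule alone.
    if carve_outs or entity.nationally_designated:
        why = ", ".join(sorted(carve_outs)) or "national designation"
        reasons.append(f"in scope regardless of size: {why}")
        if tier == "large" and covered:
            cls = "essential"
        elif tier == "medium" and covered:
            cls = "important"
        else:
            # Assumption: the authority decides essential vs important here.
            cls = "in scope (size-independent)"
        return ScopeResult(True, tier, cls, tuple(reasons))

    if tier == "small":
        reasons.append("below both size thresholds; expect supply chain clauses from NIS2 customers")
        return ScopeResult(False, tier, "out of scope", tuple(reasons))
    if not covered:
        reasons.append(f"size threshold met but sector {entity.sector!r} is not in Annex I or II")
        return ScopeResult(False, tier, "out of scope", tuple(reasons))

    annex = "Annex I" if entity.sector in ANNEX_I else "Annex II"
    reasons.append(f"sector {entity.sector!r} covered by {annex}")
    cls = "essential" if tier == "large" else "important"
    return ScopeResult(True, tier, cls, tuple(reasons))


# Constructed sample entities, one per branch of the decision.
SAMPLE_ENTITIES = (
    Entity("Regional clinic", 30, 5.0, "health"),
    Entity("Lab with large revenue", 30, 12.0, "health"),
    Entity("Large consultancy", 300, 40.0, "software consulting"),
    Entity("Small DNS operator", 8, 1.0, "digital infrastructure",
           frozenset({"dns service provider"})),
    Entity("Grid operator", 260, 80.0, "energy"),
)

if __name__ == "__main__":
    for e in SAMPLE_ENTITIES:
        r = assess(e)
        print(f"{e.name}: {r.classification} ({'; '.join(r.reasons)})")
```

The second sample is the case the AND/OR wording trips people on: 30 employees looks small, but EUR 12M turnover alone makes it a medium entity, so a covered-sector lab of that size is an important entity.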

The indirect obligation: even out-of-scope SMEs are affected

If your customers are NIS2 entities, their supply chain obligations flow down to you contractually. You may not be legally required to comply with NIS2, but you will be practically required to demonstrate security standards if you want to keep those contracts.

What NIS2 customers will ask of their suppliers

  • Security questionnaires assessing your practices
  • Contractual security clauses (incident notification, right to audit, minimum standards)
  • Evidence of certifications (ISO 27001, SOC 2) or equivalent
  • Periodic re-assessment and ongoing communication of significant security changes

SMEs that prepare proactively will be better positioned to win and retain contracts with regulated customers.

If you are in scope: a practical 6-step starter path

If you have determined that NIS2 applies to your organization, here is a realistic starting path that reflects the constraints of a smaller team and budget.

1. Confirm your designation and register

Identify your national NIS2 authority and determine whether you are an Essential Entity or Important Entity. Register with the relevant authority as required by your member state's implementation. Most countries have opened registration portals.

2. Perform a gap assessment against Article 21

Article 21 lists 10 minimum security measures. For each one, assess your current state honestly. You do not need external consultants for this first pass. Assign a responsible person and work through the list systematically over 2-4 weeks.

3. Fix the basics first

Most SMEs have the biggest gaps in multi-factor authentication, patch management, and incident response procedures. These are also the lowest-cost fixes. Prioritize them before investing in complex or expensive tools.

4. Write a simple incident response procedure

A 2-page document is better than nothing. Cover: what counts as a significant incident, who decides, who is the 24-hour notification contact at your national authority, and who inside your organization leads the response. Test it with a tabletop exercise.

5. Get management formally involved

NIS2 makes management personally liable. Your CEO or board needs to formally approve your cybersecurity policy and receive regular updates. Document this approval. This is not a technicality: in enforcement actions, it is the first thing regulators check.

6. Address your critical suppliers

Even as an SME, NIS2 requires you to manage supplier risk. Start with the three to five most critical vendors, ask them for evidence of their security practices, and add basic security clauses to contracts when they come up for renewal.

Cost-effective measures: getting the most compliance for the least cost

High-impact, low-cost measures for SMEs

Free or low-cost

  • Enable MFA on all critical systems (often free in existing tools)
  • Enable automatic updates for OS and applications
  • Write and communicate a password policy
  • Use ENISA's free NIS2 guidance and NCSC resources
  • Document your backup procedure and test it

Moderate investment, high return

  • Password manager deployment (reduces breach risk significantly)
  • Endpoint detection and response (EDR) for all devices
  • Annual security awareness training (phishing simulation)
  • Expert-led gap assessment and compliance roadmap

Proportionality principle: NIS2 explicitly requires regulators to apply measures proportionate to the size, nature, and risk profile of the entity. Smaller in-scope organizations are not expected to implement enterprise-grade controls. Demonstrating good-faith effort and continuous improvement matters as much as achieving a specific technical benchmark.

Frequently asked questions

Does NIS2 apply to small businesses?

NIS2 generally does not apply to small enterprises with fewer than 50 employees and under EUR 10 million in annual turnover. The directive targets medium and large entities in covered sectors. There are important exceptions, and even out-of-scope SMEs face NIS2 obligations indirectly through their customers' supply chain requirements.

What are the NIS2 size thresholds?

Small enterprises with fewer than 50 employees and under EUR 10 million turnover are generally out of scope. Medium entities with 50 to 249 employees or EUR 10 to 50 million turnover are important entities if in a covered sector. Large entities with 250 or more employees or over EUR 50 million turnover are essential entities if in a covered sector.

When are small organisations included in NIS2 scope despite their size?

Small organisations can be pulled into scope if they are sole providers of a critical service in their member state, qualified trust service providers under eIDAS, top-level domain registries or DNS service providers, or designated by member state discretion as critical at national level. Check the country's NIS2 transposition law for sector-specific expansions.

How does NIS2 affect SMEs that supply larger regulated companies?

Even if NIS2 does not apply directly, customers who are NIS2 entities will flow their supply chain obligations down contractually. Expect security questionnaires, contractual clauses on incident notification and right to audit, requests for ISO 27001 or SOC 2 evidence, and periodic re-assessment. SMEs that prepare a light assurance pack win contracts faster.

What are the first steps for an SME that is in scope for NIS2?

Six practical steps: confirm your designation as an essential or important entity and register with the national authority, perform a gap assessment against Article 21's 10 minimum measures, fix the basics first (MFA, patch management, and incident response), write a short incident response procedure, get management to formally approve the policy, and address your top critical suppliers.

Does the NIS2 proportionality principle reduce SME obligations?

Yes, on the depth of controls, not on the list of measures. Article 21 requires all 10 measures for every in-scope entity, but authorities apply proportionality to scale: a medium important entity can document a three-page cryptographic policy where a large essential entity has twenty pages. The measures themselves cannot be skipped.

Do SMEs have to report NIS2 incidents within 24 hours?

Yes, if the SME is in scope. The Article 23 deadlines (24-hour early warning, 72-hour notification, and one-month final report) apply equally to important and essential entities regardless of size. A small in-scope entity needs a documented incident procedure, a named incident commander, and national CSIRT contact details ready before an incident occurs.
