
NIS2 for SMEs: what the European cybersecurity directive means concretely for your business

By Zarioh Digital Solutions, 6 min read

NIS2 is in force but continues to be underestimated by Dutch SMEs. Who actually falls under it, which technical measures are mandatory, how does the reporting obligation work, and what does personal director liability mean? A practical analysis.

NIS2 entered into force across Europe on 16 October 2024. The directive obliges organisations in eighteen designated sectors to implement cybersecurity measures, report incidents, and demonstrably maintain their security. Yet at the start of 2026, many Dutch SMEs are still operating without having assessed whether NIS2 applies to them. Skipping that assessment is proving to be a mistake more and more often.

The reasoning 'we are too small for NIS2' holds for the majority, but not for all. Smaller organisations that are the sole provider of an essential service, suppliers in the supply chain of an essential entity, and businesses active in specific sectors can sometimes fall squarely under the directive. And even for organisations formally outside scope, the technical measures prescribed by NIS2 are increasingly imposed as a minimum standard by large clients and insurers.

Who falls under NIS2?

NIS2 distinguishes two categories. Essential entities are large organisations with more than 250 employees or annual revenue above fifty million euros in ten critical sectors: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, public administration, and space. Important entities are medium-sized organisations with fifty to 250 employees or revenue of ten to fifty million euros in eight additional sectors: postal and courier services, waste management, chemicals, food, production of critical products, digital services, and research.

For SMEs, two situations are particularly relevant. First, the supply chain: do you provide IT services, software, hardware, or managed services to an essential entity? If so, your customer will not overlook you when assessing their supply chain, and increasingly they are contractually obliging suppliers to NIS2-compliant security. Second, the sole provider: is your organisation the only provider of a service in a critical sector in a particular region? In that case, even a small organisation can be designated as essential by the supervisory authority.

What obligations apply?

NIS2 prescribes ten categories of risk management measures:

1. Risk analysis and information security policy, including procedures to systematically map threats and vulnerabilities.
2. Incident management with an established process for detection, response, and recovery.
3. Business continuity, back-ups, and recovery plans that have been demonstrably tested.
4. Supply chain security, including assessment of the security practices of suppliers.
5. Policies and procedures for systems at the procurement stage.
6. Vulnerability management and coordinated disclosure.
7. Cryptography policy for encryption and key management.
8. Personnel security and awareness training.
9. Access management and access controls.
10. Use of multi-factor authentication for all systems within scope.

For an SME, this does not need to become a heavy compliance exercise. What it does require is that policy exists, that measures have been demonstrably taken, and that a responsible person has been designated. The NCSC provides practical basic guidelines that serve as a starting point.

Technical measures that affect your security

Concretely, NIS2 compliance for most SMEs means that a number of technical foundations must be in place. Multi-factor authentication for all accounts with access to business systems, including suppliers and external administrators. Network segmentation so that an attacker who breaches one system does not immediately reach the rest of the environment. Patch management with a documented cycle for updating operating systems and applications, preferably within a fixed period after publication of a security update.

There are also requirements for back-ups. The storage location must be separate from the primary environment, preferably offline or in a separate cloud environment. Recovery must be periodically tested, not only whether the back-up itself can be restored but also how long recovery takes. Vulnerability scanning, at minimum quarterly, to detect known weaknesses in your network and systems in time. And logging of security events so that in the event of an incident you can reconstruct what happened and when.

Incident reporting obligation

One of the most concrete obligations in NIS2 is the reporting obligation for significant incidents. An incident is significant if it seriously disrupts the provision of your services, affects a large number of users, or could potentially affect other entities in your sector. Think of ransomware that took your systems offline, a data breach that exposed sensitive customer data, or a prolonged outage of a critical system.

The timeline is tight: within 24 hours of discovery, you must submit an initial report to the relevant supervisory authority, in the Netherlands the NCSC for essential entities and the sectoral regulator for important entities. Within 72 hours, a more detailed report follows with the nature of the incident, the probable cause, and the number of affected users. Within one month, you submit the final report with the complete analysis, the measures taken, and the lessons learned. Organisations that miss these deadlines or fail to report a notifiable incident risk a separate sanction on top of any fines for the underlying shortcoming.

Director liability: new and serious

One of the most significant elements of NIS2 is the personal liability of directors. The directive requires that managers be actively involved in approving cybersecurity measures and overseeing their implementation. For serious violations, a supervisory authority can impose a temporary ban on holding managerial positions. For many businesses this is new territory: cybersecurity now formally sits at board level, not just with the IT department.

The maximum fines are substantial. For essential entities they run up to ten million euros or two percent of global annual revenue; for important entities up to seven million euros or 1.4 percent. As with the GDPR, the lower amount applies to smaller organisations, but the threshold for formal enforcement is lower than under the original NIS directive. The Dutch Inspectorate for Digital Infrastructure and sectoral regulators are now operational with their enforcement powers.

How do you build a solid foundation?

Five steps establish a workable NIS2 foundation within three months. First, determine your scope: do you fall under essential, important, or outside NIS2? Use the self-assessment tool on the NCSC website or have this assessed by an IT partner familiar with the directive. Second, create an overview of your current security measures against the ten NIS2 categories. A simple spreadsheet suffices for this initial gap analysis.

Third, prioritise the basic technical measures: multi-factor authentication for all accounts, a tested back-up plan, patch management, and logging of security events. These four measures address the biggest risks and are prudent regardless of NIS2. Fourth, document the policy. This does not need to be an extensive certification exercise, but an information security policy and an incident response procedure must exist. Fifth, discuss NIS2 with your suppliers and incorporate security requirements in your new contracts.

NIS2 is not an administrative burden you can ignore. It is a minimum standard that makes your organisation resilient against the most common threats, and one that is increasingly required by clients, insurers, and contracting authorities. Want to know whether your organisation falls under NIS2 and how to meet the obligations practically? Contact Zarioh for a no-obligation assessment.

Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice.