What Is NIS2 and Why Does It Matter for SaaS?
The NIS2 Directive (EU) 2022/2555 is the EU's updated cybersecurity law. It replaces the original NIS Directive (2016) and brings significantly broader scope, higher minimum security requirements, and personal liability for management. EU member states were required to transpose NIS2 into national law by 17 October 2024.
Unlike the original NIS Directive, which focused mainly on critical infrastructure operators, NIS2 explicitly includes cloud computing services, managed service providers (MSPs), and digital service providers in its scope. If you run a SaaS platform or cloud service used by EU businesses, you may be in scope.
Are You In Scope? Essential vs Important Entities
NIS2 creates two tiers of entities, with different obligations and fine levels:
| Category | Who Qualifies | Key Sectors | Max Fine |
|---|---|---|---|
| Essential Entities | Large organisations (250+ employees or €50M+ revenue) in critical sectors | Energy, transport, banking, health, digital infrastructure, cloud computing, public administration, space | €10M or 2% of global annual turnover |
| Important Entities | Medium organisations (50–249 employees or €10M–€50M revenue) in the same sectors | Same sectors as Essential, plus waste management, food, chemicals, postal, digital providers | €7M or 1.4% of global annual turnover |
For SaaS specifically: Cloud computing services (IaaS, PaaS, SaaS), managed service providers, and managed security service providers are explicitly in scope under Annex I (Essential) or Annex II (Important) depending on company size. Digital marketplaces and search engines are also covered.
If you're under 50 employees and under €10M revenue, you're likely outside scope — but NIS2 still affects you indirectly, because your customers who are Essential or Important Entities must verify their supply chain security (including your service).
NIS2 Art. 20: Management Accountability — The Most Important Change
This is the provision that got executives' attention. Under Art. 20:
- Management bodies (boards, directors, senior executives) must approve the cybersecurity risk management measures implemented under Art. 21
- Management bodies must oversee implementation of those measures
- Management bodies can be held personally liable if a breach results from their failure to oversee cybersecurity adequately
- Management bodies must undertake security training — and ensure staff do too
This is a fundamental shift. Under the original NIS Directive, cybersecurity was a technical team concern. Under NIS2, it's a boardroom concern. CEOs and directors who claim ignorance of their company's security posture are not protected.
The 10 Article 21 Cybersecurity Measures
Art. 21 requires entities to implement "appropriate and proportionate technical, operational, and organisational measures" in 10 specific areas. "Proportionate" means the measures should reflect your risk level, size, and sector — but the 10 areas are non-negotiable:
| Art. 21 Ref | Requirement | Key Controls |
|---|---|---|
| Art. 21(2)(a) | Risk analysis and information system security policies | Risk assessment, security policy, regular review |
| Art. 21(2)(b) | Incident handling | IRP, incident classification, root cause analysis, incident log |
| Art. 21(2)(c) | Business continuity, backups, crisis management | BCP/DRP, RTO/RPO, tested backups, crisis escalation |
| Art. 21(2)(d) | Supply chain security | Vendor register, security requirements in contracts, annual reviews |
| Art. 21(2)(e) | Security in acquisition, development, and maintenance of IS | Secure SDLC, vulnerability scanning, pen testing, patch management |
| Art. 21(2)(f) | Policies to assess effectiveness of cybersecurity measures | Cybersecurity metrics, KPIs, internal audit |
| Art. 21(2)(g) | Cybersecurity hygiene and training | Annual security training, phishing awareness, role-specific training |
| Art. 21(2)(h) | Policies on cryptography and encryption | Encryption at rest (AES-256), TLS 1.2+ in transit, key management |
| Art. 21(2)(i) | HR security, access control, asset management | RBAC, least privilege, asset inventory, offboarding procedures |
| Art. 21(2)(j) | Multi-factor authentication and secure communications | MFA on all critical systems, PAM for privileged accounts, secure messaging |
Article 23: Incident Notification Timeline
NIS2 introduces a strict three-step incident notification process for significant incidents:
- Early warning — 24 hours: Notify your national CSIRT or competent authority within 24 hours of becoming aware of a significant incident. This is a simple initial alert — no full analysis required yet.
- Incident notification — 72 hours: Provide a proper incident notification including initial assessment, severity, indicators of compromise, and any cross-border impact.
- Final report — 1 month: Submit a detailed final report with root cause analysis, severity and impact assessment, mitigation measures, and cross-border context.
What is a "significant incident"? NIS2 defines it as an incident that: (a) causes or is capable of causing severe operational disruption or financial loss to the entity, or (b) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
This threshold is deliberately broader than GDPR's data breach notification trigger. You may need to report incidents that don't involve personal data at all (service outages, ransomware without confirmed data access, etc.).
Who to report to: Each EU member state has a designated national CSIRT and/or competent authority. Find your country's CSIRT via ENISA's CSIRT inventory.
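The three Art. 23 clocks above are easy to get wrong during an incident (the 24h/72h deadlines are measured from the moment of awareness, and "1 month" is calendar arithmetic that can land on a day that does not exist). The tracker below is an added example, not part of the original article or any official tool; it assumes the one-month final-report clock starts when the 72-hour notification is actually submitted, and plans from the 72-hour deadline until then.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic that clamps to the last valid day
    (31 Jan + 1 month -> 28 or 29 Feb), so a deadline never lands on a
    non-existent date."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

@dataclass(frozen=True)
class Art23Deadlines:
    early_warning: datetime  # 24 h after becoming aware
    notification: datetime   # 72 h after becoming aware
    final_report: datetime   # 1 month after the notification

def art23_deadlines(aware_at: datetime, notified_at: Optional[datetime] = None) -> Art23Deadlines:
    """Compute the three Art. 23 deadlines from the moment of awareness.
    Timestamps must be timezone-aware: the clock starts when the entity
    became aware, regardless of where the responder sits."""
    if aware_at.tzinfo is None or (notified_at is not None and notified_at.tzinfo is None):
        raise ValueError("timestamps must be timezone-aware")
    notification = aware_at + timedelta(hours=72)
    # Assumption for this example: the one-month clock runs from submission of
    # the 72 h notification; until it is submitted, plan from the 72 h deadline.
    final_report = add_months(notified_at or notification, 1)
    return Art23Deadlines(aware_at + timedelta(hours=24), notification, final_report)

STAGES = ("early_warning", "notification", "final_report")

def notification_status(d: Art23Deadlines, now: datetime, submitted: set) -> dict:
    """Per stage: 'submitted', 'overdue', or 'due in Nh' (whole hours remaining)."""
    status = {}
    for stage in STAGES:
        deadline = getattr(d, stage)
        if stage in submitted:
            status[stage] = "submitted"
        elif now > deadline:
            status[stage] = "overdue"
        else:
            status[stage] = f"due in {int((deadline - now).total_seconds() // 3600)}h"
    return status

if __name__ == "__main__":
    # Constructed sample: incident detected 31 Jan 10:00 UTC, early warning already sent.
    aware = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)
    print(notification_status(art23_deadlines(aware), aware + timedelta(hours=30), {"early_warning"}))
```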
NIS2 vs GDPR: Key Differences
| Aspect | NIS2 | GDPR |
|---|---|---|
| Focus | Cybersecurity of networks and information systems | Protection of personal data |
| Scope | Specific sectors + digital service providers | Any organisation processing personal data of EU residents |
| Incident notification | 24h early warning, 72h notification, 1-month final report | 72h breach notification to DPA (for personal data breaches only) |
| Management liability | Explicit personal liability for management bodies (Art. 20) | No direct personal liability for management (corporate liability) |
| Security standard | 10 specific Art. 21 measures | "Appropriate technical and organisational measures" (Art. 32) |
| Max fine | €10M or 2% global turnover (Essential) | €20M or 4% global turnover |
NIS2 and GDPR are complementary, not alternatives. Most SaaS companies subject to NIS2 are also subject to GDPR. The good news: implementing NIS2's Art. 21 security measures will largely satisfy GDPR Art. 32's requirement for "appropriate technical and organisational measures" — there's significant overlap.
NIS2 Gap Assessment: Know Where You Stand
Before starting any compliance programme, assess your current posture. The ComplyKit NIS2 Compliance Checklist Generator walks you through all 10 Art. 21 requirement areas with control-level questions and generates a scored gap report with prioritised remediation roadmap.
Most early-stage SaaS companies are compliant on some controls (MFA, TLS encryption, cloud backups) but missing policy documentation (risk assessment policy, incident response plan, supply chain security procedures). The gap is often more about documentation than technology.
Practical 6-Week NIS2 Compliance Sprint
- Week 1 — Assess and classify: Run the NIS2 gap assessment. Determine your entity type (Essential/Important/out of scope). Identify your national competent authority.
- Week 2 — Foundation policies: Create or update your Information Security Policy to cover Art. 21 requirements. Draft a risk assessment policy.
- Week 3 — Incident response: Create or update your Incident Response Plan with Art. 23 notification triggers and timelines for your national CSIRT.
- Week 4 — BCP/DRP and supply chain: Create your Business Continuity and Disaster Recovery Plan. Build a vendor register and send Vendor Risk Assessments to critical suppliers.
- Week 5 — Technical controls: Verify MFA is enforced everywhere. Confirm TLS 1.2+ on all endpoints. Review RBAC and access controls. Ensure backups are tested.
- Week 6 — Management sign-off and training: Get the management body to approve the security measures (document this — it is an Art. 20 requirement). Schedule annual security training for all staff.
NIS2 and Your Customers: Supply Chain Pressure
Even if you're out of scope for NIS2 directly, your enterprise customers who are in scope must verify their supply chain security under Art. 21(2)(d). This means they'll start asking you for:
- SOC 2 reports or ISO 27001 certificates
- Your Information Security Policy
- Your Incident Response Plan and breach notification procedures
- Completed security questionnaires (similar to SIG or CAIQ)
- Contractual security commitments (SLAs, right to audit, breach notification obligations)
Proactively building your NIS2-aligned security programme — even if you're technically out of direct scope — makes you a more trustworthy vendor to EU enterprise customers and reduces sales friction.
⚠️ NIS2 transposition varies by EU member state. While the directive's October 2024 deadline has passed, enforcement timelines differ across countries. Consult qualified EU cybersecurity legal counsel for advice specific to your jurisdiction and sector.