Who Is Now Covered by NIS 2? Why Most Mid-Sized Companies Can’t Assume Exemption

The short answer: if your company employs more than 50 staff and exceeds €10 million in turnover, NIS 2 almost certainly applies to you, regardless of whether you previously counted as “critical infrastructure.” Under NIS 2, the European Union has abandoned the older, narrower focus of “vital operators only.” This was not a minor regulatory tweak but a deliberate scaling of scope to target mid-market and digital-first organisations whose operational risks can ripple across entire supply chains (NIS 2 Article 3, nis-2-directive.com).

This means fast-growth SaaS vendors, manufacturers, research organisations, logistics firms, IT service firms, and any entity providing essential B2B infrastructure (whether or not their logo appears on a government “critical entity” list) are swept up if they cross the size or turnover threshold. The most common mistake? Believing “we’re too small” or “not essential,” and only realising otherwise after receiving a supplier questionnaire or a formal audit letter.

The companies that quietly assume “We’re too small; this isn’t about us” are often the first to be blindsided when they receive the compliance audit notice.

Don’t rely on “sector exemptions” or legacy definitions. NIS 2 directly references both headcount and turnover and, via national “Annex II” sector expansions, captures businesses in production, digital, research, advisory, and even auxiliary roles (ENISA, National Transposition). “Not listed” or “not essential” is not a shield: most mid-sized organisations will, at minimum, be classified as “important” entities under the Directive’s definitions.

Mid-Market Inclusions: Real-World Example

A 60-person digital health company that builds scheduling tools for EU hospitals may not operate wards, but it is a backbone supplier for a regulated sector. That status alone triggers important entity status under NIS 2, even before considering turnover. From 2024, this company must maintain evidence files, live risk registers, and training logs, and prove executive oversight, ready to satisfy event-driven audits at any moment.

How Do “Essential” and “Important” Entity Labels Shift NIS 2 Requirements?

The “essential” (Annex I) and “important” (Annex II) designations under NIS 2 determine how a company is supervised, not whether it needs to meet baseline requirements. The days of escaping this regime because you “aren’t energy or telecom” are over. Essential status is reserved for the most mission-critical sectors: power, digital infrastructure, finance, health. Yet “important” status brings in manufacturers, food production, IT SaaS, logistics, research, and myriad B2B services (NCSC Ireland).

Key distinction: Essential entities are proactively inspected and subject to regular audits, while important entities face reactive, “event-driven” audits (e.g., after a breach, complaint, or major incident) (ENISA).

What’s not different? The technical and governance requirements. Both groups must:

  • Maintain top management accountability
  • Live-manage risk registers and asset inventories
  • Promptly report security incidents (24 hours initial, 72 hours full)
  • Conduct regular policy reviews, maintain change logs, and deliver staff training

Important status is not a compliance downgrade; incident-driven audits tend to happen at the most stressful times, during or after a breach rather than at a predictable annual checkpoint.

Table: NIS 2 Entity Types and Their Core Obligations

Entity Label | Core Obligations (sample) | Oversight Type
Essential | Risk register, incident response plan, SoA, board review | Proactive, routine audit
Important | Same as Essential (no “lite” standard) | Reactive, event-driven

Unless you can prove you are below every threshold, operate on an “included until proven excluded” approach and keep live documentation market-ready.


Why “Small” Suppliers and SaaS Vendors Still Get Caught by NIS 2

It’s a persistent myth: if you’re not “critical” and have <50 staff or <€10m turnover, you’re entirely out of scope. In reality, the compliance net is broader and more dynamic. Regulators routinely add smaller suppliers whose products or services underpin covered entities (e.g., single-source SaaS providers for healthcare or financial services, bespoke manufacturers supporting public infrastructure, logistics companies with a national footprint).

Here’s how smaller firms find themselves regulated:

  • Exclusive supplier/outsized impact: If you alone supply a government, hospital, or grid operator, NIS 2 applies regardless of size.
  • Supply chain risk: If a tier-1 customer is covered, their “important entity” status can be used as a lever to require evidence and pass down obligations.
  • Incident-driven escalation: A security breach, or even a near-miss, can result in your addition to a national register after the fact.
  • National override: Some EU countries expand coverage to any sector with major local risk, so a Belgian or Irish SaaS supporting transport or education may find itself listed.

“We thought we were just a small supplier – then our biggest client began sending compliance questionnaires about our incident log and training. Within days, their compliance team confirmed we had to meet NIS 2 evidence standards.” (SaaS CEO testimonial, anonymised)

Table: “Inclusion Triggers” for Small and Mid-Sized Entities

Trigger Type | Example / Scenario | Impact
Size threshold | >50 staff, €10m+ turnover | In scope
Sector Annex I/II | Mid-market manufacturer, sector SaaS, logistics | In scope
Sole/critical role | Exclusive digital supplier for public health system | Regulator classification
Supply chain link | B2B SaaS to a regulated bank, hospital | Contractual inclusion
Incident escalation | Breach triggers regulator onboarding | Event-based application
National expansion | Belgium adds key suppliers not on EU list | In scope

If any box is checked, assume you must prepare for NIS 2 compliance; don’t wait for a formal notification.




What Penalties and Operational Risks Do Mid-Sized & “Important” Entities Actually Face?

Compliance gaps under NIS 2 are now business-critical liabilities. Fines can reach €7 million or 1.4% of global turnover, substantial even for high-growth SaaS and sector suppliers. Yet the penalty of missed contracts, deal delays, or reputational damage is often higher and more frequent.

Two unique risk elements now define the operational landscape:

  • Event-driven audit risk: Important entities are not inspected “by appointment”; the first review often comes amid a crisis, after a breach, or when a key customer demands evidence at speed.
  • Evidence-on-demand culture: Insurance renewals, M&A events, or third-party procurement processes increasingly ask for NIS 2-aligned risk registers, incident logs, policy approvals, and management meeting notes before any regulator arrives.

It’s never the proactive compliance review that’s the real threat; it’s the unexpected event or questionnaire after an incident.

Companies operating in a “just-in-time” evidence culture risk missing more than fines. They are exposed to lost contracts, delayed onboarding, and a sense of operational chaos when evidence can’t be retrieved.

Slash the Risk With Daily Readiness

Your best defence is a “living” ISMS: real-time risk registers, incident logs, policy approvals, and board engagement evidence, ready to show on demand to any stakeholder, regulator, or procurement team.


Why Live Evidence, Not Just Audit Files, Now Sets the Pace for Procurement and Partnerships

NIS 2 has made evidence an everyday requirement, not just a regulatory one. Your readiness is measured by your ability to surface risk registers, incident logs, management approvals, and training records well before any formal audit occurs.

Procurement teams, partners, and insurers now expect:

  • 24-hour incident notification & 72-hour detail: No delays tolerated.
  • Live risk management dashboards: To demonstrate ongoing, not annual, oversight.
  • Staff training and acknowledgement logs: To ensure policy awareness.
  • Immediate response: Stakeholders have zero patience for “please wait while we assemble evidence” delays.

If you cannot produce this kit, potential partners move on. Odds are, your largest B2B customers will be your first source of demand for live NIS 2 compliance, not a government agency.

The real compliance deadline is not the legal enforcement date, but the day your largest customer asks for cyber evidence.

Readiness Tactic: Build your “evidence box” (an up-to-date risk register, incident logs, signed policies, and board meeting records), then maintain it as a live artefact, not a static audit file.




ISO 27001 and ENISA: The Shortcut to NIS 2 Compliance Proof

For most mid-sized and important entities, the fastest (and most regulator-credible) route to compliance is operationalising ISO 27001:2022 controls in line with NIS 2 and ENISA guidance. Over 90% of technical and process requirements in NIS 2 directly correspond to established ISO controls, making ISO 27001 the practical baseline for readying evidence (ENISA, iso.org).

What matters most: automated policy packs, evidence logs, real-time dashboards, and traceability features that align ISO control requirements with NIS 2’s live-evidence culture. ISMS.online is designed to create this bridge, offering ENISA-aligned templates, live risk registers, automated workflows, and dashboards to centralise compliance management.

ISO 27001–NIS 2 Bridge Table

Expectation | Operationalisation | ISO 27001 / Annex A Ref
Risk register, asset mapping | Dynamic risk modules | Cl 6.1.2, 8.2, A.5.7, A.5.9
Board engagement & oversight | Policy approvals, management reviews | Cl 5.1, 9.3, A.5.5, A.5.36
Incident log/reporting | Automated incident workflows, logs | A.5.24–A.5.26, 6.1.3, 8.2
Evidence of policies/controls | SoA linkage, policy changelog | 6.1.3, 8.3, A.5.31, A.5.35
Training and awareness | Logs/assignments audit, completion logs | 7.2, 6.3, A.6.3

These live, cross-mapped controls satisfy both regulatory expectations and procurement due diligence.


Turn Traceability into a Competitive Advantage: Daily, Audit-Ready, and Board-Proven

Seamless, automated traceability is now a commercial asset, not just a regulatory requirement. Firms using a modern ISMS automate incident-to-risk linking, policy updates, and evidence capture, enabling audits, customer reviews, or investor checks without scrambling.

Traceability: From Trigger to Evidence

Trigger | Risk Update | Control / SoA Link | Evidence
Phishing attack | Phishing risk | A.5.7, A.5.9, A.7.7 | Incident log, risk register, SoA
Data privacy contract | Privacy risk | A.5.34, A.5.35 | DPA mapping, audit log
Password update | Access control | A.5.17, A.8.5 | Policy changelog, SoA approval

“With ISMS.online’s automated incident, risk, and policy mapping, our GRC team can field audit requests or supply chain evidence checks with a click. No more wild evidence hunts.” (senior GRC feedback, anonymised)

This isn’t just for regulatory audits: business development, M&A, strategic partnerships, and even insurance renewals increasingly require instant evidence delivery.

Workflow: Incident or requirement triggers are instantly logged; risks are updated and controls mapped in real-time; evidence (logs, approvals, SoA) is accessible to stakeholders or auditors with no preparatory firefighting.




Why Early NIS 2 Readiness Is a Growth and Trust Lever for Mid-Market Leaders

Compliance is no longer box-ticking: it’s a market expectation, a board risk, and a lever for reputation. Mid-sized and supply chain companies that treat NIS 2 as an always-on practice, building evidence, dashboards, and engagement as part of BAU, not only avoid fines but accelerate deal flow and earn preferential treatment from customers, insurers, and investors.

Proactivity positions you as a market setter, not a follower. Companies already using ISMS.online to automate their compliance loops report faster contract win rates, smoother M&A and procurement cycles, and fewer last-minute surprises (itgovernance.eu, enisa.europa.eu).

The companies treating compliance as a living loop, not just a checkbox project, set the market agenda and win trust by default.

When you own your readiness, you set the rules with clients, not the other way around. Your board no longer “hopes” for compliance; they can prove it, every day.




Secure Your NIS 2 Readiness Every Day, Not Just on Audit Day

No business that crosses the NIS 2 threshold, whether by size, sector, or supply chain exposure, should gamble with “wait and see.” The new compliance landscape is constant, competitive, and evidence-driven.

ISMS.online operationalises ISO 27001–NIS 2 requirements, automates evidence and incident logging, creates ENISA-mapped dashboards, and keeps your “evidence kit” ready before the market ever asks. From initial gap analysis to management review and live risk modules, our platform streamlines compliance so you’re audit-ready on demand and never lose a contract or reputation for lack of proof.

You gain confidence from evidence at your fingertips, long before regulators, buyers, or partners ever ask for it.

Take action before the next event, contract, or customer forces your hand. Make compliance your engine for eligibility, resilience, and commercial advantage.

Secure your NIS 2 readiness with ISMS.online: move ahead, stay ready, and grow with confidence.



Frequently Asked Questions

Who must comply with NIS 2? Are both mid-sized and large companies in scope?

If your company has 50 or more employees and an annual turnover above €10 million, and you operate in a sector covered by NIS 2, you’re now in scope, whether you’re a leading national utility or a digital-first SME. The Directive divides organisations into “essential” (Annex I: health, finance, energy, transport, and more) and “important” (Annex II: digital providers, SaaS, manufacturing, postal, research, and others), but both face nearly identical cyber and governance requirements. The main difference is regulatory scrutiny: essential entities undergo more proactive supervision, while important entities see periodic or reactive checks, but nobody is beyond compliance.

NIS 2 closes the loopholes: mid-sized tech firms now face the same security obligations as the country’s biggest banks and hospitals.

NIS 2 Applicability Table

Staff | Turnover | Sector | Entity Type | In Scope?
≥250 | > €50m | Annex I (health/energy/etc.) | Essential | Yes
50–249 | > €10m | Annex II (digital/SaaS/etc.) | Important | Yes
<50 | ≤ €10m | Any | Micro/Small | Rarely*

*National authorities can still include smaller or sole providers; always check local guidance.
Source: NIS 2 Article 3


What employee and turnover thresholds define an “important entity” under NIS 2?

An “important entity” under NIS 2 is a company with 50–249 employees and annual turnover (or balance sheet total) above €10 million operating in a sector listed in Annex II (such as SaaS, digital infrastructure, postal, or research). This aligns with the standard EU definition for mid-sized businesses. Even if you fall slightly outside these figures, regulators may include you if you’re a sole or critical provider in your industry. True micro and small businesses (below these thresholds) are exempt except when identified by national authorities. If your business supports clients in NIS 2 sectors, failing to check means risking last-minute compliance surprises.

“Am I an Important Entity?” Checklist

  • 50–249 employees and > €10m turnover/balance sheet
  • Operate in an Annex II sector (digital, logistics, manufacturing, etc.)
  • Not exempted by local or national law (rare for supply chain-critical roles)
  • Support essential sector clients, even indirectly ⟶ expect scrutiny

Source: EU SME Definition & Guidance


Does NIS 2 impact SaaS, MSPs, and technology vendors, even if they are not named in the law?

Yes: if you meet the staff or turnover thresholds and provide services to any sector named in Annex I or II, you’re swept into NIS 2 compliance. This includes B2B SaaS, managed services, cloud hosting, ecommerce providers, niche digital bureaus, and supply chain tech enablers. Often, your first brush with NIS 2 won’t come via a government inspector but through client procurement teams demanding security, risk, and policy evidence. Even if your company isn’t explicitly listed, tightly regulated customers (e.g., healthcare, energy, finance) will require NIS 2-ready risk registers and audit trails to sign a contract, or to renew an existing one.

You’re in the line of defence for your customer: when they become subject to NIS 2, their requirements cascade directly into your operations.

Source: ENISA, NIS 2 National Transposition Map


How do procurement and supply chain requirements force NIS 2 compliance for mid-sized companies?

NIS 2’s influence is cascading through vendor risk assessments, procurement audits, and insurance renewals, not just government enforcement. Regulated clients and even insurers increasingly require up-to-date cyber risk registers, incident logs, signed board policies, and staff acknowledgements. If your business cannot provide instant evidence, contracts stall and deals fall through. In 2025, expect NIS 2 compliance to be a go/no-go criterion for every significant renewal or RFP, especially if your client is subject to sector regulation. For most, the first “NIS 2 moment” arrives as an urgent questionnaire or evidence request, not a court summons.

NIS 2 is now a procurement reality: buyers will demand digital evidence of compliance before you even reach the contract stage.

Source: ENISA supply chain risk guidance and sector checklists


Do sector and national variations affect NIS 2 if my company serves clients in several EU countries?

Absolutely. Each EU country is empowered to expand NIS 2’s net, adjust thresholds, or add new critical sectors. For example, Belgium uses decrees to broaden scope, Germany can create intermediate categories, and France operates sector calculators that may vary by activity type. If you serve cross-border clients, expect the strictest national rule among your customer base to set your baseline compliance burden. Contracts and insurance policies frequently reference the “highest applicable” requirement across markets. Monitoring national sector lists and updates annually, and reviewing them in every major board cycle, is crucial for avoiding surprises.

Source: GT Law & ENISA (comparison of cross-country NIS 2 obligations)


What’s the fastest way to get audit-ready for NIS 2, especially for mid-sized or digital providers?

The most effective starting point is a gap analysis against ISO 27001 and ENISA sector guides. Assign a board-level compliance lead, digitise your risk and evidence management (risk registers, incident logs, policy approvals), and link contracts and supplier reviews directly to NIS 2 and ISO 27001 controls. Platforms like ISMS.online automate policy distribution, workflow tracking, evidence exports, and management reviews, meaning you can respond instantly to audits and procurement scrutiny. Prepare a digital “evidence kit” covering: a live risk register, the Statement of Applicability (SoA), board and management review logs, policy sign-offs, and incident records.

Bridging NIS 2 and ISO 27001: Audit Operationalisation Table

NIS 2 Demand | ISO 27001 (Annex A) | How to Operationalise
Risk register, reviews | 6.1.2, 8.2, A.5.7 | Live risk logs; review at least yearly; map to SoA
Incident logs | A.5.24–A.5.26, 6.1.3 | Workflow automation; breach reporting procedures
Board oversight | 5.1, 9.3, A.5.5 | Board sign-off and regular reviews
Supplier controls | A.5.19–A.5.21 | Track contract terms and supplier assessments

Why move early, and how does ISMS.online make compliance a growth advantage (not a burden)?

Proactive NIS 2 readiness transforms security from a cost centre to a market advantage: clients, partners, and insurers prioritise vendors who are audit-ready, with digital evidence at hand. You’ll cut procurement cycles, win more business, and handle insurance and regulatory checks with less stress. ISMS.online turbocharges your evidence engine, automating audits, exportable logs, contract case-linking, policy workflows, and readiness dashboards. The result? Teams like yours pass external audits quickly, earn client trust, and are never forced into last-minute scrambles, giving you an edge over slower, less-prepared rivals every time.

Mid-market leaders succeed when board-level evidence and live audit logs turn compliance from a roadblock into your team’s reputation advantage.

Ready for seamless, futureproof compliance? Elevate your audit-readiness with ISMS.online and turn every checklist into a catalyst for business growth.



Mark Sharron

Mark Sharron leads Search & Generative AI Strategy at ISMS.online. His focus is communicating how ISO 27001, ISO 42001 and SOC 2 work in practice, tying risk to controls, policies and evidence with audit-ready traceability. Mark partners with product and customer teams so this logic is embedded in workflows and web content, helping organisations understand and prove security, privacy and AI governance with confidence.
