
Is NIS 2 Really Changing the Meaning of ‘Critical’, and Why Should Every Organisation Pay Attention?

The European map of “critical infrastructure” is being rewritten, and the lines are now drawn closer to everyone’s doorstep. The NIS 2 Directive no longer targets just the classic power and utility giants; it has swept an astonishing range of digital platforms, SaaS payment companies, mid-size manufacturers, and logistics suppliers into the regulatory net. Today it is not the sector label or company size that triggers ‘critical’ status, but your organisation’s embeddedness in the flow of the economy and society. A seemingly inconspicuous service provider or supplier may carry silent, outsized influence: one whose disruption could ripple rapidly through entire communities, cities, or hemispheres.

A single overlooked supplier can ripple disruption far beyond its own size.

This paradigm shift points to a simple reality: criticality is now determined by dependence, not by scale. Imagine a cloud database provider used by dozens of hospitals, or a digital billing firm powering food distribution. If they stumble, entire sectors feel the impact. These cross-links mean that even the smallest “node” in the network could become the trigger for sector-wide disruption or regulatory scrutiny.

What makes an organisation critical today?

  • If others rely on your continuous service for health, public safety, or the economy, even indirectly, you are on the radar.
  • Annexes I and II of NIS 2 are living documents: what was “non-critical” yesterday might be central tomorrow as digital dependencies deepen.

The new definition of ‘critical’ is less about what you do, and more about what would happen if you suddenly stopped.

Businesses that once considered themselves out of scope are discovering that demand for just-in-time delivery, remote working, and advanced cloud services has put them at the centre of the resilience conversation. Supply chain, digital infrastructure, and public services now operate as an integrated mesh: a disturbance in any strand quickly spreads across the whole fabric.

A first timer might think, “We’re too small to matter.” In reality, NIS 2’s logic is brutal in its clarity: if your operational disruption would create public or sectoral pain, you’re now considered critical. That means procurement, risk, and compliance can no longer see themselves as simple functionaries. Underlying these regulatory mandates is a recognition that today’s economy is so deeply interconnected that fragility anywhere exposes everyone.


Who Qualifies as ‘Essential’ or ‘Important’ Under NIS 2, and Why Does Categorisation Impact Your Organisation?

NIS 2’s biggest move isn’t just a technical upgrade; it’s a wholesale reclassification of who matters most in society’s digital and physical backbone. Essential and important entities form the twin pillars of this regime, and the lines can blur more quickly than many realise.

Essential entities now include companies that provide energy, water, health, finance, digital infrastructure (e.g. cloud, DNS), key logistics, and large digital services. But even less visible players, such as those running outsourced tech or logistics for a hospital, manufacturer, or government, may fall under this bracket if their disruption would be felt by many.

Important entities are the specialist partners, regional hubs, or digital linchpins whose failure could have unexpected cascading effects. These might be three or four steps removed from the “front lines”, but a disruption along the chain can send tremors through multiple sectors and jurisdictions.

Classification is now a living process: what you were last year may not be what you are tomorrow.

How does this process work?

  • Mapping against the NIS 2 Annexes is the first step, but interpretation is ongoing and contextual.
  • Risk-based assessment follows: can your failure trigger a systemic or critical effect, directly or by domino?
  • Cross-border impact is core: a supplier in one country with clients in another can find itself under multiple classifications and obligations.

Finance and operational teams often assume “we’ve ticked the box at HQ, so we’re compliant everywhere.” NIS 2 dismantles that comfort. Every branch, subsidiary, supplier, and even major contractor is now under individual review. You could be “essential” in one context, “important” elsewhere, and “out of scope” in another.

Why does this matter?

  • Regulators and boards expect constant review: Static “once-a-year” mappings are replaced with live entity classification checks.
  • Non-compliance is not a minor slip: It invites direct sanctions, fines, and possible public exposure of failings, potentially with director-level accountability on the line.
  • Business risk is exponential: A new contract, acquisition, merger, or infrastructure deal can reclassify your entire operation overnight.

| Expectation | Operationalisation | ISO 27001 / Annex A Reference |
| --- | --- | --- |
| Know entity type & risk | Annual/ongoing review of business units, suppliers, sites | 4.1–4.2, A.5.2, A.5.3 |
| Prove scope evidence | Maintain mapped register, portals, and public statement | A.5.9, A.5.12, Statement of Applicability |
| Show board sign-off | Document risk acceptance and classification reviews | 5.3, A.5.4 |
| Monitor scope changes | Trigger SoA/evidence review post-org change/incident | 6.1.3, A.5.35, A.5.36 |

| Trigger | Risk Update | Control / SoA Link | Evidence Logged |
| --- | --- | --- | --- |
| Sector change | Update entity map | A.5.12, A.5.35 | New register, SoA |
| Org restructure | Site scan, risk review | 4.3, A.5.3 | Board minutes, audit |
| M&A event | Dual-class review | A.5.4, A.5.9 | Integration report |

The lesson: your place in the NIS 2 universe is volatile, not fixed. Teams must design for agility, not just compliance.








What Makes Supply Chain and Vendor Risk the Hottest Topic in NIS 2?

NIS 2 enshrines supply chain and vendor risk as existential issues. The scary truth: most incidents that cause regulatory pain and operational crisis begin out-of-sight in a supplier, sub-contractor, or software dependency.

Gone are the days of “set-and-forget” vendor reviews at onboarding. NIS 2 requires live, continuous, evidence-backed oversight, and not just of direct relationships. Any service or tool, no matter how remote, can inject vulnerability.

A chain is as strong as its most neglected link.

Micro-case: Why minor suppliers can trigger major pain

A regional logistics firm supporting health providers across two countries suffers a ransomware hit, due to a breach at its third-tier DevOps vendor. Patient transport freezes. The incident cascades across health, government, and finance sectors, fuelling multi-country audits and stakeholder outrage. What started as a minor oversight rapidly escalated into sector-wide crisis, with every upstream and downstream client drawn into a regulator’s lens.

```mermaid
flowchart TD
you["Your Org"] --> v1["Tier 1 Vendor (Cloud)"]
you --> v2["Tier 1 Vendor (Logistics)"]
v1 --> v3["Tier 2 Vendor (Support)"]
v1 --> v4["Tier 2 Vendor (Security)"]
v2 --> v5["Tier 2 Vendor (API)"]
v4 --> v6["Tier 3 Vendor (DevOps)"]
v6 -.-> breach["Potential Breach Hotspot"]
```
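The micro-case turns on a dependency nobody had mapped: a tier-3 vendor three hops away from the organisation that felt the impact. The following is an added example, not code from ISMS.online or from the original article, showing the graph logic behind a dependency map like the one in the flowchart: assign each supplier a tier by shortest path from your organisation, list every contractual path that reaches a compromised vendor, and identify everyone upstream who relies on it. The vendor names are constructed from the diagram and the `DEPENDENCIES` map is an illustrative stand-in for a supplier register.

```python
from collections import deque

# Constructed dependency map mirroring the page's flowchart: each key relies on
# the vendors listed under it. Names are illustrative, not real suppliers.
DEPENDENCIES = {
    "Your Org": ["Tier 1 Vendor (Cloud)", "Tier 1 Vendor (Logistics)"],
    "Tier 1 Vendor (Cloud)": ["Tier 2 Vendor (Support)", "Tier 2 Vendor (Security)"],
    "Tier 1 Vendor (Logistics)": ["Tier 2 Vendor (API)"],
    "Tier 2 Vendor (Security)": ["Tier 3 Vendor (DevOps)"],
}


def vendor_tiers(root, deps):
    """Breadth-first walk from `root`; returns {vendor: tier} where tier 1 is a
    direct supplier. A vendor reachable by several paths keeps its shortest tier."""
    tiers = {}
    queue = deque([(root, 0)])
    seen = {root}
    while queue:
        node, depth = queue.popleft()
        for child in deps.get(node, []):
            if child not in seen:
                seen.add(child)
                tiers[child] = depth + 1
                queue.append((child, depth + 1))
    return tiers


def exposure_paths(root, compromised, deps):
    """Every path from `root` down to `compromised`: these are the contractual
    relationships that need an impact review when that vendor is breached."""
    paths = []

    def walk(node, path):
        if node == compromised:
            paths.append(path)
            return
        for child in deps.get(node, []):
            if child not in path:  # guard against cycles in a real register
                walk(child, path + [child])

    walk(root, [root])
    return paths


def upstream_of(compromised, deps):
    """All entities that rely, directly or transitively, on `compromised`: the
    set to notify and re-assess when it is breached."""
    reverse = {}
    for parent, children in deps.items():
        for child in children:
            reverse.setdefault(child, []).append(parent)
    affected, stack = set(), [compromised]
    while stack:
        node = stack.pop()
        for parent in reverse.get(node, []):
            if parent not in affected:
                affected.add(parent)
                stack.append(parent)
    return affected


def unreviewed_vendors(tiers, reviewed):
    """Vendors present in the dependency map but absent from the set of
    suppliers that have a current risk review: the gap the page warns about."""
    return sorted(v for v in tiers if v not in reviewed)


if __name__ == "__main__":
    tiers = vendor_tiers("Your Org", DEPENDENCIES)
    # Constructed register: only the two direct suppliers were ever reviewed.
    reviewed = {"Tier 1 Vendor (Cloud)", "Tier 1 Vendor (Logistics)"}
    print("unreviewed:", unreviewed_vendors(tiers, reviewed))
    print("paths:", exposure_paths("Your Org", "Tier 3 Vendor (DevOps)", DEPENDENCIES))
    print("upstream:", upstream_of("Tier 3 Vendor (DevOps)", DEPENDENCIES))
```

Run against a real supplier register, `unreviewed_vendors` is the list that an onboarding-only review process silently leaves behind, and `upstream_of` is the set that a single tier-3 breach drags into the regulator’s lens.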

ISMS.online Actions:

  • Every supplier entry triggers risk registration: not just at onboarding, but with every change in process, product, or contract.
  • Quarterly reviews and real-time evidence refreshes: move vendor management from annual paperwork to live dashboards and automated alerting.
  • Incident escalation drills: turn every new risk into a pathway for strengthening not just your shield, but your partners’ too.

| Supply Chain Pressure | ISMS.online Process | ISO 27001 / Annex A Reference |
| --- | --- | --- |
| New supplier onboarded | Add to risk register, due diligence | A.5.19, A.5.20, SoA |
| Supplier breach incident | Immediate risk review, reclassification | A.5.21, A.5.25 |
| Quarterly review | Automated scorecard update, evidence | A.5.22, A.5.35 |
| High vendor risk | Board/leadership notified for action | A.5.21, A.5.29 |

| Trigger | Action | Control/SoA Link | Evidence Logged | Risk Level |
| --- | --- | --- | --- | --- |
| New vendor | Risk register, SLA test | A.5.19, A.5.20, SoA | Supplier record, SLA | Standard |
| Supplier incident | Impact/risk update, BCP docs | A.5.21, A.5.25 | Incident log, BCP update | Elevated |
| Quarterly risk review | Update scorecards, dashboards | A.5.22, A.5.35 | Meeting minutes, logs | Baseline |
| Risk flag triggered | Escalate/document exception | A.5.21, A.5.29 | Exception report | Critical |

The hard truth: if you neglect supply chain controls, you absorb your vendors’ risk, plus, potentially, the fines and fallout for a whole sector.




How Do NIS 2, DORA, and National Cyber Laws Collide, and Where Are Companies at Greatest Risk?

It’s a dangerous myth that regulatory obligations are neatly siloed. The real landscape is a labyrinth, with NIS 2, DORA (finance), the Cyber Resilience Act, and a thicket of national frameworks converging on the same companies, yet with contradictory reporting timelines, incident definitions, and board engagement requirements.

It’s easy to miss the deadline, but that’s exactly what regulators are watching for.

The day a fintech is hit with a cross-border cyber incident, the clock starts ticking on multiple mandatory notification windows, often with minor differences in documentation and board review requirements. Miss a single one, and both national and sectoral regulators may launch duplicate audits, pressuring your board and risking reputational and financial harm.

ISMS.online Tactics:

  • Assign compliance champions to each major framework, instead of placing the burden on one ‘compliance team’.
  • Automate incident log reminders and notification timelines for every relevant piece of legislation (NIS 2’s 24/72-hour and 30-day cycle; DORA’s multi-step progression).
  • Consolidate risk and evidence registers in living dashboards, updated in real time and accessible to compliance, legal, and IT.

| Law/Framework | Notification Window | Who Must Sign Off | Documentation/Proof |
| --- | --- | --- | --- |
| NIS 2 | 24h/72h/30 days | Board/Director, CISO | Risk register, incident logs, SoA |
| DORA | 1h/3h/7h/30 days | Risk/Compliance, IT/Security, Board | Audit logs, technical + board info |
| National laws | Variable | Local DPO/Board/IT | Local reports, translation logs |
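The “automate notification timelines” tactic above is, at its core, a small piece of deadline arithmetic that has to be right every time and across time zones. Below is an added example, not ISMS.online code or part of the original article, that turns a detection timestamp into a per-regime schedule and classifies each obligation as open, overdue, filed or late. Only the NIS 2 windows quoted on this page (24 hours, 72 hours, 30 days) are encoded; the `REGIMES` table is an assumed structure into which other regimes can be added once their windows are confirmed, and the sample incident timestamp is constructed.

```python
from datetime import datetime, timedelta, timezone

# Notification windows as quoted on this page for NIS 2, keyed by regime and
# stage. The DORA windows are deliberately left out because the page itself
# gives two different sets of figures for them; add them once confirmed.
REGIMES = {
    "NIS 2": [
        ("early warning", timedelta(hours=24)),
        ("incident notification", timedelta(hours=72)),
        ("final report", timedelta(days=30)),
    ],
}


def deadlines(detected_at, regimes=REGIMES):
    """Return {regime: [(stage, due_at), ...]}; every clock starts the moment
    the incident became known. Requires an aware datetime so that teams in
    different countries compute the same instant."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    return {
        regime: [(stage, detected_at + window) for stage, window in stages]
        for regime, stages in regimes.items()
    }


def status(due_at, now, filed_at=None):
    """Classify one obligation: 'filed' (on time), 'late' (filed after due),
    'overdue' (not filed and past due) or 'open' (still inside the window)."""
    if filed_at is not None:
        return "filed" if filed_at <= due_at else "late"
    return "overdue" if now > due_at else "open"


def next_action(detected_at, now, filings, regimes=REGIMES):
    """Earliest still-open obligation across all regimes as
    (regime, stage, due_at), or None when nothing remains open.
    `filings` maps (regime, stage) -> filed_at for notifications already sent."""
    pending = []
    for regime, stages in deadlines(detected_at, regimes).items():
        for stage, due_at in stages:
            if status(due_at, now, filings.get((regime, stage))) == "open":
                pending.append((due_at, regime, stage))
    if not pending:
        return None
    due_at, regime, stage = min(pending)
    return regime, stage, due_at


def escalation_report(detected_at, now, filings, regimes=REGIMES):
    """One line per obligation, suitable for an incident log or board pack."""
    lines = []
    for regime, stages in deadlines(detected_at, regimes).items():
        for stage, due_at in stages:
            state = status(due_at, now, filings.get((regime, stage)))
            lines.append(f"{regime} | {stage} | due {due_at.isoformat()} | {state}")
    return lines


if __name__ == "__main__":
    # Constructed scenario: detected 09:30 UTC, early warning filed at +20h,
    # and we are now 30 hours in.
    detected = datetime(2025, 3, 3, 9, 30, tzinfo=timezone.utc)
    now = detected + timedelta(hours=30)
    filings = {("NIS 2", "early warning"): detected + timedelta(hours=20)}
    for line in escalation_report(detected, now, filings):
        print(line)
    print("next:", next_action(detected, now, filings))
```

Wiring `next_action` to a reminder job gives the “automated notification timeline” the tactic calls for, and `escalation_report` produces the time-stamped record that the later sections say auditors want to see rather than a policy document.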

The mistake? Believing “technical depth” is enough. The actual differentiator is timely, aligned, and audience-appropriate reporting, supported by living evidence that is accessible when the auditor or regulator comes calling.








What Kind of Risk, Incident, and Board Evidence Must You Provide Under NIS 2?

Under NIS 2, static compliance is dead. Annual reviews and after-the-fact evidence sprints won’t survive regulatory scrutiny. The expectation is for real-time, living evidence: digital logs, time-stamped board review records, incident triggers, and audit-ready supplier data, capable of being surfaced within hours, not weeks.

The regulator doesn’t want to see policies; they want to see what actually happened.

You’re now required to:

  • Log every risk decision, supplier change, or incident in near-real time.
  • Maintain granular, time-stamped management review notes with clear director engagement.
  • Document board interventions, even where organisations are decentralised or cross-border.

| What Must Be Proven | ISMS.online Implementation | ISO 27001 Reference |
| --- | --- | --- |
| Real-time risk and asset updates | Automated asset/risk journals | A.5.9, A.5.12 |
| Incident notification (24/72-hour and 30-day cycle) | Live-triggered incident workflow | A.5.24, A.5.25 |
| Quarterly board engagement evidence | Indexed, time-stamped reviews | 9.3, A.5.35, A.5.36 |
| Supplier change triggers evidence | Vendor risk mapping + audit trail | A.5.19–A.5.22, SoA |

Practitioner insight:
A CISO at a European cloud provider explained, “Quarterly drill logs and live supplier evidence are not just CYA; they’re what stopped our last audit from becoming a penalty storm. Every change now gets logged immediately, with cross-reference to the Board agenda. That single discipline cut our time-to-audit-proof from weeks to hours.”




Does ISO 27001 Cover Your NIS 2 Duties, and Where Are the Gaps?

ISO 27001 is the foundation for a strong security management regime. It guides policy, sets review cycles, and helps automate evidence collection. But NIS 2 demands more: living, time-locked, and board-driven proof, plus granular incident and supply chain transparency, often on tight deadlines.

ISO 27001 gets you culture; NIS 2 demands proof.

Key gap areas:

  1. Rapid incident reporting: ISO 27001 provides for plans and responsibilities, but NIS 2 enforces the 24-hour reporting cycle, escalation protocols, and cross-border response mechanisms.
  2. Board-level documentation: Clause 9.3 addresses management review cadence, but NIS 2 wants date-stamped records, board sign-offs, and detailed intervention evidence.
  3. Supply chain control: Annex A covers vendor risk, but NIS 2 expects granular and continuous tracking, with evidence for every supplier, including tier 2/3, often through real-time dashboards and automated notifications.

| NIS 2 Requirement | ISMS/Operational Step | ISO 27001 Ref | Remaining Gap |
| --- | --- | --- | --- |
| 24-hour incident alert | Triggered protocol, live logging | A.5.24, A.5.25 | Timeline and escalation |
| Board intervention | Time-stamped review, sign-off | 9.3, A.5.36 | “Live” logs, role evidence |
| Ongoing vendor review | Continuous mapping and proof | A.5.19–A.5.22, SoA | Scope, frequency, linkage |

If your company operates internationally, the application of ISO controls must reflect local differences in structure and documentation. English logs may need translating; physical drill reports must tie into digital asset evidence; signatures trace responsibility.








Does ‘Living Evidence’ Make the Audit Harder or Simpler, and What Changes for You?

NIS 2 rewrites the compliance rhythm: gone are the days of evidence “sprints” in the weeks before an audit. Auditors and regulators expect the proof of compliance to be a living, instantly retrievable record spanning risk, incident, asset, and board actions, ready not just at annual review but at any moment.

Surviving the audit isn’t the real goal; living compliance is.

The upshot for compliance teams and security leaders is twofold:

  • Preparation is perpetual, not event-based: Living registers and dashboards are your new audit defence.
  • Transparency is now a competitive asset: Raising a gap and documenting its correction is rewarded, not penalised.

Practitioner Action Plan:

  • Automate policy, incident, and evidence logging: Connect every major operational change to central, searchable workflows.
  • Schedule quarterly drills and proof checks: Retain artefacts, feedback, and corrective actions for quick retrieval.
  • Escalate visible gaps: Proactive issue flagging often results in regulatory leniency compared with concealment.

A pan-European research consortium offered a telling example: after exposing a breach through a minor supplier, they faced a full-scope audit. But by presenting a unified register of live risk, incident, supplier, and board updates, traceable through ISMS.online, the audit closed in weeks, not months, and the consortium’s “living compliance” approach became a model for critical infrastructure peer groups.




Accelerate Your NIS 2 Journey: Build Living Compliance with ISMS.online

The latest expansion of NIS 2, the evolving definitions of “critical” and “essential” entities, and intensifying supply chain and vendor scrutiny mean compliance is no longer just about passing audits; it’s a living, company-wide discipline that transforms how you measure, log, and report risk.

With ISMS.online as your operational partner, you can:

  • Create and maintain real-time entity and supply chain maps, evidencing your current regulatory scope at any moment.
  • Automate risk, incident, and asset logs to capture every board intervention, technical update, or supplier modification as it happens.
  • Build audit-ready, living dashboards integrating registers, management reviews, drill artefacts, corrective logs, and board-level interventions, eliminating the last-minute “evidence sprint.”

Now is the moment to swap static compliance for living assurance. Book a guided session with our experts to map your current footprint, test-drive evidence workflow, and walk away with an actionable, board-ready path to NIS 2, ISO 27001, and supply chain resilience. Own your compliance destiny, safeguard your partners, and unlock “living evidence” as your next competitive edge. Let’s write your resilience story now.

Getting through the audit is just a checkpoint; building living compliance is the real legacy.



Frequently Asked Questions

How does NIS 2 redefine “critical” sectors and organisations, and who’s now in scope?

NIS 2 transforms the definition of “critical infrastructure” from a closed club of national utilities into a living organism, capturing thousands more companies whose disruption could ripple through Europe’s modern economy. Today, your organisation is likely considered “critical” if it builds, enables, or underpins services in health, transportation, food, energy, cloud, digital platforms, logistics, local government, research, or national supply chains. Even regional firms, “secondary” providers, or technology suppliers are within scope if a major failure could impact essential functions.

When a regulator, board, or enterprise customer asks for proof, it’s usually too late to scramble; critical is now contextual, expansive, and self-updating.

ENISA data from 2023 reveals nearly 50% of major incidents originated in overlooked digital or supply chain dependencies: an HR SaaS tool breached, a regional courier hit with ransomware, or a vendor left out of annual reviews. NIS 2 responds by mandating that you map your complete dependency network, both upstream and downstream, revisiting it after every major contract, growth event, or new sector partnership. Your regulatory exposure isn’t static; as sectors in Annexes I and II change, or your service profile grows, your “critical” status can flip overnight.

Who falls under NIS 2 from 2024 onwards?

  • Digital backbone: cloud providers, managed service/SaaS, domain registries, online platforms, digital logistics
  • Supply/food/transport: producers, shippers, couriers, distributors, import/export chains
  • Public/essential utilities: hospitals, labs, research orgs, water/electricity, municipal authorities
  • Sector/region linchpins: regionally unique suppliers whose outage would disrupt key operations, even if not “nationally” famous

The smartest move: audit where you sit on the sector maps quarterly and proactively align with updated customer/regulator signals. As leadership roles and business models shift, systems like ISMS.online keep your “scope status” live, not guesswork.


How do “essential” and “important” classifications change your organisation’s NIS 2 duties and scrutiny?

NIS 2 splits regulated organisations into “essential” (immediately systemic impact) and “important” (key but less visible), each with explicit obligations. Essential entities, such as energy grid operators, hospitals, rail, and major digital platforms, face year-round, proactive supervision: scheduled audits, control evidence on demand, and regulator check-ins tied to incident or risk posture changes. “Important” entities include digital supply chain, cloud, logistics, and regional utilities: they face identical requirements for risk, supply chain, and incident reporting, but their audits are event- or complaint-driven.

| Entity Status | Core Duties (NIS 2) | Oversight Mode |
| --- | --- | --- |
| Essential Entity | Live mapping/logs, real-time risk updates | Proactive: scheduled audits, spot checks |
| Important Entity | Same, incl. board accountability | Reactive: triggered after incidents |

Crucially, as your business grows, merges, or wins new enterprise/critical accounts, you may shift from “important” to “essential” – this must be reviewed every quarter or after any material change. Failing to update status exposes directors and boards to liability and fines. Regulators are watching for companies riding just under thresholds or failing to retag themselves after strategic wins.

Static spreadsheets are a compliance red flag; living, auto-updating risk maps are the new gold standard.


Why does supply chain/vendor risk dominate NIS 2, and what practical steps keep you compliant?

The new digital perimeter isn’t at your firewall; it winds through every third party and service provider, often several steps away from your contract desk. Over 45% of critical incidents in Europe in the last year started with “hidden” supplier weaknesses, per ENISA. Under NIS 2, you must:

  • Maintain a live, digital supplier register: Automated platforms ensure every new supplier, software, cloud tool, or logistics partner is tracked; no more annual spreadsheet reviews.
  • Tier supplier reviews by risk: Focus first on those whose failure knocks out your critical services, but sweep up all minor contracts regularly; regulators have seen threat actors leapfrog “low-tier” vendor gaps.
  • Mandate evidence refreshes every quarter (or faster): Policy is clear: “audit on demand” means logs must be ready, not backfilled.
  • Break silos with cross-team responsibility: IT, procurement, compliance, and legal must each feed live data to the central register.

| Step in Supplier Risk | How to Operationalise | ISO 27001/NIS 2 ref. |
| --- | --- | --- |
| Supplier onboarding | Add to live digital register | A.5.19, A.5.21 |
| Due diligence & renewal | Timestamp contract and review logs | A.5.20, A.5.21 |
| Incident tracing | Link events to supplier digitally | A.5.24–A.5.26 |

Delay here links directly to fines or business interruption; your audit trail must span all vendor relationships, ready for regulator or enterprise customer review at any time.


How can you tackle overlapping regimes (NIS 2, DORA, Cyber Resilience Act) in one compliance system?

Cross-regulation is the new baseline: most IT/critical orgs now face NIS 2, DORA, the Cyber Resilience Act, and sector/national add-ons, sometimes with conflicting deadlines and reporting triggers. The practical solution is to build a single compliance record system (like ISMS.online) that:

  • Maps each risk, supplier, incident, and control to every relevant regime in parallel, based on unique IDs and tags;
  • Tracks reporting deadlines by law/policy (e.g., DORA’s 24h incident window versus NIS 2’s 24/72h) so nothing is missed;
  • Consolidates evidence collection; no double entry or contradictory logs.

| Law/Area | Focus | Reporting Window | Unique Features (Example) |
| --- | --- | --- | --- |
| NIS 2 | Digital/infra/supply | 24/72h | Board logs, chain mapping |
| DORA | Finance/ICT | 24h (can be less) | Financial/ICT focus, TPRM |
| Cyber Resilience Act | Products/services | Sector-specific | Software lifecycle, firmware |

If you’re tracking compliance separately for each regime, you risk missed notifications and costly “audit drift.” A unified system is now a board-level asset, not a luxury.


What is “living, real-time evidence” under NIS 2, and what do European auditors actually demand?

Auditors and regulators now expect digital, time-stamped logs, not end-of-year backfills. Every control, supplier event, policy update, and incident must create an instantly retrievable record. A living audit trail matters more than a static one; your organisation must be able to prove, at any point:

  • Supplier onboarding, contract updates, and offboarding: Tracked with dates, approvals, and reviewer logs.
  • Board/C-Suite meeting minutes: Captured and stored with versioning, signature, and decision logs.
  • Training and staff/supplier acknowledgements: Tracked per person, with evidence of scope.
  • Incident or breach workflow: From trigger to closure, all steps timed, assigned, and logged.

A living compliance system is now both a shield against fines and a reputational moat in Europe’s risk-aware marketplace.

Traceability Table: From Trigger to Evidence

| Trigger Event | Risk Update/Application | Control / SoA Ref | Evidence Logged |
| --- | --- | --- | --- |
| Add supplier | Register + risk reviewed | A.5.21 | Digital entry, sign-off |
| Board review | Risk and control check | ISO 27001 9.3 | Dated minutes, log |
| New policy/revision | Suitability re-validated | A.5.1–A.5.2 | Versioned policy, new training |
| Breach/incident | Plan triggered + analysis | A.5.24–A.5.26 | Timestamps, incident workflow |

ISMS.online and similar platforms automate this process, saving 50–70% prep time and making audit day a matter of logging in, not last-minute rework.


How does ISO 27001 enable-yet not guarantee-NIS 2 readiness? Where do most firms stumble?

ISO 27001 offers a rigorous foundation: risk management, documented controls, and recurring board reviews. But NIS 2’s “live” requirements and supply chain transparency layer on a new complexity. Most firms face gaps in:

  • Incident reporting timing: NIS 2 expects *immediate* log entries and notifications (24/72h), surpassing ISO’s more lenient cadence.
  • Live supplier/evidence logs: Many firms leave supplier logs or risk registers static; even a 30-day lag can fail NIS 2.
  • Continuous board accountability: NIS 2 demands regular digital audit trails for board/C-suite engagement; ISO is less specific here.
  • Dynamic supplier/service reviews: Event-driven, not just annual or periodic; regulators prefer evidence of “review upon trigger.”

Automated compliance platforms bridge this by maintaining live registers, timestamped actions, and cross-referenced SoA (Statement of Applicability) mappings for both standards.

| NIS 2 Expectation | ISMS.online Feature | ISO 27001 / Annex Ref. |
| --- | --- | --- |
| Live supplier/risk logs | Automated, scheduled registers/logs | A.5.19, A.5.21, 6.1.2 |
| Incident response | Integrated workflow (alert to closure) | A.5.24–A.5.26 |
| Board engagement logs | Digital signature, versioned logs | Clause 9.3, 5.1 |
| Third-party monitoring | Automated reviews, alerts, sign-offs | A.5.20–A.5.21 |

How does leadership turn NIS 2 compliance from cost to competitive edge?

NIS 2 assigns blame and recognition at the boardroom, meaning directors and executives are both liable for compliance and able to champion it as a business driver. Boards that treat NIS 2 as living doctrine, logging risk and incident decisions, reviewing dashboards, tracking the supply chain, and demanding proofs before deals, move faster, win enterprise contracts, and elevate company value.

Organisations with active board buy-in:

  • Approve budgets and security hires more readily.
  • Retain staff and suppliers more effectively (engagement through compliance clarity).
  • Respond to and close incidents faster.
  • Earn procurement trust for enterprise and public sector deals.

By 2024, your compliance dashboard is as vital as any financial statement; leadership on it signals health to the market, partners, and regulators alike.


What is the fastest, most resilient path to NIS 2 compliance and audit/buyer trust?

Accelerate by running a full-scope compliance mapping (entity type, criticality, supplier chain, board status) and by adopting automated, real-time compliance tools. ISMS.online enables guided onboarding, living evidence capture, and at-your-fingertips audit trails for every event, not just yearly reports.

  • Map your entity and vendor status quarterly
  • Set up automated reminders and workflow escalation for incidents
  • Track board and staff engagement digitally, not by email chain
  • Ensure evidence is versioned, cross-referenced, and instantly reviewable

Customers routinely see 50–70% less compliance admin overhead, eliminate audit panic, and elevate their regulatory trustworthiness on the first try.

See how other security and risk leaders use ISMS.online to turn compliance into their strategic edge. Don’t wait for a disruption or a request from the board. Lead with living evidence today.


“Are You Critical Under NIS 2?”: Quick Sorting Table

Use this matrix as a first-step triage for your status:

| Your Profile | Your Next Steps | What to Watch |
| --- | --- | --- |
| >250 staff OR €posts above threshold | Sector listed in Annex I/II? | “Essential” entity duties apply |
| Serve/support “essential” customer | Map supply chain, risk, quarterly | Scope can shift quickly |
| Indirect supply to critical sector | Capture reviews upon change, contract | Scope expands with each new deal |
| None of these today | Review on major contracts, M&A, scale | Scope can flip with growth/events |

Lead with Living Evidence: Act Before the Audit

This is your moment to move from spreadsheet snapshots to living, digital compliance, one that builds trust with auditors, customers, and boards. Don’t let inaction or siloed evidence leave your organisation exposed; push for tools and reviews that transform compliance from a box-ticking burden into your next growth engine.



Mark Sharron

Mark Sharron leads Search & Generative AI Strategy at ISMS.online. His focus is communicating how ISO 27001, ISO 42001 and SOC 2 work in practice: tying risk to controls, policies and evidence with audit-ready traceability. Mark partners with product and customer teams so this logic is embedded in workflows and web content, helping organisations understand and prove security, privacy and AI governance with confidence.
