
NIS 2: Complete Guide for SMBs and Startups in 2026

Complete NIS 2 guide for SMBs and startups: obligations, timeline, penalties, and how to automate compliance in 2026.


Compli.st Team

Security & compliance experts


What Is the NIS 2 Directive?

The NIS 2 Directive (Network and Information Security 2) is the European Union's most ambitious cybersecurity legislative framework. Adopted in December 2022 and transposed into national laws from October 2024 onward, it replaces the original NIS Directive of 2016 and significantly expands its scope.

Where NIS 1 covered only around 300 entities in France, NIS 2 applies to over 15,000 organizations, including for the first time SMBs and startups operating in critical sectors.

Who Does NIS 2 Apply To?

NIS 2 distinguishes two categories of entities:

Essential Entities

  • Energy: electricity, gas, oil, hydrogen
  • Transport: air, rail, maritime, road
  • Health: hospitals, laboratories, medical device manufacturers
  • Digital infrastructure: cloud providers, data centers, DNS, domain name registries
  • Public administration
  • Drinking water and wastewater
  • Space

Important Entities

  • Postal and courier services
  • Waste management
  • Chemical manufacturing
  • Food industry
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital providers: marketplaces, search engines, social networks
  • Research

Size threshold: companies with more than 50 employees or over €10 million in annual revenue are covered. Some entities are covered regardless of size (DNS providers, domain registries, trust service providers).

Key NIS 2 Requirements

1. Governance and Management Accountability

NIS 2 requires management bodies to approve cybersecurity risk management measures and oversee their implementation. Executives can be held personally liable for non-compliance. They must also undergo cybersecurity training.

2. Risk Management

Entities must implement proportionate technical, operational, and organizational measures, including:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity and crisis management
  • Supply chain security
  • Security in the acquisition, development, and maintenance of network and information systems
  • Encryption and cryptography policies
  • Human resources security and access control
  • Multi-factor authentication (MFA)

3. Incident Reporting

NIS 2 imposes a three-step notification system:

  1. Early warning within 24 hours: initial notification to the competent authority
  2. Detailed notification within 72 hours: initial assessment of the incident, severity, and impact
  3. Final report within 1 month: detailed description, probable cause, remediation measures


4. Supply Chain Security

This is one of the major changes. Entities must assess and manage risks related to their suppliers and service providers. In practice, this means:

  • Assessing the security posture of your critical suppliers
  • Including security requirements in contracts
  • Continuously monitoring third-party risks

Impact for SaaS startups: even if your company isn't directly subject to NIS 2, your regulated clients will send you security questionnaires to verify your compliance. The pressure comes through the supply chain.

Penalties

  • Essential entities: up to €10 million or 2% of global annual turnover
  • Important entities: up to €7 million or 1.4% of global annual turnover

Beyond fines, authorities can impose injunctions, mandatory security audits, or temporary suspension of certifications and authorizations.

How to Prepare

Step 1: Determine If You're in Scope

Check your sector and size against the criteria above. Even if you're not directly in scope, your regulated clients will demand security evidence.

Step 2: Conduct a Gap Analysis

Map your existing security measures against NIS 2 requirements. Identify priority gaps.

Step 3: Build on Existing Frameworks

If you're already ISO 27001 certified or SOC 2 compliant, you have a solid foundation. NIS 2 aligns closely with these frameworks.

Step 4: Automate

NIS 2 compliance requires extensive documentation and continuous monitoring. Automation tools like Compli.st centralize evidence, automate security questionnaire responses from regulated clients, and keep your compliance posture up to date.

Conclusion

NIS 2 represents a paradigm shift for cybersecurity in Europe. For SMBs and startups, compliance is no longer optional — it's a business prerequisite. Companies that anticipate and automate their compliance will gain a decisive competitive advantage.
