EuroComply

NIS2 for SaaS Companies

NIS 2 reaches B2B SaaS through two pathways: as a digital-service provider (online marketplaces, online search engines, cloud computing — listed in Annex I) where the SaaS itself is the regulated entity, and as part of the supply chain of in-scope customers, where contractual obligations cascade down via Article 21(2)(d).

Does NIS2 apply to SaaS companies?

It depends. Cloud computing service providers are essential entities under Annex I irrespective of the supply chain. Other SaaS may fall in scope as digital service providers, or face contractual flow-down obligations from in-scope customers.

  • Cloud computing services are 'essential entities' under Annex I, point 8 — independent of whether your SME size profile would otherwise apply
  • Default size threshold (Article 2(1)): ≥ 50 employees or > €10m turnover. SMEs may still be in-scope when designated as critical by a member state
  • Supply-chain security: even out-of-scope SaaS providers face cascading contractual obligations from in-scope customers under Article 21(2)(d)
  • Incident reporting timeline (Article 23): 24-hour early warning, 72-hour notification, 1-month final report — apply to the regulated entity, not its suppliers, unless contractually flowed down
Source: Directive (EU) 2022/2555 (EUR-Lex)

Who does NIS2 apply to?

NIS 2 covers medium-sized and large entities operating in 18 sectors listed in Annexes I and II, split into 'essential' and 'important' categories with different supervision regimes. Size-cap thresholds and sector-specific exceptions apply.

  • Essential entities: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space (Annex I)
  • Important entities: postal/courier services, waste management, chemicals, food, manufacturing, digital providers, research (Annex II)
  • Default size threshold: ≥ 50 employees or > €10m annual turnover
  • Specific entities are in-scope regardless of size (e.g. providers of public electronic communications networks, qualified trust service providers)

What are the penalties for NIS2 non-compliance?

Penalties differ by category. Essential entities face higher caps; important entities face lower caps. Member states must also provide for repressive measures including, in the most severe cases, the temporary suspension of management functions.

Maximum fine:

  • Essential entities: €10 million or 2% of global turnover
  • Important entities: €7 million or 1.4% of global turnover

When does NIS2 apply?

NIS 2 entered into force on 16 January 2023. Member states were required to transpose it into national law and apply the measures from 18 October 2024. Transposition speed varied: some states (e.g. Belgium, Croatia) met the deadline; others (e.g. Germany, France) transposed later, creating fragmented application in 2025–26.

  • 2023-01-16 — Entry into force
  • 2024-10-17 — Transposition deadline for member states
  • 2024-10-18 — Date from which national measures must apply

How to report a significant incident under NIS 2

Article 23 prescribes a staged incident notification timeline: an early warning, an incident notification and a final report, with an intermediate report on request. The notification flows through the entity's designated national CSIRT (or, where applicable, the competent authority).

  1. Early warning within 24 hours

     Submit an early warning to the CSIRT within 24 hours of becoming aware of the significant incident, indicating whether the incident is suspected to be caused by unlawful or malicious acts or could have a cross-border impact.

  2. Incident notification within 72 hours

     Within 72 hours, submit an incident notification updating the early warning and providing an initial assessment of the incident, including its severity, impact and, where available, indicators of compromise.

  3. Intermediate report on request

     On the CSIRT's request, submit an intermediate report with relevant status updates.

  4. Final report within one month

     Within one month of submitting the incident notification, submit a final report covering a detailed description of the incident (severity, impact, root cause, mitigation, and cross-border impact if any).

18 sectors

Number of sectors NIS 2 covers across its Annex I (essential entities — 11 sectors) and Annex II (important entities — 7 sectors), expanding the original NIS Directive's coverage from 7.

Directive (EU) 2022/2555, Annexes I and II

For informational purposes only. This is not legal advice — consult qualified legal counsel.
