NIS2 compliance for SMEs
NIS2 compliance for SMEs: scope triggers, essential vs important entities, cybersecurity measures, reporting timelines, supplier evidence and action plan.
Direct answer
NIS2 compliance for SMEs starts with sector and size scoping, then cybersecurity risk management, incident handling, business continuity, supply-chain security, access control and management oversight. Some small companies can be affected directly by sector rules or indirectly through customer supply-chain requirements.
What does NIS2 compliance for SMEs require?
- Confirm sector and size
- Map Article 21 measures
- Prepare incident workflow
| Key fact | Detail |
|---|---|
| Transposition deadline | 2024-10-17 (member states had to transpose NIS2 into national law by this date) |
| Sectors | 18 critical sectors |
| Incident reporting | 24-hour early warning and 72-hour notification model |
NIS2 compliance for SMEs checklist
Action checklist

| Action | NIS2 reference |
|---|---|
| Check whether the entity is essential, important, exempt or supply-chain affected. | Articles 2-3 |
| Document policies for risk, incident handling, business continuity, supply chain and access control. | Article 21 |
| Define detection, classification, escalation, notification and final report owners. | Article 23 |
Key deadlines
| Date | Requirement | Source |
|---|---|---|
| 2024-10-17 | Member state transposition deadline: member states had to transpose NIS2 into national law by this date. | European Commission NIS2 guidance |
| 24/72 hours | Incident reporting sequence: covered entities need a process for the 24-hour early warning and the 72-hour incident notification. | European Commission NIS2 guidance |
30/60/90-day action plan
- First 30 days: Confirm scope and assign an owner.
  Evidence needed: Applicability note, business owner, systems or product list, and source links.
- Days 31-60: Close the evidence gaps.
  Evidence needed: Policies, supplier records, data maps, technical notes, training records, or process owners.
- Days 61-90: Prepare for audit or customer review.
  Evidence needed: Versioned compliance file, action log, exception register, and next review date.
Evidence to retain
- Applicability decision: Shows whether NIS2 compliance for SMEs applies and why the SME made that decision.
  Retain: Scope memo, trigger criteria, country notes, owner approval, and review date.
- Action owner list: Regulators and enterprise customers expect named accountability, not generic intent.
  Retain: Owner, backup owner, due date, status, and unresolved blocker notes.
- Evidence folder: The fastest way to answer customer due diligence is a single audit-ready evidence file.
  Retain: Policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
Does NIS2 apply to SMEs?
NIS2 generally focuses on medium and large entities in critical sectors, but some smaller entities are included by sector or national designation, and many SMEs are affected through supply-chain requirements.
What should SMEs do first for NIS2?
Start with scope, sector, size and customer exposure. Then map Article 21 controls and build an incident reporting workflow.
Turn this guide into a tracked action plan
Start with the Regulation Checker, save the result, and import the action plan into your EuroComply dashboard when you are ready to assign owners.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.