---
url: https://eurocomply.app/regulations/nis2/persona/sme-saas
canonical: https://eurocomply.app/regulations/nis2/persona/sme-saas
title: NIS 2 for SaaS Companies — EuroComply
regulation: NIS 2
regulationNumber: (EU) 2022/2555
celex: 32022L2555
persona: SaaS Companies
personaSlug: sme-saas
inForceDate: 2023-01-16
applicationDate: 2024-10-18
sourceUrl: https://eur-lex.europa.eu/eli/dir/2022/2555/oj
lastReviewed: 2026-05-12
author: EuroComply Team
license: CC-BY-4.0
---

# NIS 2 for SaaS Companies

NIS 2 reaches B2B SaaS through two pathways: as a digital-service provider (online marketplaces, online search engines, cloud computing — listed in Annex I) where the SaaS itself is the regulated entity, and as part of the supply chain of in-scope customers, where contractual obligations cascade down via Article 21(2)(d).

## Does NIS 2 apply to saas companies?

It depends. Cloud computing service providers are essential entities under Annex I irrespective of the supply chain. Other SaaS may fall in scope as digital service providers, or face contractual flow-down obligations from in-scope customers.

**Key considerations:**

- Cloud computing services are 'essential entities' under Annex I, point 8 — independent of whether your SME size profile would otherwise apply
- Default size threshold (Article 2(1)): ≥ 50 employees or > €10m turnover. SMEs may still be in-scope when designated as critical by a member state
- Supply-chain security: even out-of-scope SaaS providers face cascading contractual obligations from in-scope customers under Article 21(2)(d)
- Incident reporting timeline (Article 23): 24-hour early warning, 72-hour notification, 1-month final report — apply to the regulated entity, not its suppliers, unless contractually flowed down

## Underlying NIS 2 facts

**Full name:** Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.

**Maximum fine:** Essential: €10 million or 2% of global turnover. Important: €7 million or 1.4% of global turnover..

**Key dates:**

- 2023-01-16 — Entry into force (Article 45)
- 2024-10-17 — Transposition deadline for member states (Article 41)
- 2024-10-18 — Date from which national measures must apply (Article 41)

## Recommended next step

[Walk through the NIS 2 scope decision tree](https://eurocomply.app/decide/nis2/essential-or-important)

## Related EuroComply resources

- Full NIS 2 compliance guide: [/regulations/nis2](https://eurocomply.app/regulations/nis2)
- Markdown companion: [/regulations/nis2.md](https://eurocomply.app/regulations/nis2.md)

## Source

Authoritative text: [(EU) 2022/2555 — EUR-Lex](https://eur-lex.europa.eu/eli/dir/2022/2555/oj) (OJ L 333, 27.12.2022, p. 80–152).

---

Informational only. Not legal advice — consult qualified legal counsel.

Last reviewed: 2026-05-12 by the EuroComply Team. License: CC-BY-4.0.