NIS2 and SMEs: does your business fall under the directive?
NIS2 is the successor to NIS1 and significantly widens the scope. Many SMEs in "ordinary" sectors now suddenly qualify as essential or important entities.
NIS2 (Network and Information Security Directive 2) has been in force since October 2024. The Netherlands completed its implementing legislation in 2025. For SMEs, the key question is: does it apply to me?
The scope in two layers
- Essential entities: sectors such as energy, water, banking, healthcare, and digital infrastructure. Typically organisations with > 250 employees or > €50M in turnover.
- Important entities: a broader group, including postal services, chemicals, food, manufacturing, ICT services, research, and digital providers. From > 50 employees or > €10M in turnover.
What do you actually need to do?
- Risk analysis and an ISMS (overlapping with ISO 27001).
- Incident reporting obligations: early warning within 24 hours, incident notification within 72 hours, final report within one month.
- Supply-chain security: your suppliers must also be adequately secured.
- Staff training, with particular focus on management.
- Mandatory cyber hygiene measures (MFA, backups, patching, segmentation).
Enforcement
Fines of up to 2% of global turnover or €10M (whichever is higher). Personal liability for directors is explicitly part of the framework.
Where do you start?
If you already have ISO 27001, you are 70–80% of the way there. The gap mainly lies in incident reporting timelines and supply-chain security. Without ISO, pursuing certification or building a documented ISMS is the recommended starting point.
Full guide: ISO 27001 for SMEs without spending €50k on consultants
This article is part of our comprehensive Compliance guide. Read the pillar for the complete picture.