Disclaimer: This article is practical guidance, not legal advice. NIS2 is a directive implemented through national law, so details can vary by country.

For many organisations, NIS2 decisions start with assumptions:

“We’re too small.”

“We’re not critical infrastructure.”

“No authority has contacted us.”

Those assumptions get stress-tested fast—when a customer asks for NIS2 alignment, procurement requests evidence, or leadership needs to sign off on risk without a clear view. This article gives you a plain-English scope test to reach a directional answer and move from uncertainty to an evidence-ready plan—without over-engineering.

NIS2 usually applies if you operate in a covered sector (Annex I/II), meet the typical “medium-sized” thresholds or are part of a larger group, and fall under a Member State’s jurisdiction based on establishment or the way services are provided. Even if you’re legally out of scope, many SMEs still feel NIS2 pressure through supply-chain due diligence, with customers asking for NIS2-style proof before contracts are signed.

TL;DR

  • NIS2 is an EU directive implemented via national law; Member States had to transpose it by 17 October 2024 (with practical differences by country).
  • Scope is usually determined by sector → size/structure → jurisdiction.
  • “Out of scope” doesn’t mean “no impact”—vendor assessments often demand NIS2-style evidence.
  • If your scope is unclear, aim for a defensible position: document your reasoning and prepare proportionate proof.
  • A 30-day plan gets you from “Do we apply?” to “We can show control when asked.”

What is the NIS2 Directive?

NIS2 (Directive (EU) 2022/2555) updates the EU’s cybersecurity baseline for organisations that provide services critical to the economy and society. It expands scope, clarifies accountability, and raises expectations around risk management, incident readiness, and governance.

Important: because NIS2 is a directive, each Member State implements it through national law—so registration processes, supervisory authorities, and enforcement mechanics can differ by country.


Who does NIS2 apply to? The 3-part scope logic

Sector check: Annex I vs Annex II

NIS2 starts with a sector-based classification defined in Annex I (sectors of high criticality) and Annex II (other critical sectors).

  • Annex I (often “Essential Entities”) includes sectors such as energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space (exact definitions matter).
  • Annex II (often “Important Entities”) includes areas such as postal/courier, waste management, chemicals, food, manufacturing of critical products, and certain digital/service categories.

Size & structure check: entity vs group vs subsidiary

As a rule of thumb, NIS2 focuses heavily on medium and large organisations—but “size” is not always assessed in isolation. Depending on how services are delivered, scope discussions often involve:

  • the individual legal entity,
  • the corporate group, and/or
  • a subsidiary that actually operates the covered service.

Jurisdiction check: where and how you operate

NIS2 jurisdiction can depend on establishment and national implementation. In addition, certain in-scope entity types not established in the EU may be required to designate an EU representative (Article 26), which can also determine jurisdiction.

Practical takeaway: avoid simplistic logic like “we have EU customers so NIS2 applies.” Instead, confirm:

  • what entity type you are (Annex definitions),
  • where you are established / how services are provided, and
  • which Member State’s implementing law governs your situation.

A 2-minute scope test (directional, not legal advice)

Use this quick check to reach one of four outcomes: likely in scope, unclear, likely out of scope but pressured, or likely out of scope (monitor).

| Quick Question | Yes / No / Not sure | What This Usually Means | What To Do Next |
|---|---|---|---|
| Do we operate in a sector that appears in NIS2 Annex I or II (or our customers operate there)? | | Sector is a strong scope signal | Map your services to Annex definitions + national law |
| Are we typically “medium-sized” or larger (or part of a group that is)? | | Size or group structure may trigger NIS2 | Check group structure + which entity delivers the covered service |
| Are we established in an EU Member State (or otherwise under an EU Member State’s jurisdiction for in-scope services)? | | Jurisdiction determines supervision and registration routes | Identify relevant Member State(s); confirm local authority/process |
| Would a cyber incident at our company significantly disrupt customers or critical services? | | Criticality increases expectations and scrutiny | Assess business impact + dependencies; document rationale |
| Are customers already asking about NIS2, questionnaires, incident reporting, or evidence? | | You may be commercially impacted even if out of scope | Prepare a proportionate evidence pack to reduce deal friction |

  • Mostly “Yes” → You are likely in scope (Essential or Important)
  • Mix of “Yes” and “Not sure” → Scope is unclear
  • Mostly “No”, but customer pressure = Yes → Likely out of scope legally, but expected to align
  • All “No” → Likely out of scope for now, but monitor changes

What Happens If You Are In Scope?

If your organisation is in scope for NIS2, the expectation is not perfection — it is control, accountability, and evidence. Regulators are looking for how decisions are made, owned, and proven.

In practical terms, in-scope organisations are expected to be able to demonstrate that they:

  • Know their most critical systems and services: You can clearly identify what needs to be protected first — and why.
  • Actively manage cybersecurity risk: Risks are assessed, prioritised, and addressed in a structured way, not reactively or informally.
  • Can detect and respond to incidents: You have defined processes to recognise a serious incident, contain it, and escalate it without confusion.
  • Can report incidents within required timelines: Roles, responsibilities, and decision paths are defined before an incident happens.
  • Control supplier and third-party risk: You understand which suppliers matter, what you expect from them, and how that is checked.
  • Have leadership oversight and accountability: Cybersecurity decisions are visible at management level, with documented ownership and approval.

Just as important as the controls themselves is evidence. Authorities and customers will expect you to show how these expectations are met — through policies, decisions, records, and clear responsibilities.

Failure to meet these expectations can result in enforcement actions and financial penalties (up to €10M / 2% of global turnover for Essential Entities and €7M / 1.4% for Important Entities). In practice, the bigger risk is being unable to demonstrate control when asked, by regulators, customers, or your own board.


If you want a practical breakdown of what NIS2 readiness looks like in reality, our guide NIS2 Compliance Readiness for EU SMEs: Practical Guide + Checklist explains the next steps in detail.

If You’re Out of Scope, Why Customers Still Ask for NIS2-Style Evidence

Being out of scope does not remove NIS2 impact. In-scope organisations are expected to manage supply-chain and third-party risk, so they increasingly ask suppliers and service providers to show security evidence.

This is why out-of-scope organisations often see:

  • Vendor security questionnaires referencing NIS2
  • Requests for incident response and risk-management evidence
  • Contract clauses requiring “NIS2-level” security controls
  • Tighter procurement and onboarding checks

For leadership teams, the issue is not compliance — it is commercial credibility. Without clear, proportionate evidence, sales slows down, renewals get delayed, and internal teams are forced to improvise answers.

From scope → readiness: a practical 30-day plan

Once scope is clearer, the question shifts quickly from “Does this apply to us?” to “What do we actually need to do — and how fast?” The goal of the first 30 days is not full compliance, but control and direction.

Week 1: Confirm and Document Scope

  • Validate sector, size, structure, and EU footprint
  • Identify which entities and services are in scope
  • Document the reasoning behind your scope decision

Week 2: Establish a Security Baseline

  • Identify critical systems and dependencies
  • Review existing policies, controls, and incident processes
  • Highlight gaps against NIS2 expectations — without over-detail

Weeks 3–4: Prepare for Evidence and Oversight

  • Assign clear ownership at management level
  • Draft or refine key documentation (risk, incidents, suppliers)
  • Decide which gaps to address internally and where support is needed

By the end of 30 days, organisations should be able to explain their NIS2 position confidently, respond to customer or regulator questions with evidence, and prioritise next steps based on risk.

NIS2 Scope: Where Organisations Commonly Get It Wrong

“We’re too small to be in scope.”
Size matters, but it is not the only factor. Group structure, critical services, and supplier roles can bring smaller organisations into scope — or at least under strong customer scrutiny.

“We’re only a supplier, so NIS2 doesn’t apply.”
Even when legal obligations do not apply, in-scope organisations are required to manage supply-chain risk. Suppliers are often asked to meet NIS2-style expectations as a result.

“No authority has contacted us, so we’re fine.”
NIS2 relies on self-assessment. Organisations are expected to understand and register their position proactively, not wait for notification.

“We already have ISO 27001 or GDPR covered.”
Existing frameworks help, but they do not automatically satisfy NIS2. Scope, reporting timelines, governance, and accountability still need to be assessed explicitly.

Each of these assumptions can delay action or create false confidence. A structured scope check replaces opinion with defensible reasoning — which is what regulators, customers, and leadership teams ultimately expect.


Want a clear, defensible answer (without over-engineering)?

Sunbytes Cyber Compliance Readiness helps you move from uncertainty to clarity—then from clarity to evidence.

Scope Confirmation + Mini Gap Scan includes:

  • Annex mapping workshop (sector/service-type signals)
  • Size/group footprint checklist
  • “Likely in scope / unclear / out of scope but pressured” conclusion + rationale
  • Evidence starter outline (what to prepare next)

If you want a practical next step: request a scope confirmation and mini gap scan.

FAQs

Sometimes. “SaaS” alone is not a reliable scope label. Scope depends on whether your service type matches Annex definitions and your size/group context—plus national implementation.

For certain in-scope entity types offering services in the EU, NIS2 can require designating an EU representative and may establish jurisdiction through that representative (Article 26).

This is increasingly common. In-scope organisations are required to manage supply-chain risk, which means suppliers are often asked to demonstrate NIS2-aligned cybersecurity practices. While this may not be a legal obligation, it becomes a commercial requirement — especially during procurement, renewals, or audits.

Let’s start with Sunbytes

Let us know your requirements for the team and we will contact you right away.
