Are we compliant—or are we just assuming we are?

Many EU SMEs believe their cybersecurity is “good enough”: a few controls in place, some policies written, maybe an occasional scan. But when NIS2 enters the conversation, those assumptions fall apart: suddenly compliance requires proof, timelines, accountability, and decisions at board level. Vendor questionnaires arrive, customers ask for evidence, and leadership is expected to sign off without a clear view of risk or readiness. Security stops being an IT concern and becomes a business exposure.

This article will explain what NIS2 compliance readiness really means for EU SMEs, who must comply, what regulators and customers expect to see, and how to prepare using a practical, evidence-driven checklist.

TL;DR

  • NIS2 is an EU cybersecurity directive (Directive (EU) 2022/2555) implemented via national law. It requires risk management, incident reporting, continuity planning, and evidence you can produce on demand.
  • NIS2 applies to both Essential Entities (e.g. energy, transport, healthcare, digital infrastructure) and Important Entities (e.g. IT service providers, SaaS companies, MSPs, cloud services, manufacturers and digital platforms). Many SMEs are affected directly or indirectly through supply-chain/vendor due diligence.
  • Cybersecurity under NIS2 is a management responsibility, requiring leadership oversight, formal approval of security measures, and accountability for non-compliance.
  • Organisations must be able to provide evidence on demand, including policies, risk assessments, incident response processes, supplier security controls, and staff awareness — especially during audits, incidents, or customer due-diligence requests.
  • The fastest way for EU SMEs to prepare is through a structured NIS2 readiness checklist that helps teams identify gaps, prioritise actions, and build defensible evidence. Download Sunbytes’ NIS2 Readiness Checklist to start preparing with confidence.

What is NIS2 Compliance Readiness?

NIS2 compliance readiness means being able to demonstrate, at any moment, that your organisation can manage cybersecurity risks in a structured, controlled, and accountable way. It goes beyond having security tools or written policies; it requires clear governance, defined responsibilities, tested processes, and evidence that these measures actually work in practice. 

For EU SMEs, readiness is not about achieving “perfect security,” but about showing regulators, customers, and partners that cyber risk is understood, owned by management, and actively managed. This includes knowing what assets you protect, how incidents are handled, how suppliers are assessed, and how decisions are documented. In short, NIS2 readiness is the difference between hoping you are compliant and being able to prove that you are.

Why NIS2 Matters for EU SMEs Now

NIS2 matters now because its scope is broader, and its impact more immediate, than many SMEs expect. While the directive primarily targets mid-sized and larger organisations (50+ employees or €10M+ in annual revenue), smaller entities can still fall under NIS2 if they operate in critical sectors, play a key role in supply chains, or are formally designated as essential or important.

At the same time, enforcement is no longer theoretical. Member States had to transpose the directive into national law by 17 Oct 2024, and the European Commission has opened infringement procedures against countries that missed the deadline or failed to notify their transposition measures, signalling that enforcement is moving forward despite uneven timelines. For organisations, this is the transition period in which regulators, customers, and auditors begin asking harder questions, and expecting structured answers.

The consequences of being unprepared are significant. Maximum fines are at least €10m or 2% of global annual turnover for essential entities and €7m or 1.4% for important entities, but for most SMEs the greater risk lies elsewhere: failed vendor assessments, lost contracts, reputational damage, and leadership being forced to sign off without confidence. NIS2 turns cybersecurity readiness into a measurable business requirement—and the cost of ignoring it is rising fast.

Who Must Comply with NIS2

NIS2 applies more broadly than many organisations expect. For quick clarity, the following entities are in scope:

  • Essential Entities: Organisations operating in critical sectors such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, and public administration.
  • Important Entities: Businesses in sectors including IT service providers, managed service providers (MSPs), cloud and data centre services, SaaS platforms, digital marketplaces, online services, manufacturing, logistics, and postal services.

If you’re unsure whether your organisation qualifies as an Essential or Important Entity, our plain-English scope test breaks it down step by step—so you can quickly determine whether NIS2 applies to you.

The NIS2 Compliance Checklist for SMEs

NIS2 compliance requires consistent decision-making, operational discipline, and evidence that security is actively managed. The checklist below reflects how regulators and enterprise customers assess readiness in practice.

Governance and Risk Management

NIS2 requires cybersecurity to be governed, not improvised. SMEs must assign clear ownership at management level, define who is responsible for risk decisions, and ensure cybersecurity is formally reviewed and approved by leadership. 

Risk management should be documented, business-aligned, and actively used to prioritise actions—not treated as a one-time exercise. The goal is simple: decision-makers must be able to explain what risks exist, which are accepted, and why.

Cybersecurity Policies and Procedures

Policies under NIS2 are only valuable if they reflect reality. Organisations need clear, up-to-date policies covering areas such as access control, incident handling, and data protection, but these must be directly linked to day-to-day procedures. Regulators and customers will look for alignment between what is written and what is actually done. Policies should be approved, communicated, and reviewed regularly—otherwise they create risk instead of control.

Technical and Operational Measures

Technical controls must protect what matters most to the business. This includes securing critical systems, limiting access appropriately, monitoring for suspicious activity, and ensuring vulnerabilities are addressed in a timely manner. NIS2 readiness is not about deploying more tools, but about ensuring existing controls are effective, consistently applied, and tested. If controls fail silently, compliance fails with them.

Security Technologies and Solutions

Security technologies should support governance and risk management, not replace them. SMEs are expected to deploy tools that match their risk profile and operational maturity, and to manage them properly over time. Fragmented or poorly configured tooling creates blind spots and weakens accountability. What matters under NIS2 is not which tools are used, but whether their outputs are understood, reviewed, and acted upon.

Technical Compliance and Certifications

Certifications and frameworks can support NIS2 readiness, but they are not proof on their own. Organisations must be able to show how technical controls and certifications relate to real risks and operational processes. Auditors and customers will ask what is covered, what is excluded, and how controls are validated in practice. Compliance must be explainable—not assumed because a certificate exists.

Compliance with Legal and Industry Standards

NIS2 does not exist in isolation. SMEs must understand how it interacts with other legal, contractual, and sector-specific requirements, such as data protection laws or customer security clauses. These obligations should be tracked centrally and reflected consistently across policies, controls, and reporting. Misalignment between legal expectations and operational reality is a common, and avoidable, source of compliance failure.

Reporting and Communication

Timely and accurate reporting is a core NIS2 expectation. Organisations must clearly define what constitutes a security incident, how it is escalated internally, and who is responsible for external communication. Reporting procedures should be documented, tested, and understood by relevant teams. When incidents occur, confusion or delay is itself a compliance risk. NIS2 incident reporting is staged (early warning, notification, and final report), with tight timelines once you become aware of a significant incident.

Human Resources and Training

People remain a critical part of cybersecurity readiness. NIS2 expects organisations to train staff regularly, ensure roles and responsibilities are understood, and demonstrate engagement beyond tick-box training sessions. Employees should know how to recognise incidents, follow procedures, and escalate concerns. Evidence of awareness and participation is just as important as technical controls.

Download Sunbytes’ NIS2 Readiness Checklist to assess your current state and identify priority gaps. For organisations looking to understand which risk-management measures regulators expect to see evidenced in practice, our detailed breakdown of NIS2 Article 21 explains how these requirements translate into operational controls.

Is your business evidence-ready for NIS2 requirements?

Under NIS2, evidence is not something you assemble after the fact: it must already exist, be current, and be defensible. When regulators, customers, or auditors ask for proof, decision-makers are expected to show how controls operate, how decisions are made, and how risks are managed in real time. Being evidence-ready means knowing exactly what to show, where it lives, and why it matters.

Recent system and access logs

Evidence-ready organisations do not just collect logs—they use them to verify that key controls are working. This means retaining recent system, authentication, and access logs that demonstrate monitoring, access restrictions, and anomaly detection in operation. Companies should ensure logs are reviewed, exceptions are investigated, and the review process itself is documented. If logs exist but are never checked, they do not count as evidence.

Live risk and asset registers

Risk and asset registers must reflect the business as it operates today, not last quarter. Assets should be clearly identified, risks assessed in context, and updates made whenever systems, suppliers, or services change. To be NIS2-ready, registers must be actively maintained, linked to your organisational structure, and mapped to security priorities that leadership understands and approves. If a register cannot explain why certain risks are accepted or mitigated, it is incomplete.

Real policy-to-action links

Policies only matter when they trigger action. Evidence-ready organisations can show how a policy led to a specific control, test, or review—and provide proof of that outcome. “We have an incident response policy” becomes “This policy defined the response steps we tested last quarter, here are the results and follow-up actions.” Decision-makers should expect every critical policy to have a visible trail from intent to execution.

Supply-chain compliance checks

NIS2 requires visibility into supplier risk, not blind trust. Evidence should include records of vendor assessments, security reviews, contractual obligations, and mitigation actions taken when gaps are identified. This is not a one-off exercise—supplier checks must be repeatable, documented, and reviewed as part of ongoing risk management. If a critical supplier cannot be explained, justified, or challenged, it represents unmanaged exposure.

Staff engagement

Evidence-ready organisations can show when staff were trained, what they were trained on, and how understanding was verified. This includes follow-up actions after incidents, phishing simulations, or policy changes. Decision-makers should expect proof that employees know how to respond—and that gaps in awareness are identified and addressed promptly.

Being evidence-ready under NIS2 means removing guesswork before pressure arrives. When evidence is structured, current, and tied to real actions, compliance stops being a scramble and becomes something leadership can stand behind with confidence.

Achieve compliance with our free NIS2 Readiness Checklist

NIS2 readiness requires more than awareness. It requires structure, evidence, and decisions leadership can stand behind. Many EU SMEs know what is expected but lack a clear way to assess gaps, prioritise actions, and prove readiness when regulators or customers ask.

Sunbytes helps SMEs turn NIS2 requirements into a practical, evidence-driven approach. Download our free NIS2 Readiness Checklist to establish a clear baseline and prioritise your next steps.

When you’re ready to build evidence and a defensible baseline, start with Sunbytes CyberCheck, a fixed-scope service that delivers a clear security snapshot, evidence map, and prioritised roadmap tailored for lean teams. Contact us for a free consultation!

FAQs

NIS2 applies to both SMEs and large enterprises operating in covered sectors. In general, organisations with 50 or more employees or over €10 million in annual turnover are in scope. However, smaller companies can also be subject to NIS2 if they are designated as critical due to their role, sector, or importance within a supply chain. Non-EU companies offering services within the EU may also be required to comply.

Registration obligations and timelines are set by national implementing laws. If you’re in scope, monitor your national authority’s guidance and be ready to register when required.

Penalties can reach up to €10 million or 2% of global annual turnover for essential entities, and €7 million or 1.4% for important entities. Some countries also include executive liability or mandatory audits.

Companies must be able to provide clear, current, and defensible evidence showing how cybersecurity is governed and operated. This typically includes risk and asset registers, security policies linked to real actions, incident response procedures, system and access logs, supplier security assessments, and proof of staff awareness and training. Evidence must reflect ongoing practice, and be available on demand during audits, incidents, or customer reviews.
