Does NIS2 Apply to My Company? How to Check in 5 Minutes

You get an email from a large customer. They want to know about your cybersecurity practices. Whether you are NIS2-compliant. You read the email twice, google "NIS2", and ten minutes later you are deep in a rabbit hole of European directives, sector lists, and thresholds. Sound familiar?

You are not alone. For most SMB owners, this is the moment NIS2 becomes real. Not because of a new law, but because a customer asked.

In this article, you will run through two checks in about five minutes. By the end, you will know whether NIS2 applies to your company, directly or indirectly, and what to do about it.

The two ways NIS2 can apply to your company

NIS2 works through two paths. The first is direct: your company operates in a designated sector and is large enough to meet the threshold. The second is indirect: your customers fall under NIS2 and pass their supply chain obligations down to you.

These two paths call for different responses. Direct scope means legal obligations. Indirect scope means commercial obligations: your customer expects answers, and if you cannot provide them, you risk losing the contract.

Let us walk through both checks.

Check 1: Are you directly in scope? (The sector and size test)

Direct scope under NIS2 comes down to two questions: does your company operate in one of the designated sectors, and is it large enough?

The size threshold is straightforward: 50 or more employees or annual revenue above EUR 10 million. Below that, you are generally not directly in scope.

There are exceptions. Certain critical services fall under the directive regardless of size. Think DNS providers, trust services, or domain name registries. But for the vast majority of SMBs, being below the threshold means you are not directly in scope.

Above the threshold? Then it depends on your sector.

The 18 NIS2 sectors, explained without jargon

NIS2 divides organizations into two categories: essential entities and important entities. The difference is mainly about enforcement. Essential entities face proactive supervision. Important entities are monitored after the fact, typically following incidents or complaints. The actual requirements are largely the same.

Essential sectors:

  • Energy (electricity, gas, oil, heat)
  • Transport (aviation, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Healthcare (hospitals, labs, pharma)
  • Drinking water
  • Wastewater
  • Digital infrastructure (data centers, DNS, cloud, telecom)
  • ICT service management (managed service providers)
  • Public administration
  • Space

Important sectors:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food production
  • Manufacturing of certain goods (machinery, electronics, medical devices)
  • Digital providers (online marketplaces, search engines, social platforms)
  • Research organizations

If your company falls within one of these sectors and meets the size threshold, you are directly in scope. Your next step is to determine whether you qualify as essential or important, since that affects how you are supervised. Read our full guide on how to prepare for a NIS2 audit.

Check 2: Are you indirectly in scope through your customers?

This is where it gets relevant for most Dutch tech companies. The odds are that, as a SaaS company, IT service provider, software vendor, or digital agency, you do not fall directly in scope. You have 15 or 30 employees, your revenue is below EUR 10 million, and you do not operate in one of those 18 sectors.

But your customers do.

NIS2 includes an explicit article on supply chain security (Art. 21(2)(d)). Organizations that fall under NIS2 are required to assess the cybersecurity of their suppliers. That means a hospital, energy company, or bank you provide software or IT services to will start asking you questions.

In practice, it looks like this: you receive a supplier questionnaire. It asks about your incident response process, access controls, encryption, backup policies, and documentation. You do not need to be NIS2-compliant yourself as a supplier. But you do need to demonstrate that you take security seriously.

This is exactly the scenario we opened this article with. And it is the reason dozens of Dutch SMBs that technically fall outside NIS2 are preparing anyway.

For more on handling this from the other side, read our guide on how to assess your vendors. It gives you a sense of what questions to expect.

What if you are not in scope? Is there still anything to do?

Yes. And it is less work than you think.

If you do not fall under NIS2, directly or indirectly, you have no legal obligation. But there are three practical reasons to build a foundation anyway:

Customers change. You may serve only small businesses today. But as you grow, your customers grow with you, or new ones arrive that are in scope.

Trust sells. A short supplier security statement describing how you handle security is a strong signal. It shows you operate professionally, even when nobody requires it.

The basics are small. An incident response plan, an overview of your systems and vendors, and a brief security statement. That is a few hours of work. And it answers 80% of the questions any customer will ever ask you.

What if you are in scope: the first steps

If you have concluded that NIS2 applies to your company, directly or indirectly, the next question is: where do I start?

1. Determine your category. Are you an essential or important entity? That determines how the regulator will approach you. Essential entities face proactive oversight. Important entities are checked after incidents or complaints.

2. Appoint someone. NIS2 expects management to take responsibility for cybersecurity. That does not mean you need to hire a CISO. But someone in the organization must own this topic.

3. Run a risk assessment. Map your critical systems, data flows, and threats. This is the foundation for every step that follows. Without a risk assessment, you cannot explain why you took certain measures and skipped others.

4. Document your supply chain security. Which vendors have access to your systems or data? Have you put agreements in place? This is one of the first areas regulators will look at.

For a complete step-by-step plan, see our article on getting started with NIS2. Want to speed up the process? Check out our NIS2 compliance software that lets you manage risks, controls, and documentation in one place.

The Dutch Cyberbeveiligingswet: what changes in 2026?

NIS2 is a European directive. Each EU member state must translate it into national law. In the Netherlands, that law is called the Cyberbeveiligingswet, and it is expected to take effect around mid-2026.

What changes in practice? The obligations from NIS2 become formally enforceable for Dutch organizations that are directly in scope. Regulators gain the authority to inspect and impose sanctions.

For companies affected indirectly, through the supply chain, little changes legally. But the pressure increases. Once your customers are formally required to assess their suppliers, those questionnaires stop being optional.

The advice is simple: do not wait for the law to take effect. Start building the basics now. That gives you a head start when enforcement begins.

Frequently asked questions

Does NIS2 apply to freelancers or micro-businesses?

In most cases, no. NIS2 targets organizations with 50 or more employees or annual revenue above EUR 10 million. As a freelancer or micro-business, you almost always fall below those thresholds. The exception: if you provide a critical service (such as DNS or trust services), you can fall in scope regardless of size. But that applies to a very small group.

What are the 18 NIS2 sectors?

The 18 sectors are divided into two categories. Essential: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important: postal and courier services, waste management, chemicals, food production, certain manufacturing sectors, digital providers, and research organizations.

My customer is asking for NIS2 compliance evidence. What do I send?

Your customer is probably not expecting a full NIS2 certificate (that does not exist). What they want is evidence that you take security seriously. A supplier security statement describing how you handle access controls, incident response, backups, and encryption is usually sufficient. Combine that with an overview of your main technical controls.

When does NIS2 take effect in the Netherlands?

The Cyberbeveiligingswet, the Dutch implementation of NIS2, is expected to take effect around mid-2026. From that point, the obligations become formally enforceable and regulators can impose sanctions.

What is the difference between an "essential entity" and an "important entity" under NIS2?

The requirements are largely the same. The difference is in enforcement. Essential entities (energy, healthcare, digital infrastructure) are proactively supervised by regulators. Important entities (postal, chemicals, food, manufacturing) are monitored after the fact, usually following incidents or complaints. Fines in both cases can reach up to EUR 10 million or 2% of annual turnover.
