
Does NIS2 apply to my company? A 5-minute scope check

NIS2, Compliance, SMB

An email lands in your inbox from a large customer. Subject: "NIS2 supplier compliance." They want to know whether your business meets the requirements and are asking for a statement by the end of next month.

You have no idea what to say.

This is the situation that keeps most Dutch SMB owners up at night. Not the regulation itself, but the question: does NIS2 even apply to us? And if so, what do we need to do?

That question has two parts. Most businesses only know half the answer.

The two ways NIS2 can apply to your company

NIS2 does not apply to every business in the same way. The directive has a defined scope, and that scope works in two layers.

The first is direct scope. Your organisation falls under NIS2 because you operate in a designated sector and meet the size or revenue threshold. You have active obligations: implement security measures, report incidents, demonstrate compliance.

The second is indirect scope. Your organisation is outside NIS2 directly, but your customers or their customers are essential or important entities. Under NIS2, those customers have a supply chain security obligation, which means they will assess you as a supplier. You do not need to be NIS2-compliant yourself, but you need to be able to answer their questions.

For Dutch tech SMBs, indirect scope is the most common situation. Software companies, IT service providers, and digital agencies rarely fall directly under NIS2. But their enterprise customers often do. And those customers send questionnaires.

Check 1: Are you directly in scope? The sector and size test

Direct scope under NIS2 is based on two criteria: the sector your organisation operates in, and its size.

On size, the thresholds for most sectors are: essential entities need 250 or more employees, or more than EUR 50 million in annual revenue and more than EUR 43 million in balance sheet total. Important entities need 50 or more employees, or more than EUR 10 million in revenue and more than EUR 10 million in balance sheet total.

Clearly below both? In most cases you are not directly in scope. There are exceptions for providers of critical national services, but these are rare for standard SMBs.

If your organisation operates in one of the sectors below and meets the size thresholds, you are likely in scope.

| Sector | Examples |
|--------|----------|
| Energy | Electricity network operators, gas network operators |
| Transport | Aviation, rail, road and maritime transport |
| Banking | Banks and credit institutions |
| Financial market infrastructure | Trading platforms, central counterparties |
| Healthcare | Hospitals, laboratories, pharmaceutical companies |
| Drinking water | Water supply companies |
| Wastewater | Wastewater management |
| Digital infrastructure | DNS providers, data centres, cloud providers |
| Managed ICT services | Managed service providers, IT outsourcing |
| Public administration | National and regional government bodies |
| Space | Ground infrastructure operators |
| Postal and courier services | Postal companies, parcel delivery |
| Waste management | Waste processing companies |
| Chemicals | Chemical producers and distributors |
| Food | Large-scale food production and distribution |
| Manufacturing | Medical devices, electronics, machinery |
| Digital providers | Online marketplaces, search engines, social platforms |
| Research | Research organisations |

Worth noting: digital providers and managed ICT services catch more Dutch tech companies than people expect. If you provide cloud services, managed services, or software-as-a-service at any meaningful scale, it is worth getting this assessed properly.

Check 2: Are you indirectly in scope through your customers?

This is the check most businesses skip entirely.

NIS2 requires essential and important entities to assess the security of their supply chains (Art. 21(2)(d)). In practice: your customer who is subject to NIS2 must screen you as a supplier.

Ask yourself three questions:

  1. Do I have customers operating in an NIS2 sector?
  2. Do those customers have more than 50 employees or more than EUR 10 million in revenue?
  3. Do I supply them with software, IT services, data storage, or other digital services?

If you answered yes to all three, there is a strong chance a NIS2 questionnaire will land in your inbox sooner or later. Not because you have obligations, but because your customer does.

This is the reality for most Dutch tech SMBs: they are not directly in scope, but they feel the effects of NIS2 through their customers. And that is not a reason to do nothing.

What if you are not in scope? There is still work to do

Not being in scope does not mean nothing needs to happen.

If you have customers who are themselves in scope, they will eventually ask about your security practices. Who is responsible for your systems? How do you handle incidents? Have you assessed your own vendors?

A well-prepared supplier statement can win or retain a contract. Companies that already have their documentation in order answer those questionnaires quickly and professionally. Companies that do not sometimes lose the deal before the first conversation.

The documentation customers expect is largely the same as what NIS2 directly requires: system documentation, vendor management, an incident response plan, demonstrable access controls. You may be doing it for the customer relationship, but in practice you are doing the same compliance work either way.

See how ComplianceHive helps you build that documentation.

What if you are in scope? First steps

Are you directly in scope? Here is where to start.

Step 1 is figuring out your category. Essential entity or important entity? That determines the level of oversight you are under. Essential means proactive supervision: regulators come to you. Important means reactive: they show up if something goes wrong.

Step 2 is appointing someone responsible. NIS2 expects board-level involvement. Someone needs to own this, not just be aware of it.

Step 3 is running a risk assessment. Which systems are critical? Which threats are realistic for your situation? What do you already have in place and what is genuinely missing?

Step 4 is mapping your supply chain. Your vendors can introduce risk that lands on you. You need to show you have assessed them. A supplier risk assessment gives you the structure to do that.

Step 5 is documentation. Security measures that are not written down do not exist as far as a regulator is concerned. Record what you have, who owns it, and when you last reviewed it.

Ready to go deeper? Read our full guide on NIS2 audit preparation for SMBs.

The Dutch Cyberbeveiligingswet: what changes in 2026?

The Cyberbeveiligingswet is the Dutch implementation of NIS2. It is expected to come into force in the first half of 2026. From that point, obligations become formally enforceable for organisations that are directly in scope.

Concretely: regulators can actively audit whether your measures are adequate. You will have a mandatory incident reporting obligation (24 hours for an initial notification, 72 hours for a formal report). For essential entities, fines can reach EUR 10 million or 2% of global annual turnover.

Start now. Businesses working on documentation today will only need to adjust in 2026. Businesses that wait will start from nothing.

What next?

Direct scope or indirect, the work is roughly the same. Which systems do you run? Who has access? What happens when something goes wrong? Who is responsible? Those are the questions customers ask now and regulators will ask later.

If you are starting from scratch, NIS2 for SMBs: where to begin walks through the basics.

ComplianceHive gives you a structured way to build that documentation — system records, vendor assessments, risk tracking. Without the spreadsheet chaos.

Try ComplianceHive free for 30 days.

This article provides general information and does not constitute legal advice. Consult a qualified lawyer or NIS2 specialist for an assessment specific to your situation.
