[Image: cartoon-style illustration of Agnes standing in front of a small office building with a NIS2 shield above it, holding a checklist.]

NIS2 for SMBs: Where Do You Start When Nothing Is in Place?


You've seen it pop up at an industry event, in an email from a client, or in a LinkedIn post from someone you've been ignoring for months. NIS2. Another acronym, another European regulation. And somewhere in the back of your mind, that nagging feeling: do I need to act on this?

Probably yes. But you don't have to tackle everything at once. Below, you'll learn how to figure out if NIS2 applies to you and where to start without getting stuck.

Do you fall under NIS2? (Quick self-check)

Before you jump into action, you'll want to know if NIS2 actually applies to your organization. The directive distinguishes two groups: essential entities and important entities. Both have obligations, but enforcement differs.

The NIS2 sector list in plain English:

  • Energy (electricity, gas, oil, heating)
  • Transport (aviation, rail, water, road)
  • Banking and financial market infrastructure
  • Healthcare (hospitals, labs, pharmaceuticals)
  • Drinking water and wastewater
  • Digital infrastructure (data centers, DNS, cloud, telecom)
  • ICT service management (MSPs, MSSPs)
  • Public administration
  • Space
  • Postal and courier services
  • Waste management
  • Chemicals and manufacturing (food, machinery, electronics, medical devices)
  • Research

The thresholds in most cases: 50+ employees or annual revenue above 10 million euros. But if you're a supplier to an organization that falls under NIS2, you could be affected indirectly. Your client may contractually require you to have your house in order.

The difference between essential and important? Essential entities (think energy, healthcare, digital infrastructure) are monitored proactively. Important entities are mainly checked after the fact, when incidents or complaints come in. The requirements themselves are largely the same.

Not sure if you're in scope? Start by reading what NIS2 actually is and what it means for your business.

What NIS2 practically requires from you

NIS2 goes beyond technology. The law expects your organization to demonstrate that you take cybersecurity seriously. In practice, that means:

  • Risk management: you know your risks and have taken measures
  • Supplier management: you know which external parties have access to your systems and data
  • Incident response: you have a process for when things go wrong
  • Training: your employees know what to do
  • Documentation: you can prove everything with evidence, not just words

For an SMB without a security team, that sounds like a lot. It is. But NIS2 implementation doesn't have to happen overnight. You don't need a complete management system by tomorrow. You do need to show you're working on it and moving in the right direction.

Step 1: Map your risks

The risk analysis is where you start. Without it, you don't know where you're vulnerable, and you can't explain why you took (or didn't take) certain measures.

What you need to do:

  • Inventory your critical systems and processes. Which systems are essential to your operations? Which data is sensitive?
  • Identify threats. Think ransomware, phishing, unauthorized access, outage at a cloud provider.
  • Assess the impact. What happens if a system goes down for 24 hours? Or if customer data gets leaked?
  • Categorize your risks. Work with categories (high, medium, low) so you can prioritize.

You don't need a complicated methodology for this. A structured inventory based on your systems, suppliers, and data flows is enough to get going. Write it down. You'll need that evidence later.

Step 2: Set up supplier management

This is the part many SMBs underestimate. NIS2 puts the responsibility on you to manage your supply chain. You need to know which external parties have access to your systems, what data they process, and what risks they bring.

Start here:

  1. Make a list of all your suppliers. Software vendors, hosting providers, IT management, cloud tools, external processors.
  2. Classify them by risk. Does the supplier have access to critical systems or personal data? Then it's a high-risk supplier.
  3. Review contracts. Are security requirements included? Is there a data processing agreement? Are incident reporting arrangements documented?
  4. Record everything. Not in a spreadsheet you won't be able to find in three months, but in a central system.

Want to know what requirements you can set for suppliers? Read about what requirements suppliers must meet.

ComplianceHive brings your suppliers, software inventory, and record of processing activities together in one overview, so you can see which suppliers need attention right away. See what's possible.

Step 3: Set up an incident response process

When a cyber incident hits, it's too late to figure out who does what. NIS2 expects you to have an incident response process and to report serious incidents to the regulator within 24 hours.

For an SMB, this doesn't need to be a 50-page document. It's about the basics:

  • Assign someone to take the lead during an incident. In an SMB, that's often the director or the IT lead.
  • Write out the steps in a short playbook: detect, assess, contain, recover, report.
  • Know when to report externally. NIS2 requires that for serious incidents, you submit an initial notification within 24 hours, followed by a full report within 72 hours.
  • Set up internal communication. Who do you inform? How do you reach employees outside office hours?

Practice this at least once a year. An incident response plan sitting in a drawer doesn't count.

Step 4: Train your employees

Most cyber incidents start with a person. A wrong click, a reused password, a USB drive from an unknown source. NIS2 expects you to train your employees on cybersecurity awareness.

This doesn't have to be a three-day course. What works well for SMBs:

  • A quarterly update with the most relevant threats and tips
  • Phishing simulations to test alertness
  • Clear guidelines for password use, remote work, and reporting suspicious situations
  • An onboarding module for new employees

Perfection isn't the goal. What matters is that you can show you give it regular attention.

Step 5: Document everything

This is where many organizations trip up. With NIS2, everything revolves around demonstrability. You could have the best security policy in the world, but if you can't show it, it doesn't exist as far as the regulator is concerned.

What "documented" means in a NIS2 context:

  • Policy documents describing what you do and why
  • Registers of your processing activities, suppliers, and systems
  • Logs of measures taken, assessments, and incidents
  • Proof of training: who was trained, when, and on what?
  • Version history, so you can show documents are up to date

The record of processing activities you may already have for the GDPR is a good starting point. But NIS2 asks for more: your software inventory, supplier assessments, and security measures all need to be recorded too.

What's a realistic timeline?

The Dutch implementation of NIS2, the Dutch Cybersecurity Act, is expected around mid-2026. That sounds far away, but implementation takes time, especially if you're starting from zero.

A realistic schedule for an SMB:

| Period | Action |
|---|---|
| Month 1-2 | Conduct risk analysis, inventory suppliers |
| Month 2-3 | Complete supplier assessments, review contracts |
| Month 3-4 | Draft and test incident response process |
| Month 4-5 | Set up and run employee training |
| Month 5-6 | Complete documentation, do first internal audit |

Who's responsible? In an SMB without a CISO, you need to assign a clear owner. That could be the director, an IT manager, or an external advisor. But someone has to own it; otherwise nothing moves.

This isn't hypothetical. Start now and you have enough time to prepare properly. Wait until the law takes effect and you risk the regulator showing up before you're ready.

Start today

You don't have to be fully NIS2-compliant by tomorrow. But you do need to start somewhere. The most concrete first step: make an overview of your suppliers and systems. Do a risk analysis. Write it down.

ComplianceHive gives you a structured way to take those first steps: supplier management, software inventory, and GDPR documentation in one place. No scattered spreadsheets, no documents collecting dust in a shared drive.

Try ComplianceHive free for 30 days and start your NIS2 preparation today.
