
NIS2 compliance for SMEs: a practical checklist

What the NIS2 Directive requires of smaller EU organizations — scope, the risk-management measures, incident-reporting deadlines, and a step-by-step checklist.

Tags: NIS2, cybersecurity, EU, checklist

The NIS2 Directive (EU 2022/2555) is the biggest shift in EU cybersecurity regulation in years — and unlike its predecessor, it pulls many small and medium-sized organizations into scope, often as suppliers to essential services. If you've been told "we need to be NIS2 compliant" and aren't sure where to start, this checklist is for you.

Does NIS2 apply to us?

NIS2 covers medium and large entities in sectors classed as essential or important — energy, transport, banking, health, drinking water, digital infrastructure, ICT service management, public administration, postal services, manufacturing of critical products, and more. Two things surprise SMEs:

  1. Size thresholds catch smaller firms than you'd expect — generally 50+ employees or €10m+ turnover, but with exceptions where a service is critical.
  2. Supply-chain reach — even if you're below the threshold, your enterprise customers will push their NIS2 obligations onto you contractually.

Check your national transposition law for the exact thresholds in your country — member states implement NIS2 with some local variation.

The risk-management measures (Article 21)

NIS2 requires a set of cybersecurity risk-management measures. Document and implement each of these:

  • Risk analysis and information system security policies.
  • Incident handling — detection, response and recovery.
  • Business continuity — backups, disaster recovery, crisis management.
  • Supply chain security — assessing and managing supplier risk.
  • Security in acquisition, development and maintenance, including vulnerability handling and disclosure.
  • Policies to assess the effectiveness of your measures.
  • Basic cyber hygiene and security training.
  • Cryptography and encryption.
  • Access control, asset management, and multi-factor authentication.

Incident reporting deadlines

This is where NIS2 is strict. For a significant incident, you must provide:

  1. An early warning within 24 hours of becoming aware of the incident.
  2. A fuller incident notification within 72 hours.
  3. A final report within one month.

Have a written incident-handling and reporting procedure built around exactly these timelines *before* you need it — not during an incident.

Management accountability

A defining feature of NIS2: management bodies must approve the cybersecurity measures and can be held liable. Senior leaders also have to undergo training. Make sure your governance documentation records management's approval and oversight.

A step-by-step checklist

  1. Confirm whether you're in scope (and register with your national authority if required).
  2. Run a cyber risk assessment and record the results.
  3. Write the Article 21 policies and procedures.
  4. Stand up an incident process aligned to the 24h / 72h / 1-month deadlines.
  5. Address supply-chain security and vulnerability handling.
  6. Roll out cyber-hygiene training, including for management.
  7. Get the management body to formally approve the measures.

CompliWiseAI generates the full NIS2 documentation set — risk policy, incident-handling and reporting plan, business continuity, supply-chain security, and more — structured around these requirements. See the NIS2 compliance tool for the complete document list.

Want a head start? Create a free workspace and generate your NIS2 documents in minutes.
