NIS2 significantly expanded the scope of the original NIS Directive (2016/1148). While NIS1 covered roughly 500 “operators of essential services” per member state, NIS2 covers potentially hundreds of thousands of companies across the EU. The key question for any mid-sized company is: are we in scope?

This article covers practical NIS2 obligations. For broader security compliance context, see Security and Compliance in Cloud ERP 2026.

Are You in Scope?

The Two-Part Test

NIS2 applies if your company meets BOTH of these conditions:

Condition 1 — Sector: Operates in one of the 18 sectors listed in NIS2 Annexes I and II:

Annex I — Highly Critical Sectors (essential entities):

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Health (hospitals, reference labs, pharmaceutical manufacturers, medical device manufacturers)
  • Drinking water
  • Wastewater
  • Digital infrastructure (internet exchange points, DNS, TLD registries, cloud, data centres, CDN, trust services, electronic communications)
  • ICT service management (managed service providers, managed security service providers)
  • Public administration
  • Space

Annex II — Other Critical Sectors (important entities):

  • Postal and courier services
  • Waste management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles, transport equipment)
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research organisations

Condition 2 — Size: Medium or large enterprise:

  • Medium: 50 or more employees, or €10M or more in annual turnover (meeting either threshold is enough)
  • Large: 250 or more employees, or €50M or more in annual turnover

Exception — critical regardless of size: DNS service providers, TLD registries, cloud providers, data centres, CDN providers, managed service providers, trust services, and electronic communications providers are in scope regardless of size.

Essential vs. Important Entities

Category          | Criteria                                               | Supervision                           | Fines
Essential entity  | Large company in an Annex I sector                     | Proactive (ex ante)                   | Up to €10M or 2% of turnover
Important entity  | Medium company in Annex I, or any company in Annex II  | Reactive (ex post, after an incident) | Up to €7M or 1.4% of turnover
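The two-part test and the classification table above, encoded as a checker. This is an added example, not code from the article or from Modulario; the short sector and entity-type labels, the Company data model and the function names are assumptions of mine, and the size thresholds are applied as "at least" comparisons as the text states them.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed short labels for the Annex I and Annex II sector lists above.
ANNEX_I = {"energy", "transport", "banking", "financial market infrastructure",
           "health", "drinking water", "wastewater", "digital infrastructure",
           "ict service management", "public administration", "space"}
ANNEX_II = {"postal and courier", "waste management", "chemicals", "food",
            "manufacturing", "digital providers", "research"}
# Only these manufacturing categories are listed; generic manufacturing is not.
LISTED_MANUFACTURING = {"medical devices", "computers and electronics",
                        "electrical equipment", "machinery", "motor vehicles",
                        "transport equipment"}
# Entity types that are in scope regardless of size.
SIZE_EXEMPT = {"dns", "tld registry", "cloud", "data centre", "cdn", "msp",
               "trust services", "electronic communications"}

@dataclass
class Company:
    sector: str
    employees: int
    turnover_m_eur: float               # annual turnover in EUR millions
    sub_sector: Optional[str] = None    # manufacturing product category
    entity_type: Optional[str] = None   # e.g. "dns", "msp" for digital sectors

def size_class(c: Company) -> str:
    """Size test: meeting either threshold (headcount or turnover) is enough."""
    if c.employees >= 250 or c.turnover_m_eur >= 50:
        return "large"
    if c.employees >= 50 or c.turnover_m_eur >= 10:
        return "medium"
    return "small"

def listed_annex(c: Company) -> Optional[str]:
    """Sector test: 'I', 'II', or None when the sector is not listed."""
    if c.sector == "manufacturing":
        return "II" if c.sub_sector in LISTED_MANUFACTURING else None
    return "I" if c.sector in ANNEX_I else "II" if c.sector in ANNEX_II else None

def classify(c: Company) -> str:
    """Apply both conditions, then the essential/important split."""
    annex = listed_annex(c)
    if annex is None:
        return "out of scope"                 # condition 1 (sector) fails
    size = size_class(c)
    if size == "small":
        # In scope regardless of size, but the table above assigns no category.
        return "in scope (size-exempt)" if c.entity_type in SIZE_EXEMPT else "out of scope"
    if annex == "I" and size == "large":
        return "essential"
    return "important"                        # medium in Annex I, or any size in Annex II
```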

The 10 NIS2 Security Measures (Article 21)

Article 21 requires entities to implement measures proportionate to the risk. The mandatory minimum includes these 10 elements:

1. Risk Analysis and Security Policies

  • Written information security risk assessment
  • Information security policy covering all systems and processes
  • Approved by management body
  • Reviewed at least annually

2. Incident Handling

  • Written incident management procedure
  • Classification criteria for major incidents
  • Internal escalation path
  • External reporting procedure (to national CSIRT/NCA)

3. Business Continuity, Backup Management, and Disaster Recovery

  • Business continuity plan for ICT systems
  • Backup policy: 3-2-1 rule minimum (3 copies, 2 media, 1 offsite), tested
  • Disaster recovery plan with RTO/RPO objectives
  • Annual DR test

4. Supply Chain Security

  • Register of critical ICT suppliers
  • Security assessment criteria for new suppliers
  • Contractual security requirements for critical suppliers
  • Annual review of supplier security posture

5. Security in System Acquisition, Development, and Maintenance

  • Security requirements in procurement tenders
  • Secure development lifecycle (for companies developing own software)
  • Patch management process with defined SLAs

6. Assessing Effectiveness of Cybersecurity Measures

  • Key security metrics tracked and reported to management
  • Regular testing (vulnerability scanning, penetration testing)
  • Post-incident review process

7. Cyber Hygiene and Training

  • Security awareness training for all employees (at least annually)
  • Management body training specifically on NIS2 obligations
  • Documented training records

8. Cryptography and Encryption Policies

  • Encryption policy covering data at rest and in transit
  • Key management procedures
  • Minimum encryption standards defined

9. HR Security, Access Control, and Asset Management

  • HR security screening for roles with access to critical systems
  • Joiners/movers/leavers access provisioning process
  • IT asset register
  • Access review (at least annually)
  • Principle of least privilege documented

10. Multi-Factor Authentication

  • MFA mandatory for administrative access to all critical systems
  • MFA required for remote access (VPN, cloud services)
  • Passkey / hardware token for privileged accounts

Incident Reporting Obligations

NIS2 Article 23 defines strict reporting timelines for significant incidents (incidents that cause or could cause severe disruption):

Timeline        | Report                                      | Content
Within 24 hours | Early warning to the national CSIRT or NCA  | "We have a significant incident": brief description of attack type, suspected cause, affected systems
Within 72 hours | Incident report                             | Full incident description, impact assessment, indicators of compromise, initial mitigation steps
Within 1 month  | Final report                                | Root cause, full impact assessment, mitigation measures taken, lessons learned

For incidents involving personal data, GDPR Article 33 also requires notification to the supervisory authority within 72 hours — the timelines are compatible (72h NIS2 and 72h GDPR can often be a single combined notification).

Personal Liability for Management Bodies

NIS2 Article 32(6) is a significant new element: for essential entities, national authorities can hold management body members personally liable for negligent failure to implement NIS2 obligations.

Practical implications:

  • CEO, board members, and supervisory board members can be personally fined
  • They can be temporarily disqualified from managing the entity
  • They cannot delegate this liability to IT teams — they must be personally engaged in NIS2 governance

This has driven significant boardroom attention to NIS2 compared to earlier cybersecurity regulations.

12-Week NIS2 Preparation Plan for SMBs

Weeks 1-2: Scope and Gap Assessment

  • Confirm whether your company is in scope (sector + size test)
  • If in scope, determine essential or important entity classification
  • Conduct gap assessment against the 10 Article 21 measures
  • Prioritise gaps by risk level

Weeks 3-4: Governance

  • Present NIS2 obligations to the management body (required by Article 21 — management must be informed and involved)
  • Appoint a NIS2 responsible person (CISO, DPO, or designated manager)
  • Approve information security policy at board level

Weeks 5-6: Risk Assessment and Incident Management

  • Complete written risk assessment
  • Draft incident classification criteria
  • Create incident response procedure
  • Identify and register with national CSIRT/NCA (registration is required in some member states)

Weeks 7-8: Technical Controls

  • Implement or verify MFA on all critical systems and remote access
  • Verify backup process meets 3-2-1 rule; schedule and document a recovery test
  • Run vulnerability scan; patch critical vulnerabilities

Weeks 9-10: Supply Chain and Training

  • Create or update supplier register with criticality classification
  • Review contracts with critical ICT suppliers for security clauses
  • Run security awareness training for all employees

Weeks 11-12: Documentation and Review

  • Compile all required documentation
  • Conduct internal review against Article 21 checklist
  • Brief management body on compliance status

NIS2 and ERP/CRM

An ERP system is typically a critical ICT system for any company in scope. NIS2 implications for ERP:

  • Risk assessment — ERP is typically classified as a critical system and must be included
  • Supplier assessment — your ERP vendor is assessed as part of the supply chain security review
  • Access control — MFA is required for ERP access (Article 21 measure 10)
  • Audit log — ERP audit logs provide evidence for incident investigation
  • Business continuity — ERP backup and recovery are tested

Modulario supports NIS2 compliance:

  • MFA mandatory configuration option
  • Audit log for all actions
  • Configurable backup and retention
  • ISO 27001 certification (recognised evidence of security measures)
  • Supply chain security documentation (subprocessors, security questionnaire responses)

Frequently Asked Questions

Does NIS2 apply to our company? We are a mid-sized manufacturer. NIS2 applies to medium and large enterprises (50+ employees OR €10M+ annual turnover) in 18 critical sectors. For manufacturing, NIS2 applies if you manufacture: medical devices, computers and electronics, electrical equipment, machinery and equipment, motor vehicles, or other transport equipment. ‘Generic’ manufacturing (food, textiles, furniture) is not in scope unless the company also operates in another listed sector.

What are the 10 minimum security measures under NIS2 Article 21? The 10 measures are: (1) risk analysis and security policies, (2) incident handling, (3) business continuity and backup, (4) supply chain security, (5) security in system acquisition and development, (6) assessing effectiveness of cybersecurity measures, (7) cyber hygiene practices and training, (8) cryptography and encryption policies, (9) HR security, access control, and asset management, (10) multi-factor authentication.

What are the NIS2 sanctions and can directors be personally liable? NIS2 Article 34 sets maximum fines: essential entities up to €10M or 2% of global annual turnover; important entities up to €7M or 1.4% of turnover. NIS2 Article 32(6) introduces personal liability for management bodies of essential entities: national authorities can hold management body members personally liable for negligent failure to comply. This means that the CEO, board members, and other management body members can be personally fined.