A lot of small businesses hear "NIS2" and assume it belongs in the same mental drawer as enterprise compliance, Brussels policy, and expensive consultancy decks. For some, that is true. For others, especially MSPs, digital suppliers, and businesses supporting critical sectors, NIS2 is much closer than it looks.
The practical question is not "do I understand every article of the directive?" It is simpler: are you in scope, almost in scope, or likely to be pulled in by a bigger customer who is?
The European Commission says NIS2 now covers 18 critical sectors across the EU, with medium-sized and large entities in those sectors generally expected to apply cybersecurity risk-management measures and report significant incidents. That is a much wider net than the original NIS regime.
The Quick Scope Test
NIS2 works through national laws in EU member states, so the exact detail depends on the country. But the first-pass test is fairly straightforward. If you answer yes to one of these, you should look closer.
- Do you operate in the EU, or support customers who do? NIS2 is an EU regime, but it does not stay neatly inside EU borders. EU operations, EU subsidiaries, regulated EU services, or important customers in covered sectors can all change the practical answer.
- Are you medium-sized or larger? As a rule of thumb, NIS2 is aimed at medium and large organisations in covered sectors. Micro and small businesses are usually outside the direct scope, but there are important exceptions.
- Are you in a covered sector? Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, chemicals, food, manufacturing, digital providers, and research all appear in the wider NIS2 picture.
- Do you provide managed IT, security, cloud, hosting, DNS, data centre, marketplace, search, or social platform services? Digital and ICT service providers are one of the areas where the scope expanded most noticeably.
- Are your customers asking for NIS2 evidence? Even if you are not directly regulated, you may still need to show risk assessments, incident response plans, supplier controls, and evidence of basic security hygiene to keep larger customers comfortable.
The Part Nobody Tells You
For many small businesses, NIS2 will not arrive as a letter from a regulator. It will arrive as a spreadsheet from a customer.
Imagine a 35-person IT support company looking after a manufacturing client with facilities in Germany, the Netherlands, and the UK. The MSP itself may be small, local, and nowhere near a regulator's first list. But the customer is in a covered sector, has NIS2 obligations in Europe, and now needs to prove that its key technology suppliers are not an obvious weak point. Suddenly the MSP is being asked for MFA coverage, patching timelines, backup testing, incident notification procedures, subcontractor controls, and evidence that admin access is properly managed.
That is the real-world shape of NIS2 for a lot of small firms: not "you are regulated tomorrow", but "your customers need answers tomorrow".
The 24-Hour Clock Is the Big Shift
Most business owners who know one regulatory deadline know the GDPR breach reporting window: 72 hours to notify the relevant authority where a personal data breach creates risk to individuals. NIS2 moves faster.
For significant incidents, NIS2 introduces an early warning within 24 hours, followed by a more detailed incident notification within 72 hours and later follow-up reporting. The early warning does not need to contain every forensic detail. It is meant to say: something significant may be happening, here is the likely nature of it, and here is whether we suspect unlawful or malicious activity.
24 hours is not a paperwork target. It changes how prepared you need to be. If you spend the first day working out who owns incident response, who can contact the regulator, who can talk to customers, and where your logs are, you have already lost the useful part of the window.
That does not mean every small supplier needs a grand incident response function. It does mean you need a simple decision path:
- Who decides whether an incident is serious enough to escalate?
- Who speaks to affected customers?
- Who has authority to take systems offline?
- Where are your insurer, legal, IT, and key customer contacts stored?
- Can you produce a basic timeline of what happened in the first hour?
What "Good Enough" Starts To Look Like
NIS2 is not just a reporting rule. It expects covered organisations to manage cyber risk properly. For a small business trying to get ready, the sensible move is to build the same core habits your larger customers will ask about.
- Asset visibility. Know your laptops, servers, cloud services, admin accounts, key suppliers, and where sensitive data lives.
- Access control. Use MFA, remove stale accounts, separate admin accounts from everyday accounts, and review privileged access regularly.
- Patch discipline. Have a documented patching expectation, especially for internet-facing systems, VPNs, firewalls, identity platforms, and remote management tools.
- Supplier checks. Know who you rely on, what access they have, and how quickly they must tell you if something goes wrong.
- Incident response. Keep a short written plan, test it, and make sure it covers customer notification as well as technical containment.
- Backup and recovery. Backups need to be protected, separated from day-to-day admin access, and tested often enough that restore time is not a guess.
This is also where the statistic about regulatory burden matters. With more than a third of European firms already reporting that regulation is weighing on them, the businesses that do best are usually not the ones with the biggest compliance binder. They are the ones that can show calm, current evidence without turning every customer request into a three-week scramble.
Where Europe and the UK Differ
For businesses based in the EU, NIS2 is implemented through national law. That means the broad shape is European, but the details can still vary by country: who supervises you, how you register, which authority receives reports, and how national thresholds are interpreted.
For UK businesses, Brexit means the UK did not automatically adopt NIS2. A UK-only business is not directly covered by NIS2 just because the directive exists. But that does not make it irrelevant, especially if you serve EU customers or sit in the supply chain of a covered organisation.
The practical routes are similar for small businesses on both sides of the Channel:
1. Direct operations or services
If you have an establishment in an EU member state, provide certain digital services, or operate in a covered sector, you may need country-specific advice. A business with offices in Spain and France, for example, may have to look at both national implementations, not just the EU directive headline.
2. Supply chain pressure
A supplier to an EU-regulated organisation may be asked to meet NIS2-style requirements contractually, whether that supplier is in Dublin, Lisbon, Warsaw, London, or Manchester. That can include security questionnaires, audit rights, incident notification clauses, and stricter supplier management expectations.
3. UK rules are moving in the same direction
The UK is also updating its cyber resilience regime. The government's Cyber Security and Resilience Bill policy statement points to stronger duties around digital services, managed service providers, data centres, supply chains, incident reporting, and customer notification. It is not NIS2 by another name, but it is travelling in the same direction.
So the practical advice is this: do not panic if you are genuinely local, small, and low-risk. But do not ignore the direction of travel if you provide IT, digital, cloud, operational, or data-heavy services to larger organisations in Europe or the UK.
What To Do This Month
If NIS2 might touch you directly or indirectly, start with a one-page readiness check rather than a compliance project. The aim is to know where you stand, where the obvious gaps are, and what evidence you can already show a customer.
- Map your exposure. List European and UK customers, regulated-sector customers, cross-border operations, and customers who treat you as a critical supplier.
- Identify your critical services. What would seriously disrupt a customer if it failed, was breached, or was unavailable?
- Review your incident process. Can you escalate, investigate, decide, and notify inside 24 hours?
- Check your supplier clauses. Do your own providers have notification duties to you, or are you the last to know?
- Gather evidence. MFA status, patching approach, backup tests, access reviews, security policies, and incident contacts should be easy to find.
The Honest Summary
NIS2 is not something every small business needs to fear. But it is something more small businesses need to understand, especially if they sit inside a larger digital or operational supply chain.
The line between "regulated" and "not regulated" is only part of the story. The commercial question is often more important: can you prove to a customer, insurer, or partner that you understand your risk and can respond quickly when something goes wrong?
That is where the work should start. Not with panic. Not with a giant framework. With a clear scope test, a simple incident plan, and evidence that the basics are actually working.
Find Out Where You Stand
Faradome RisQ gives you a practical view of your current security posture, supplier risk, and readiness gaps before a customer questionnaire or regulatory deadline forces the issue.
Start Your RisQ Assessment → Talk to Us