NIS2 for SMEs: Are You In Scope and What to Do

Understand whether your small or medium business falls under NIS2 scope. Learn the size thresholds, exceptions, supply chain obligations, and cost-effective compliance strategies for SMEs.

NIS2 Penalty Structure

Entity Type | Maximum Fine
Essential Entities | EUR 10 million or 2% of turnover
Important Entities | EUR 7 million or 1.4% of turnover

The NIS2 Directive (EU 2022/2555) has expanded cybersecurity regulation to cover an estimated 160,000 entities across the European Union, up from roughly 15,000 under the original NIS Directive. If you run a small or medium enterprise (SME) in a covered sector and meet certain size thresholds -- 50 or more employees or annual turnover exceeding EUR 10 million -- your company is likely in scope. Even below these thresholds, supply chain obligations may pull your business into NIS2 compliance requirements indirectly. This guide explains exactly how to determine your status and what practical steps to take.

Key Takeaways

  • Size-cap rule: NIS2 generally applies to medium (50+ employees or EUR 10M+ turnover) and large enterprises in covered sectors
  • Exceptions exist: DNS providers, TLD registries, trust services, and sole critical-service providers are in scope regardless of size
  • Supply chain effect: Even small suppliers may face contractual security requirements from in-scope clients
  • Cost impact: The EU estimates a 12-22% increase in IT security spending for compliance
  • Proportional approach: Managed security services can make compliance achievable for SMEs at lower cost

Understanding the NIS2 Size Thresholds

NIS2 uses the EU's standard SME definition from Commission Recommendation 2003/361/EC to determine which organizations fall in scope. The key thresholds are:

Company Size | Employees | Annual Turnover | Balance Sheet Total | NIS2 Status
Micro enterprise | Fewer than 10 | Up to EUR 2 million | Up to EUR 2 million | Generally excluded
Small enterprise | 10-49 | EUR 2-10 million | EUR 2-10 million | Generally excluded
Medium enterprise | 50-249 | EUR 10-50 million | EUR 10-43 million | In scope (if in covered sector)
Large enterprise | 250+ | EUR 50 million+ | EUR 43 million+ | In scope (if in covered sector)

A company meets the threshold if it exceeds either the employee count or the financial metric. For example, a company with 40 employees but EUR 15 million in annual turnover would be in scope if it operates in a covered sector.

Exceptions: When Small Companies Are Still In Scope

Article 2 of the NIS2 Directive specifies several categories of organizations that fall in scope regardless of their size. These exceptions reflect the critical nature of their services:

  • Trust service providers -- companies offering digital certificates, electronic signatures, or electronic seals under the eIDAS Regulation
  • DNS service providers -- any company operating DNS resolution services
  • TLD name registries -- operators managing top-level domain registrations
  • Sole providers -- companies that are the only provider of a service essential for maintaining critical societal or economic activities in a Member State
  • Public administration entities -- central government entities at national level (and optionally regional level, per Member State decision)
  • Entities identified under NIS1 -- organizations already designated as operators of essential services under the original NIS Directive

According to ENISA's NIS Investments 2023 report, approximately 15% of entities newly brought into NIS2 scope are SMEs that fall under these exception categories. If your company provides any of these services, size is irrelevant -- you need to comply.
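The size-cap rule from the threshold table and the size-independent categories listed above can be combined into a single screening check. The following is an added example written for this article, not code from the article's author or from any regulator: it classifies an entity using the Recommendation 2003/361/EC ceilings and then applies the Article 2 exceptions before looking at sector and size. Two assumptions are labelled in the code: sector coverage (Annex I/II) is passed in as a flag because the article does not list the sectors, and the financial test follows the Recommendation's "and/or" wording, under which a company leaves a size class when it reaches the headcount ceiling or exceeds both financial ceilings. Under that reading the article's 40-employee, EUR 15 million example lands in scope when its balance sheet total is also above EUR 10 million, which is the case the sample data uses. The `Entity` record and its field names are hypothetical, constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum

EUR_M = 1_000_000  # amounts below are in EUR; the ceilings are quoted in millions


class Size(Enum):
    MICRO = "micro"
    SMALL = "small"
    MEDIUM = "medium"
    LARGE = "large"


@dataclass
class Entity:
    """Hypothetical input record built for this example (not a NIS2 data model)."""
    name: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    in_covered_sector: bool  # ASSUMPTION: Annex I/II sector membership decided upstream
    # Article 2 categories the article lists as in scope regardless of size
    trust_service_provider: bool = False
    dns_service_provider: bool = False
    tld_registry: bool = False
    sole_essential_provider: bool = False
    central_public_administration: bool = False
    designated_under_nis1: bool = False


# (class, headcount ceiling, turnover ceiling EUR M, balance-sheet ceiling EUR M),
# checked from largest to smallest; the first class whose ceilings are exceeded wins.
_CEILINGS = [
    (Size.LARGE, 250, 50, 43),
    (Size.MEDIUM, 50, 10, 10),
    (Size.SMALL, 10, 2, 2),
]


def size_class(e: Entity) -> Size:
    """Recommendation 2003/361/EC test (ASSUMPTION: the annex's 'and/or' reading):
    an entity leaves a class when it reaches the headcount ceiling OR exceeds BOTH
    financial ceilings; exceeding only one financial ceiling is not enough."""
    for size, head, turnover_m, balance_m in _CEILINGS:
        if e.employees >= head or (
            e.turnover_eur > turnover_m * EUR_M and e.balance_sheet_eur > balance_m * EUR_M
        ):
            return size
    return Size.MICRO


def size_independent_reasons(e: Entity) -> list[str]:
    """Return the Article 2 categories that put the entity in scope at any size."""
    flags = [
        (e.trust_service_provider, "trust service provider"),
        (e.dns_service_provider, "DNS service provider"),
        (e.tld_registry, "TLD name registry"),
        (e.sole_essential_provider, "sole provider of an essential service"),
        (e.central_public_administration, "central public administration"),
        (e.designated_under_nis1, "designated under NIS1"),
    ]
    return [label for flag, label in flags if flag]


def assess_scope(e: Entity) -> tuple[bool, str]:
    """Screen an entity and return (in_scope, reason). Entities that screen out are
    reminded of the supply-chain effect: in-scope clients may still impose terms."""
    reasons = size_independent_reasons(e)
    if reasons:
        return True, "in scope regardless of size: " + ", ".join(reasons)
    size = size_class(e)
    if not e.in_covered_sector:
        return False, f"{size.value} enterprise outside covered sectors"
    if size in (Size.MEDIUM, Size.LARGE):
        return True, f"{size.value} enterprise in a covered sector"
    return False, (f"{size.value} enterprise below the size cap; "
                   "review supply-chain clauses from in-scope clients")


if __name__ == "__main__":
    # Constructed sample entities for illustration, not real companies.
    samples = [
        Entity("Article example", 40, 15 * EUR_M, 12 * EUR_M, in_covered_sector=True),
        Entity("Tiny DNS operator", 5, 1 * EUR_M, 1 * EUR_M, in_covered_sector=True,
               dns_service_provider=True),
        Entity("Small supplier", 30, 4 * EUR_M, 3 * EUR_M, in_covered_sector=True),
        Entity("Large retailer", 400, 90 * EUR_M, 60 * EUR_M, in_covered_sector=False),
    ]
    for s in samples:
        in_scope, why = assess_scope(s)
        verdict = "IN SCOPE" if in_scope else "out"
        print(f"{s.name:18} {size_class(s).value:7} {verdict:9} {why}")
```

The screening order matters: the exceptions are checked first so that a five-person DNS operator is reported as in scope before any size arithmetic runs, and the "out of scope" branch for small entities in covered sectors deliberately points back to the supply-chain effect rather than reading as a clean exemption.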

The Supply Chain Effect on Small Suppliers

Perhaps the most significant impact of NIS2 on SMEs comes not from direct scope but from Article 21(2)(d), which mandates that in-scope entities address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

In practice, this means:

  • Contractual requirements: Your larger clients will likely add cybersecurity clauses to contracts, requiring specific security measures, certifications, or audit rights
  • Vendor assessments: Expect security questionnaires, on-site audits, or requests for certification evidence (ISO 27001, SOC 2, or equivalent)
  • Incident notification: You may be required to notify your clients of security incidents within specific timeframes, mirroring NIS2's own reporting requirements
  • Minimum security standards: Clients may require you to implement specific technical measures such as multi-factor authentication, encryption, or regular vulnerability scanning

A 2024 survey by the European Digital SME Alliance found that 67% of SMEs providing IT services to larger companies had already received updated cybersecurity contractual requirements related to NIS2 preparation. The Verizon 2024 Data Breach Investigations Report confirms this trend, noting that 15% of breaches involved a third party, up from 9% the previous year -- a 68% increase that underscores why supply chain security is a NIS2 priority.

Cost-Effective Compliance Strategies for SMEs

The European Commission's impact assessment for NIS2 estimated that organizations already subject to regulation would need to increase IT security budgets by approximately 22%, while newly in-scope entities would see increases of around 12%. For SMEs, spending wisely is essential. Here are practical strategies:

1. Leverage Existing Frameworks

If you already comply with ISO 27001, you have covered a substantial portion of NIS2 requirements. The overlap between ISO 27001:2022 and NIS2 Article 21 is estimated at approximately 70-80%. Map your existing controls against NIS2 requirements to identify gaps rather than starting from scratch.

2. Adopt Managed Security Services

Building an in-house Security Operations Center (SOC) is impractical for most SMEs. Instead, consider managed detection and response services that provide 24/7 monitoring, incident detection, and response capabilities at a fraction of the cost. According to Gartner, 50% of organizations will be using MDR services by 2025, with the highest adoption rates among mid-size organizations.

3. Prioritize the NIS2 Essentials

NIS2 Article 21 lists ten categories of cybersecurity measures. For SMEs, prioritize these based on risk:

Priority | NIS2 Requirement | SME-Friendly Approach | Estimated Cost
1 | Incident handling | Incident response retainer + playbook | EUR 5,000-15,000/year
2 | Risk analysis & policies | Risk assessment template + annual review | EUR 3,000-10,000
3 | Business continuity | Cloud backup + BCP document | EUR 2,000-8,000/year
4 | Supply chain security | Vendor questionnaire + contract clauses | EUR 2,000-5,000
5 | Basic cyber hygiene & training | Security awareness platform | EUR 1,000-5,000/year
6 | Cryptography & encryption | TLS everywhere + disk encryption | EUR 1,000-3,000
7 | Access control & asset management | MFA + endpoint management tool | EUR 3,000-10,000/year
8 | Vulnerability handling | External attack surface monitoring | EUR 3,000-12,000/year
9 | Security in network acquisition | Secure procurement checklist | EUR 1,000-3,000
10 | Policies on effectiveness assessment | Annual penetration test | EUR 5,000-20,000/year

4. Use Proportionate Solutions

Recital 44 of the NIS2 Directive explicitly states that measures should be "proportionate" to the risk, the entity's size, and the likelihood and severity of incidents. This means regulators expect SMEs to implement measures appropriate to their resources and risk profile, not to match the security programs of large enterprises.

5. Consider NIS2-Specific Compliance Services

Several providers, including Orizon, now offer NIS2 compliance packages designed specifically for SMEs. These typically bundle gap analysis, policy templates, technical controls, and ongoing monitoring into a single subscription. Check pricing options to find solutions scaled to your organization's size.

National Transposition: Italy and Spain

Each EU Member State must transpose NIS2 into national law, and the specifics can vary. Here is the current status for Italy and Spain:

Italy (D.Lgs. 138/2024)

Italy transposed NIS2 through Legislative Decree 138/2024, published in October 2024. The Agenzia per la Cybersicurezza Nazionale (ACN) serves as the competent authority and the national CSIRT. Key points for Italian SMEs:

  • Registration on the ACN portal is mandatory for in-scope entities
  • The ACN has published guidance for SMEs on proportional implementation
  • Italian transposition largely follows the Directive's size thresholds without additional expansion
  • Sanctions align with NIS2 maximums: EUR 10 million or 2% of global turnover for essential entities

Spain

Spain is in the process of transposing NIS2 into national law. The Centro Criptologico Nacional (CCN) and the Instituto Nacional de Ciberseguridad (INCIBE) serve as reference points. For Spanish SMEs:

  • INCIBE provides free tools and resources for SME cybersecurity through its Protege tu Empresa program
  • The Esquema Nacional de Seguridad (ENS) framework already requires many similar measures for public-sector suppliers
  • Companies already compliant with ENS will have a head start on NIS2 requirements

A Practical Compliance Roadmap for SMEs

Based on the NIS2 requirements and the realities of SME resource constraints, here is a phased approach:

Phase 1: Assessment (Months 1-2)

  • Determine whether you are directly in scope (sector + size thresholds)
  • Assess indirect exposure through supply chain obligations
  • Conduct a gap analysis against NIS2 Article 21 requirements
  • Identify your national competent authority and registration requirements

Phase 2: Foundation (Months 3-4)

  • Establish an information security policy and risk management framework
  • Implement incident response procedures aligned with the 24-hour early warning requirement
  • Deploy basic technical controls: MFA, backup, encryption, endpoint protection
  • Begin management body training (required under Article 20)

Phase 3: Maturation (Months 5-8)

  • Implement supply chain security measures and update vendor contracts
  • Deploy monitoring capabilities (in-house or via managed services)
  • Conduct a vulnerability assessment or penetration test
  • Establish business continuity and disaster recovery plans

Phase 4: Optimization (Ongoing)

  • Regular policy reviews and updates
  • Annual penetration testing and risk assessments
  • Continuous security awareness training for all staff
  • Periodic compliance audits against evolving national requirements

Management Liability: Why Leaders Must Pay Attention

NIS2 Article 20 introduces a significant change for SME leadership: management bodies can be held personally liable for non-compliance. This means company directors, managing partners, and C-suite executives must:

  • Approve cybersecurity risk management measures
  • Oversee implementation of those measures
  • Undergo cybersecurity training themselves
  • Be accountable for infringements of Article 21

According to ENISA's Threat Landscape 2024 report, SMEs remain disproportionately targeted by cybercriminals, with ransomware attacks on SMEs increasing by 47% compared to the previous year. The combination of regulatory liability and increasing threat exposure makes NIS2 compliance not just a legal requirement but a business survival strategy for European SMEs.

Conclusion

NIS2 represents a significant expansion of cybersecurity regulation in Europe, and SMEs cannot afford to ignore it. Whether you are directly in scope through size thresholds, indirectly affected through supply chain requirements, or simply want to improve your security posture ahead of regulatory changes, taking action now is essential. The Directive's proportionality principle means you do not need enterprise-level spending -- but you do need a structured, risk-based approach to cybersecurity that covers the fundamentals. Start by assessing your scope status, prioritize the highest-impact measures, and consider working with specialized providers like Orizon to make compliance achievable within your budget.

How Orizon Helps with NIS2

Requirement | Orizon Solution
Risk Management | RECON + Oversight
Incident Handling | Oversight SOC 24/7
Security Testing | Fireline Pentest
Security Awareness | Aware Platform