Is Your Business in Scope for NIS2? A Plain-English Checklist
The practical guide to understanding NIS2 requirements for SMBs — and a free tool to assess your compliance in 15 minutes.
If you run a business in the EU, you've probably heard about NIS2 by now. But between the legal jargon, conflicting advice, and the sheer volume of frameworks out there, it's hard to know where you actually stand.
This guide cuts through the noise. We'll explain what NIS2 is, whether it applies to your business, and give you a practical checklist you can work through today — no consultant required.
What Is NIS2?
NIS2 is the EU's updated directive on cybersecurity. It replaced the original NIS Directive in January 2023, and EU member states were required to transpose it into national law by October 2024. It significantly expands both who is covered and what is expected of them.
The directive sets minimum cybersecurity requirements for organisations that provide essential or important services across the EU. Think of it as the EU saying: if your business matters to the economy or society, you need to prove your cyber house is in order.
Does NIS2 Apply to Your Business?
This is the question that catches most people out. NIS2 doesn't just apply to critical infrastructure. It covers a much wider range of sectors and sizes than most business owners realise.
You're likely in scope if you meet both of these criteria:
Size threshold: Your organisation has 50 or more employees, OR annual turnover exceeds €10 million.
Sector: You operate in one of the sectors listed below.
Essential Entities (stricter requirements, higher penalties)
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, laboratories, pharma, medical devices)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, cloud, data centres, CDNs)
- ICT service management (B2B — managed service providers, managed security providers)
- Public administration (central government)
- Space
Important Entities (lighter oversight, still significant obligations)
- Postal and courier services
- Waste management
- Chemical manufacturing, production, and distribution
- Food production, processing, and distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research organisations
Key point: Even if your organisation is below the size threshold, member states can designate you as in scope if you're a sole provider of an essential service, or if disruption to your services could have significant impact. Your supply chain partners may also require you to demonstrate compliance regardless of your size.
The NIS2 Compliance Checklist
If you're in scope (or think you might be), work through this checklist. It covers the core requirements of the directive.
1. Governance & Accountability
- ✅ Board-level or senior management responsibility for cybersecurity is formally assigned
- ✅ Management has received cybersecurity awareness training
- ✅ There is a named individual responsible for NIS2 compliance
- ✅ Cybersecurity risk is a standing item on the board agenda
2. Risk Management & Policies
- ✅ A formal cybersecurity risk assessment has been completed in the last 12 months
- ✅ An information security policy exists and is reviewed at least annually
- ✅ Risk treatment plans are documented with owners and deadlines
- ✅ Policies cover acceptable use, access control, and data classification
3. Incident Handling
- ✅ An incident response plan exists and has been tested (tabletop exercise or simulation)
- ✅ You can detect and report a significant incident within 24 hours (early warning to CSIRT)
- ✅ You can provide a full incident notification within 72 hours
- ✅ A final incident report can be produced within one month
- ✅ Roles and responsibilities during an incident are clearly defined
4. Business Continuity
- ✅ A business continuity plan exists covering key systems and services
- ✅ Backups are performed regularly and tested for restore
- ✅ A disaster recovery plan is documented and tested
- ✅ Recovery time and recovery point objectives (RTO/RPO) are defined
5. Supply Chain Security
- ✅ Critical suppliers and third-party providers are identified
- ✅ Supplier contracts include cybersecurity requirements
- ✅ Third-party risk assessments are conducted at least annually
- ✅ You have visibility into your supply chain's security posture
6. Technical Security Controls
- ✅ Multi-factor authentication (MFA) is enabled on all critical systems
- ✅ Network segmentation is in place to limit lateral movement
- ✅ Encryption is used for data in transit and at rest
- ✅ Vulnerability management process exists (regular scanning and patching)
- ✅ Access control follows the principle of least privilege
- ✅ Logging and monitoring are active on critical systems
7. Reporting & Registration
- ✅ You have identified which member state's NIS2 transposition applies to you
- ✅ You have registered (or plan to register) with the relevant national authority if required
- ✅ You understand the penalty regime in your jurisdiction
What Happens If You're Not Compliant?
NIS2 has real teeth. Penalties for essential entities can reach €10 million or 2% of global annual turnover, whichever is higher. For important entities, it's €7 million or 1.4% of turnover. Management can also be held personally liable — this isn't just a fine for the company.
Beyond penalties, there's the business risk. Customers, partners, and insurers are increasingly asking for evidence of compliance. If you can't demonstrate your posture, you risk losing contracts and facing higher insurance premiums.
How to Assess Your NIS2 Compliance in 15 Minutes
Working through the checklist above gives you a good sense of where you stand. But if you want a scored assessment with prioritised actions, you can use ShieldIQ's free NIS2 compliance assessment.
The platform asks 25–30 practical questions mapped to the NIS2 directive's requirements. AI analyses every response individually and scores each category from 0–100%. You get a spider graph showing your strengths and weaknesses, a risk heatmap, and a prioritised list of what to fix first — ranked by effort and impact.
It's free, takes under 15 minutes, and you don't need to hand over a credit card or sit through a sales demo.
Ready to find out where you stand?
Start your free compliance assessment at app.shieldiqcyber.com
No credit card. No sales call. Under 15 minutes.