Guide · ~11 min read

NIS2 for SMEs: Does It Apply to Small and Medium Businesses?

NIS2 officially excludes micro and small enterprises, but there are important exceptions. This guide helps SMEs understand the size thresholds, sector exceptions, and what to do if you are in scope.

TL;DR

NIS2 officially does not apply to micro enterprises (<10 employees, <€2M) and small enterprises (<50 employees, <€10M). But: certain sectors have size-threshold exceptions, and as a supplier to an Essential Entity, you may be indirectly affected. This guide explains what to do.

For small and medium enterprises (SMEs), NIS2 applicability is often unclear. Many SMEs hear about NIS2 but do not know whether it applies to them. This guide explains precisely when NIS2 applies, what exceptions exist, what SMEs as suppliers should do, and how much a baseline NIS2 compliance implementation costs.

The NIS2 Size Thresholds

| Enterprise size   | Employees | Turnover / Balance | NIS2 status             |
|-------------------|-----------|--------------------|-------------------------|
| Micro enterprise  | < 10      | < €2M              | Exempt ✓                |
| Small enterprise  | < 50      | < €10M             | Exempt ✓                |
| Medium enterprise | 50–249    | €10–50M            | Potentially in scope ⚠ |
| Large enterprise  | ≥ 250     | > €50M             | In scope ✗              |

* Size is assessed on BOTH criteria. A medium enterprise must meet both the employee AND the turnover threshold.

Size-Rule Exceptions: These SMEs Are in Scope Regardless

NIS2 Article 2(2) lists entity types that fall in scope regardless of size. If your company operates in one of these categories, the headcount is irrelevant:

- DNS service providers (including recursive DNS resolvers)
- TLD name registry operators
- Trust service providers (qualified and non-qualified)
- Providers of publicly available electronic communications services
- Public administration entities (national and regional, depending on member state)
- Entities designated as critical by member states regardless of size

Indirect Impact: SMEs as Suppliers

Even if your company is not directly in scope, you may be indirectly affected if you act as a supplier or service provider to an Essential or Important Entity.

Quick Test

Find out if your company is in scope

Does your organisation fall under Annex I (Essential) or Annex II (Important) entities?

Check NIS2 Scope →

āš ļø Supply chain duty under Article 21(2)(d)

NIS2-affected entities must assess the security practices of their suppliers. This means: if you have a NIS2-affected customer, they will likely require security questionnaires, audit access, or contractual cybersecurity clauses from you, even if you are not directly in scope yourself.

When You Grow Past the Thresholds

Many growing companies miss that NIS2 applies from the moment they cross the thresholds, not when the authority informs them. NIS2 Article 3(3) requires entities to self-register with the competent authority as soon as they meet the thresholds.

In practice, this means: if your company grows during the year to 55 employees and €12 million in turnover and operates in a NIS2 sector, you must register and begin implementation, even if you had no prior knowledge of NIS2.

ā„¹ļø Recommendation for growing companies

Check annually whether you have met the NIS2 thresholds. Start preparing early if you are approaching the thresholds. Registration and initial compliance measures take time you do not have once you have already crossed the threshold.

Cost of a Baseline NIS2 Implementation for SMEs

A common question is: what does NIS2 compliance cost for a medium-sized company? Costs vary considerably depending on the existing security baseline. Companies with no existing security structure pay considerably more than those that have already implemented ISO 27001 or similar frameworks.

| Cost area                                          | Starting point: no ISMS | Starting point: ISO 27001 |
|----------------------------------------------------|-------------------------|---------------------------|
| Initial assessment / gap analysis                  | €5,000–15,000           | €2,000–5,000              |
| Policies and documentation                         | €10,000–25,000          | €2,000–5,000              |
| Technical measures (MFA, EDR, backup, SIEM)        | €30,000–80,000          | €5,000–20,000             |
| Management training                                | €2,000–5,000            | €2,000–5,000              |
| Incident response plan and exercises               | €5,000–15,000           | €2,000–5,000              |
| Supply chain assessment                            | €5,000–15,000           | €3,000–8,000              |
| Annual ongoing costs (audits, training, updates)   | €15,000–40,000          | €8,000–20,000             |

Indicative figures for a medium-sized enterprise (50–249 employees). Individual costs depend heavily on existing infrastructure, sector requirements, and the choice between internal implementation and external consultancy.

National Support Programmes for SMEs

Several EU member states have developed programmes to support SMEs with cybersecurity:

Germany: BSI

BSI offers free guidance documents and the IT-Grundschutz Compendium, which is specifically designed with SMEs in mind. BSI IT-Grundschutz certification is recognised by authorities as NIS2 evidence.

Belgium: CCB

The CyberFundamentals Framework (CFF) has a 'Basic' level explicitly designed for SMEs that requires considerably less effort than ISO 27001. The CCB provides free guides and self-assessment tools.

Netherlands: DTC

The Digital Trust Centre offers SME-oriented advisory services and a free Cyber Security Assessment Tool.

EU-wide: ENISA

ENISA regularly publishes SME-specific cybersecurity guides and runs the European Cyber Security Month (ECSM) with resources for smaller organisations.

What SMEs Should Do

1. Check applicability
Use our NIS2 Scope Checker to clarify in 60 seconds whether NIS2 applies directly. Also consider the size-rule exceptions and identify which sectors your company operates in.

2. Anticipate customer requirements
Check with your key customers whether they are classified as NIS2 entities. If yes, prepare for security questionnaires, audits, and contractual cybersecurity clauses.

3. Build baseline cybersecurity
Implement MFA, patch management, regular backups, and a basic incident response process, even if not directly in scope. This strengthens your position as a supplier and reduces your own risks.

4. Consider certification
ISO 27001 or national frameworks like Belgium's CyberFundamentals Basic level can serve as evidence to NIS2-affected customers. The Basic level of the CyberFundamentals Framework is less expensive than ISO 27001 and specifically designed for SMEs.

5. Review and negotiate contract clauses
When customers start including NIS2 security clauses in contracts, review which requirements you can meet and which seem disproportionate. Some clauses (for example, unlimited audit rights) can be negotiated.

Are you directly in scope?

Our scope checker gives a clear answer in 60 seconds.

Check now

FAQ

We have 45 employees and €8 million turnover. Does NIS2 apply?
No, unless you operate in one of the sector-specific exception areas (DNS, TLD, trust services, public administration). You meet both conditions for a small enterprise (under 50 employees and under €10 million) and are therefore exempt from NIS2. Still check whether your customers are NIS2 entities that might impose requirements on you.

We are a cloud provider with 30 employees. Does NIS2 apply?
It depends on the type of cloud services you provide. Cloud computing service providers fall under NIS2 if they qualify as 'DNS service providers' or 'cloud computing service providers' within the meaning of the Directive. With IaaS, PaaS, or SaaS above certain user thresholds, you may be in scope despite a small headcount. Have your specific service legally reviewed.

Our customers are demanding NIS2 compliance evidence from us. What can we do?
You have several options: (1) ISO 27001 certification, (2) CyberFundamentals Basic-level certification (less expensive, recognised by CCB in Belgium), (3) completing security questionnaires (SIG-Lite, CAIQ), (4) providing penetration test results or security reports. Ask your customer which specific evidence they will accept.

If we are not directly in scope, do we still need to act?
Legally, no. NIS2 directly obligates only Essential and Important Entities. But commercially: if your key customers are NIS2 entities and they require security evidence from you, that is market pressure that functions just as effectively as a legal obligation.