The NIS2 Directive (Directive (EU) 2022/2555) replaces the original 2016 NIS Directive, extending the EU's cybersecurity rules to more sectors and tightening the risk-management and incident-reporting obligations on the entities in scope. While most regulatory attention is on large, critical-infrastructure operators, the directive is quietly reshaping the operational landscape for the small and medium enterprises that supply them.
If you supply services to a large enterprise, their regulatory burden is about to become your operational requirement.
The Article 21 cascade
NIS2 is designed to strengthen the culture of security across sectors vital for our economy and society, such as energy, transport, water, banking, healthcare, and digital infrastructure. Under Article 21, the essential and important entities in these sectors are legally required to take appropriate and proportionate technical, operational and organisational risk-management measures. Crucially, Article 21(2)(d) names supply-chain security, including the security-related aspects of each entity's relationships with its direct suppliers and service providers, among the minimum measures.
This creates a regulatory cascade. The management bodies of in-scope entities must approve these measures and oversee their implementation, and can be held personally liable for failures (Article 20); the entity itself faces significant administrative fines. Boards therefore have a direct incentive to assess the risk profile of each supplier systematically. In practice they look for weaknesses such as compromise of software dependencies through the supply chain, or dependence on a single ICT service provider that becomes a single point of failure.
You may not be an essential or important entity yourself (the NIS2 terms that replace the original directive's "operator of essential services"), but if your largest customer is one, their need for compliance will materialise on your desk as an extensive supplier-readiness audit.
What this means for SMEs
Procurement teams are no longer accepting informal assurances. They require documented, objective evidence of your operational resilience.
The NCSC recognises this shift and has indicated that forthcoming certification schemes will encompass NIS2-aligned measures specifically designed to aid SMEs in strengthening their resilience. However, the immediate pressure will not come from the regulator — it will come from your clients' procurement and legal departments attempting to satisfy their own compliance audits.
The 3-step checklist: what to do tonight
You do not need to panic, but you do need to prepare. Take these three concrete steps tonight to understand your exposure and establish your baseline.
1. Map your enterprise exposure
Review your top ten revenue-generating clients and determine whether each operates in a sector within NIS2's scope, listed in Annex I and Annex II of the directive: energy, transport, banking and financial market infrastructure, health, drinking and waste water, digital infrastructure, public administration and space, plus the Annex II sectors such as postal services, waste management, chemicals, food, manufacturing and digital providers. Their supplier due diligence applies to you regardless of your own size. If any of them is in scope, an audit request is likely imminent.
2. Locate your foundational documentation
Enterprise audits will look for evidence, not assertions. Locate your current business continuity plans (backup management, disaster recovery and crisis management) and your information system security policies, both of which appear in the Article 21(2) list of minimum measures, along with records of management reviews showing that someone accountable actually approved and revisited them. If these processes exist only in the minds of your key staff, schedule time to write them down.
3. Run the NCSC SME self-assessment
You do not need to guess your current standing. The NCSC provides a detailed guide on NIS2 self-assessment and a specific tool to assist SMEs in this process. Run through it to identify your immediate gaps before your enterprise clients identify them for you.
Regulatory note: this is a plain-language overview, not legal or compliance advice. NIS2 obligations vary by sector, member state, and entity classification. Consult your legal adviser for definitive guidance on your specific position.