NIS2 Directive: A Practical Compliance Checklist for B2B SaaS

Who this guide is for
NIS2 is the EU's mandatory cybersecurity directive, in force since October 2024, covering 18 critical sectors. If you run a B2B SaaS business serving European customers, you are likely in scope, even if your legal team has not flagged it. A NIS2 compliance checklist that B2B SaaS teams can actually act on starts with a scope test, then maps Article 21 controls to engineering work, then quantifies what each phase costs. Most published guidance skips that last part.
This guide is written for engineers, product owners, and founders, not procurement lawyers. If you already know you are in scope, jump to the Article 21 section.
Key Takeaways
B2B SaaS providers serving essential entities can inherit NIS2 obligations even from outside the 18 named sectors, with mandatory registration to the national authority.
Article 21 lists 10 security categories; five (incident handling, SDLC, MFA, supply chain, and effectiveness assessment) demand the heaviest engineering lift.
EU penalties reach €10 million or 2% of global turnover for essential entities, per the directive text cited by Keepit.
Gravidy audits show NIS2 readiness costs €23K-63K for a 50-200 person SaaS, with active ISO 27001 holders paying 40-60% less.
Are you actually in scope for NIS2?
B2B SaaS sits in an awkward corner of the NIS2 scope map. The directive applies to medium and large organisations (50+ employees or €10M+ turnover) operating in one of 18 designated sectors. Most SaaS companies land in Annex II as digital providers or managed service providers, which carries lighter supervisory requirements than Annex I but identical Article 21 obligations.
The harder case is supply chain inheritance. If you sell to a healthcare network, an energy utility, or a financial market participant, NIS2 Article 21(2)(d) requires your customer to assess your security practices. In practice, you inherit a checklist whether or not you are directly named. The European Commission's NIS2 overview confirms this expectation for upstream service providers.
Run three checks: size threshold, sector classification (Annex I or II), and whether you serve essential entities. If two of three are yes, register with your national competent authority. Self-identification was optional under NIS. Under NIS2 it is mandatory.
What actually changed between NIS and NIS2?
NIS (2016) covered seven sectors and let organisations self-select whether they qualified. NIS2 removes that option, expands to 18 sectors, adds personal liability for board members, and shrinks the initial incident reporting window from 72 hours to 24.
Five changes matter most for SaaS teams:
- Scope: digital service providers moved from an optional annex to mandatory Annex II.
- Supply chain security: NIS had no explicit clause. Article 21(2)(d) now requires direct supplier assessment.
- Incident reporting: 24-hour initial notification to the national authority, not 72.
- Management accountability: Article 20 makes governing bodies personally liable for cybersecurity oversight.
- Penalty floors: NIS left fines inconsistent across member states. NIS2 sets EU-wide minimums.
The personal liability piece changes the conversation at board level. GDPR fines hit the entity. NIS2 sanctions can suspend an individual director from managerial functions. That is a different risk profile, and it is the reason boards now want quarterly evidence rather than annual policy reviews. ENISA's NIS2 guidance goes into the procedural detail.
The NIS2 compliance checklist B2B SaaS teams need
Article 21 specifies 10 security categories. Every in-scope organisation must implement them proportionate to its risk profile. For SaaS, half are heavy technical work and half are policy.
From the Gravidy audit perspective, the five hardest categories for SaaS teams are incident handling, supply chain security, secure SDLC, effectiveness assessment, and MFA enforcement across legacy admin systems. Policy work moves faster than engineers expect. Technical controls take longer than founders expect. The proportionality clause is not a loophole; national authorities interpret it based on sector exposure, not company preference.
| Article 21 requirement | What it means for SaaS | Typical effort |
|---|---|---|
| Risk analysis and security policies | Documented ISMS and threat model | 3-6 weeks |
| Incident handling | Detection, IR playbook, 24h NCA notification path | 4-8 weeks |
| Business continuity and DR | Defined RTO/RPO, tested recovery | 2-4 weeks |
| Supply chain security | Vendor risk questionnaire, SLA security clauses | 4-6 weeks |
| Secure development (SSDLC) | Shift-left testing, dependency scanning, code review | 6-12 weeks |
| Effectiveness assessment | Annual pentest, vulnerability disclosure policy | Ongoing |
| Cyber hygiene and training | Phishing simulation, onboarding security module | 2-3 weeks |
| Cryptography | Encryption at rest and in transit, key management | 2-4 weeks |
| HR security and access control | Joiners/leavers process, RBAC, PAM for admins | 3-5 weeks |
| MFA and secure communications | Enforced MFA on admin and production systems | 1-2 weeks |
For the effectiveness assessment row, see how the first pentest usually goes. If your product ships LLM features, AI system security now falls inside Article 21 too. Prompt injection is a documented attack surface.
How long does NIS2 implementation actually take?
Based on Gravidy security assessments of EU B2B SaaS companies during 2024 and 2025, teams starting from no formal security programme need six to nine months to reach defensible NIS2 readiness. Companies with an active ISO 27001 certification reach readiness in three to four months because most baseline controls already exist and only need re-scoping.
Three phases run in parallel, not in sequence:
Phase 1 (weeks 1-8): scope confirmation, gap assessment, policy drafting (ISMS, incident response, vendor risk). External cost typically €3K-8K depending on audit depth.
Phase 2 (weeks 4-20): MFA enforcement, vulnerability scanning pipeline, DR testing, supply chain questionnaire rollout. External cost typically €12K-35K. The wide range reflects tooling debt. Companies dragging legacy on-prem components alongside cloud-native stacks consistently land near the top.
Phase 3 (weeks 16-36): external pentest, tabletop incident simulation, NCA registration, board sign-off under Article 20. External cost typically €8K-20K.
Total observed: €23K-63K for a 50-200 person SaaS. Teams that skipped ISO 27001 and jumped straight to NIS2 paid 40-60% more in remediation because baseline controls were missing. The most common mistake we see is treating NIS2 as a documentation project. National authorities can run on-site inspections and demand technical evidence, not policy PDFs.
What do NIS2 penalties actually look like?
EU member states can impose fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities that breach NIS2 obligations, per the Keepit NIS2 compliance checklist citing the directive text. Important entities face a lower ceiling: €7 million or 1.4% of turnover.
The fine structure intentionally mirrors GDPR so that compliance officers recognise it. The material difference is personal liability. NIS2 Article 20 allows national authorities to temporarily prohibit a manager from exercising managerial functions when an organisation repeatedly fails to address identified risks. That sanction does not exist under GDPR. It lands on the individual, not the legal entity.
For most SaaS companies, the near-term risk is not a regulator's fine. It is procurement. Enterprise security questionnaires in DACH and the Nordics already include NIS2 attestation questions. Failing them blocks sales cycles before legal ever sees the contract.
Member state enforcement maturity varies sharply. Germany (via BSI), the Netherlands (NCSC-NL), and Finland are furthest along. Several southern EU states have still not completed national transposition, which means uneven exposure depending on where your customers sit.
Frequently Asked Questions
### What is the NIS2 directive?
NIS2 is EU Directive 2022/2555, the updated Network and Information Security law that replaced the original 2016 NIS Directive. It sets mandatory cybersecurity requirements across 18 critical sectors, with binding incident reporting timelines, risk management obligations under Article 21, and significant financial and personal penalties for non-compliance.
### When does NIS2 take effect?
The directive entered EU law on January 16, 2023, with a transposition deadline of October 17, 2024 for member states to pass national implementing legislation. Enforcement powers for national authorities began from that date, though transposition progress varies by country and some southern EU states are still finalising national law.
### What is the difference between NIS and NIS2?
NIS (2016) covered seven sectors, allowed voluntary self-identification, set no minimum penalty levels, and had no explicit supply chain security clause. NIS2 doubles the covered sectors to 18, mandates registration with national authorities, adds board-level personal liability, cuts the initial incident reporting window from 72 to 24 hours, and sets EU-wide penalty floors.
Closing thought and next step
NIS2 compliance is not a one-time checklist. It is an operational posture: documented, tested, and approved at board level. The SaaS companies that will struggle most are not the ones lacking security controls entirely. They are the ones with informal practices that have never been written down, tested against a real incident, or reviewed by an external party.
Most B2B SaaS sites we audit also have three to five SEO findings sitting next to those security gaps. If you want to know which fixes are draining your traffic and which exposures would trip a NIS2 inspection, book a Free SEO Audit Call. Thirty minutes, specific findings, no slide decks.