NIS2 for SMEs: who must comply and the 10 areas to cover
NIS2 isn't just for large companies: the supply chain pulls SMEs in too. Find out who must comply, the 10 security areas of Article 21, the 2026 deadlines and fines up to 10 million euro, with a free assessment to see where you stand.
Gaetano Castaldo
In short
NIS2 (EU Directive 2022/2555, transposed in Italy by Legislative Decree 138/2024) raises the cybersecurity bar for thousands of companies. It isn't only about large enterprises: it applies to entities in critical sectors that exceed the size thresholds (at least 50 employees or over €10 million in turnover), but it also reaches SMEs below the threshold through the supply chain. Those in scope must cover 10 security areas (Article 21), be able to notify incidents to ACN within 24 hours / 72 hours / 1 month, and have their baseline measures operational by 31 October 2026. Failing to comply risks fines up to €10 million or 2% of worldwide turnover and the personal liability of directors. This article covers who must comply, the 10 areas in detail, the deadlines and how to build a sustainable roadmap. At the end you'll find a free assessment to see where you stand in 12 minutes.
NIS2: not (just) a big-company problem
When NIS2 comes up, the typical reaction of an SME owner is: "that's for multinationals, not my 60-person company." It's a dangerous assumption, for two reasons.
First: the threshold for application is far lower than people think. 50 employees or €10 million in turnover in a critical sector are enough to be in scope. Those are small-to-medium business numbers, not large-group numbers.
Second, and even more underestimated: even if your company is below the threshold, NIS2 still reaches you if you are a supplier to a company that must comply. The directive requires in-scope entities to secure their supply chain, which means your more structured clients will start asking you for contractual security requirements, audits and incident-notification clauses. Not being ready means, very concretely, losing tenders and contracts.
In other words, NIS2 is becoming the de facto standard for B2B cybersecurity in Europe. And just as happened with the AI Act, arriving unprepared at the deadlines is a choice that comes at a cost.
What NIS2 is and who enforces it
NIS2 is Directive (EU) 2022/2555, which replaces the previous 2016 NIS directive and dramatically widens its scope: more sectors, more entities, stricter obligations and, above all, real fines.
In Italy it was transposed by Legislative Decree 138 of 4 September 2024, in force since 16 October 2024. The competent authority is ACN, the National Cybersecurity Agency, while incident notifications go to CSIRT Italia.
The goal isn't paperwork: it's to raise the cyber resilience of the productive system. That's why NIS2 thinks in terms of risk management and leadership accountability, not bureaucratic checklists. Let's see what that means in practice.
1. Who it applies to: are you in scope?
NIS2 covers a lot of organizations, public and private: 18 sectors in total and over 80 types of entity. But for a private company the question is simple and comes down to two things taken together: what sector you operate in and how big you are.

The critical sectors (private companies) are in two annexes:
- Annex I, high-criticality sectors (mostly yielding essential entities): energy, transport, banking and financial markets, health, drinking water and waste water, digital infrastructure, ICT service management, space.
- Annex II, other critical sectors (mostly yielding important entities): postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing (medical devices, computer and electronic products, machinery, motor vehicles), digital providers, research.
The size thresholds: as a rule you're in scope if you have at least 50 employees or an annual turnover/balance sheet over €10 million. Large companies (≥250 employees or >€50M) are typically essential; medium ones tend to be important.
What if you're small, a public body or a supplier?
The "sector + size" rule isn't the whole story. Keep three cases in mind that hit SMEs directly:
- Are you a public body or a public company? Public administrations and publicly-controlled, participated or in-house companies are in scope by category (Annexes III and IV of the decree), often regardless of size. For municipalities the obligation kicks in above 100,000 inhabitants.
- Do you run a critical service, even if you're small? Providers of services like internet domains (DNS), digital signatures and identities (trust services) or telecommunications networks are in scope even as a micro or small business. ACN can also add other entities it deems critical.
- Are you a supplier to a bigger company? This is how most SMEs get pulled in: your in-scope client must secure its supply chain and will start asking you for contractual security requirements. Not being "directly" in scope doesn't mean you're out.
Essential vs important entities
The difference is mostly about oversight: essential entities are checked proactively, even before anything happens; important ones usually only after a problem or a tip-off. But note: the Article 21 security obligations apply to both. What changes is how closely you're watched and the size of the fine, not what you must do.
In practice: if you operate in an annex sector and exceed the thresholds, you're in. If you're a publicly-controlled company or a public body, check Annexes III and IV. And if you're below the threshold but supply structured companies, prepare anyway: the pressure will come through contracts. When in doubt, our free assessment gives you an indicative classification in minutes.
2. The 2026 deadlines to put on your agenda
NIS2 in Italy isn't "one single date": it's a gradual journey. ACN published the list of NIS entities on 31 March 2025 (over 20,000 organizations, more than 5,000 of them essential). From that moment the deadlines start, scheduled as follows in 2026.

- 15 January 2026, incident notification becomes fully operational: early warning within 24 hours, notification within 72 hours, final report within 1 month.
- 1 January – 28 February 2026, annual window to register and update data on the ACN portal (points of contact, CSIRT contact).
- 1 May – 30 June 2026, communication and categorization of activities and services on the ACN platform.
- 31 October 2026, the decisive deadline: all baseline security measures must be operational.
The underlying logic is the two terms that start from the notification of inclusion in the list: 9 months to activate incident-notification mechanisms and 18 months to implement baseline security measures. In short: entities listed in 2025 reach full operability of the measures right at the end of October 2026. That's not much time if you're starting from scratch.
3. The 10 areas of NIS2 (Article 21)
The heart of NIS2 is Article 21, which lists the 10 minimum risk-management measures. Don't panic: you don't need to become an expert in each one. Treat them as a checklist and, for each, ask yourself just one question, "am I covered or not?", then look at the first concrete move (under In practice). Here they are, SME-style.

1. Governance and risk management
The foundation of everything. You need formalized security policies and a risk analysis, and, crucially, the management body (board, owner, director) must be involved, trained and accountable. NIS2 moves cybersecurity from the IT department to the desk of whoever runs the company. In practice: appoint a lead, have the leadership approve the measures, document how you assess risk.
2. Incident handling
You must be able to detect, handle and notify a significant incident. That means a documented process, clear roles and the technical and organizational ability to meet the 24h/72h/1-month deadlines toward CSIRT Italia. In practice: prepare an incident-response procedure and contacts already registered on the ACN portal, before you actually need them.
3. Business continuity and crisis management
Backups, disaster recovery, business continuity and crisis management. Doing backups isn't enough: you must test restores and have a plan to keep operating (and communicating) during an attack. In practice: a 3-2-1 backup strategy with offline copies, defined RTO/RPO for critical systems, a written continuity plan.
4. Supply chain security
NIS2 makes you responsible for the security of your critical ICT suppliers too. You must map them, put security requirements into contracts and monitor them over time. It's the same mechanism that, downstream, involves you if you supply others. In practice: an inventory of critical suppliers, contractual security clauses, a risk assessment for the most important ones.
5. Security in acquisition, development and maintenance (and vulnerability management)
Security must be built into how you buy, develop and maintain systems, including a vulnerability management and responsible disclosure process. In practice: risk-based patch management, periodic scans, a channel to report vulnerabilities, security requirements in software procurement.
6. Assessing the effectiveness of measures
Adopting measures isn't enough: you must measure whether they work. Audits, metrics, periodic reviews and management of non-conformities. In practice: an internal audit plan, a few monitored security KPIs, at least an annual review of policies.
7. Basic cyber hygiene and training
The basics that stop most attacks: updates, antivirus, strong passwords, MFA, and above all staff training. The weak link is almost always the person. In practice: a hygiene baseline applied to all devices and periodic training with phishing simulations, an area that, incidentally, overlaps with the AI literacy obligation.
8. Cryptography
Policies and use of cryptography to protect data at rest (servers, devices, backups) and in transit (TLS, VPN), with secure key management. In practice: encrypt devices and sensitive data, use encrypted connections everywhere, manage keys and certificates with clear procedures.
9. HR security, access control and asset management
You must know what you own (asset inventory), who accesses what (least-privilege access control) and manage security in HR processes (onboarding/offboarding). In practice: an up-to-date inventory, role-based access, timely revocation when someone leaves, attention to privileged accounts.
10. Multi-factor authentication and secure communications
Use of MFA (ideally phishing-resistant) on critical access, secure communications where needed and secure emergency communication systems in a crisis. In practice: MFA on VPN, email and critical systems; an alternative communication channel for when normal systems are compromised.
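Area 3 says backups only count if they follow 3-2-1 (with an offline copy), are within the agreed RPO and have a proven restore. As an added example, not code from the article or from Castaldo Solutions, the Python below turns those three requirements into a check that an SME could run against its own backup inventory and reports a traffic light per critical system, in the spirit of the assessment the article describes. The inventory records, the system names, the policy values (24-hour RPO, restore test every 90 days) and the "now" timestamp are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    """One backup copy of a system (constructed record, hypothetical fields)."""
    system: str
    media: str                  # e.g. "disk", "tape", "object-storage"
    location: str               # "onsite" or "offsite"
    offline: bool               # True if disconnected or immutable (ransomware-resistant)
    completed_at: datetime      # when this copy last completed
    last_restore_test: Optional[datetime]  # None if a restore was never tested


@dataclass(frozen=True)
class SystemPolicy:
    rpo: timedelta                  # maximum tolerated data loss
    restore_test_every: timedelta   # how often a restore must be proven


@dataclass(frozen=True)
class Finding:
    system: str
    severity: str   # "red" (blocking gap) or "yellow" (weakness to fix soon)
    message: str


def evaluate(copies: List[BackupCopy], policies: Dict[str, SystemPolicy], now: datetime) -> List[Finding]:
    """Check every system that has a policy against 3-2-1, RPO and restore-test evidence."""
    findings: List[Finding] = []
    by_system: Dict[str, List[BackupCopy]] = {}
    for c in copies:
        by_system.setdefault(c.system, []).append(c)

    for system, policy in policies.items():
        sys_copies = by_system.get(system, [])
        if not sys_copies:
            findings.append(Finding(system, "red", "no backup copy at all"))
            continue
        # 3-2-1: three copies (production counts as one, so at least two backups),
        # on two different media, one of them offsite. The article adds: one offline.
        if len(sys_copies) < 2:
            findings.append(Finding(system, "red", f"only {len(sys_copies)} backup copy (need 2 plus production)"))
        if len({c.media for c in sys_copies}) < 2:
            findings.append(Finding(system, "yellow", "all backup copies on one media type"))
        if not any(c.location == "offsite" for c in sys_copies):
            findings.append(Finding(system, "red", "no offsite copy"))
        if not any(c.offline for c in sys_copies):
            findings.append(Finding(system, "red", "no offline/immutable copy"))
        # RPO: the newest copy must be younger than the tolerated data loss.
        newest = max(c.completed_at for c in sys_copies)
        if now - newest > policy.rpo:
            findings.append(Finding(system, "red", f"newest copy is {now - newest} old, RPO is {policy.rpo}"))
        # A backup is only evidence once a restore from it has been tested recently.
        tests = [c.last_restore_test for c in sys_copies if c.last_restore_test is not None]
        if not tests or now - max(tests) > policy.restore_test_every:
            findings.append(Finding(system, "yellow", "no recent restore test"))
    return findings


def traffic_light(findings: List[Finding], policies: Dict[str, SystemPolicy]) -> Dict[str, str]:
    """Collapse findings into green/yellow/red per system; any red finding wins."""
    score = {system: "green" for system in policies}
    for f in findings:
        if f.severity == "red":
            score[f.system] = "red"
        elif score[f.system] == "green":
            score[f.system] = "yellow"
    return score


# Constructed sample data: a well-covered ERP, a file server backed up only to local
# disk, and a mail gateway with a policy but no backup at all.
NOW = datetime(2026, 3, 1, 8, 0, tzinfo=timezone.utc)

SAMPLE_COPIES = [
    BackupCopy("erp", "disk", "onsite", False, NOW - timedelta(hours=6), NOW - timedelta(days=20)),
    BackupCopy("erp", "object-storage", "offsite", True, NOW - timedelta(hours=7), None),
    BackupCopy("erp", "tape", "offsite", True, NOW - timedelta(days=6), NOW - timedelta(days=80)),
    BackupCopy("fileserver", "disk", "onsite", False, NOW - timedelta(days=3), None),
    BackupCopy("fileserver", "disk", "onsite", False, NOW - timedelta(days=3), None),
]

SAMPLE_POLICIES = {
    "erp": SystemPolicy(rpo=timedelta(hours=24), restore_test_every=timedelta(days=90)),
    "fileserver": SystemPolicy(rpo=timedelta(hours=24), restore_test_every=timedelta(days=90)),
    "mailgateway": SystemPolicy(rpo=timedelta(hours=24), restore_test_every=timedelta(days=90)),
}

if __name__ == "__main__":
    results = evaluate(SAMPLE_COPIES, SAMPLE_POLICIES, NOW)
    for f in results:
        print(f"[{f.severity}] {f.system}: {f.message}")
    for system, light in traffic_light(results, SAMPLE_POLICIES).items():
        print(system, light)
```

On the sample data the ERP comes out green, the file server red (no offsite or offline copy, newest copy older than the 24-hour RPO, single media type, never restore-tested) and the mail gateway red because nothing backs it up. The point for area 3 is that "we do backups" becomes a yes/no per requirement, and the restore-test date is treated as evidence you can show during a check.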
Want to see where you stand on these 10 areas? That's exactly what the NIS2 Readiness Assessment does, the free tool built on this very structure: answer a few questions per area and in about ten minutes you get a traffic-light score (green, yellow, red) showing you, in black and white, where you're covered and where you're exposed. It's the fastest way to turn the theory in this article into a snapshot of your company.
4. What's at stake if you don't comply: fines and board liability
This is where NIS2 raises the stakes compared to the past. The fines are not symbolic.
- Essential entities: up to €10 million or 2% of annual worldwide turnover, whichever is higher.
- Important entities: up to €7 million or 1.4% of annual worldwide turnover.
- Failure to register on the ACN portal: fines up to 0.1% of turnover (essential) or 0.07% (important).
But the real watershed is another: the personal liability of management bodies. The decree states that governing bodies approve the measures, oversee their implementation and are liable for violations. ACN can apply the accessory sanction of disqualification from management functions in the same entity. In other words: cybersecurity becomes a matter of directors' responsibility, no longer fully delegable to IT or an external vendor.
It's the same principle we've seen emerge with data and AI governance: compliance is no longer a cost to minimize, but a business risk to manage at the top. It's also worth remembering good practices on what not to expose, as we explain in 7 things SMEs shouldn't upload to ChatGPT.
5. Where to start, in practice
Seen all at once, NIS2 can look like a mountain. But for an entrepreneur the path comes down to a few concrete steps, done in the right order and without panicking.
1. Understand where you stand today. Before spending a single euro, get an honest snapshot: which of the 10 areas are you already fine on, and where are you exposed? It's the most important step, and the quickest. You can do it in ten minutes with the NIS2 Readiness Assessment, which gives you a traffic light per area and your priorities already in order.
2. Start with the red areas. You don't have to do everything at once. Put your first energy into the most serious gaps, usually three: backups that actually work, the ability to detect and report an attack, and MFA on the logins that matter. These are the measures that cut risk the most for the least effort.
3. Put it on the desk of whoever decides. NIS2 wants security to reach ownership, not stay inside IT. Appoint a point person, book a moment with leadership, and agree on a small annual budget. Without this step, good intentions stay just that.
4. Look at your suppliers (and your clients). List your most critical IT suppliers and start asking them for minimum security requirements. It's the same thing your bigger clients will, sooner or later, ask of you: getting there prepared is an advantage.
5. Write down what you do. NIS2 doesn't only reward being secure, but being able to prove it. Keep track of policies, decisions and tests: in case of a check, it's the difference between "we're working on it" and "here's the evidence".
6. Turn it into a habit. Once the basics are in place, the rest is maintenance: review the measures once a year, repeat the assessment and update the plan when something changes.
It's not a project with an end date: it's a way of working. But tackled like this, one step at a time, it's within reach of any SME.
6. On your own or with help?
An SME can handle a good part of the NIS2 measures in-house: backups, MFA, training and basic policies are within reach of anyone with a minimum of structure. For others, like risk analysis, supply chain security or preparing for a check, you need the more specialist skills of security governance and architecture.
The practical rule is simple: start with what you can do yourself right away, and get support where you don't have the skills in-house, especially to set the right method and avoid wasting your investment. Whether you do it internally or with a partner, what matters is not arriving at the deadlines unprepared: a company that can prove it's secure doesn't just avoid fines, it wins more contracts, especially as a supplier to NIS2 entities.
Frequently asked questions about NIS2 for SMEs
Does NIS2 really apply to my SME? It applies if you operate in a critical sector (Annex I or II of Decree 138/2024) and exceed the size thresholds: at least 50 employees or over €10 million in turnover/balance sheet. The decree also covers public administrations (Annex III) and publicly-controlled companies (Annex IV), and some entities are in scope regardless of size (DNS/TLD, trust services, electronic communications networks, sole national providers). Micro and small enterprises can also be involved if they are critical suppliers in the supply chain of a NIS2 entity.
What's the difference between essential and important entities? The type of supervision (proactive for essential, ex-post for important) and the maximum fines. The Article 21 security obligations, however, apply to both categories.
What are the NIS2 deadlines for 2026? From 15 January 2026 incident notification is fully operational (24h/72h/1 month); between January and February there's the registration/update window on the ACN portal; between May and June the categorization of services; by 31 October 2026 the baseline security measures must be operational.
What are the NIS2 fines? For essential entities up to €10 million or 2% of annual worldwide turnover; for important ones up to €7 million or 1.4%. There is also personal liability of management bodies, with possible disqualification from management functions.
What are the 10 measures required by Article 21? Risk analysis and security policies; incident handling; business continuity; supply chain security; security in development/acquisition and vulnerability management; assessing the effectiveness of measures; cyber hygiene and training; cryptography; HR security, access control and asset management; multi-factor authentication and secure communications.
My company is a supplier to a NIS2 entity: what changes for me? Even if you're below the threshold, your NIS2 client must secure its supply chain: it will ask you for contractual security requirements, possible audits and incident-notification obligations. Preparing now lets you avoid losing contracts and stand out from competitors.
How do I figure out where to start? The fastest way is a gap analysis on the 10 areas of Article 21. You can do it for free with the NIS2 Readiness Assessment, which gives you a traffic-light score per area and a priority roadmap to start from.
In short
NIS2 isn't a bureaucratic deadline to fear, but a chance to put your company's security in order, with a clear method and clear priorities. The rules are complex, but the starting point for any entrepreneur is simple, free and fast: understanding where you stand.
If you want a concrete snapshot of your situation, the NIS2 Readiness Assessment is the fastest way to get it: ten minutes, a score for each of the 10 areas and a list of priorities to start from. From there you'll calmly decide what to do yourself and where, if needed, to get a hand.
With NIS2, cybersecurity stops being an IT cost and becomes part of how a company looks after itself.
Founder & CEO · Castaldo Solutions
I am a digital transformation consultant with enterprise experience. I help Italian SMEs adopt AI, CRM and IT architectures with measurable results in 90 days.