Tags: NIS2, Compliance, SME, Cybersecurity

NIS2 Compliance for SMEs: What You Need to Know Now

NIS2 affects thousands of European SMEs. Find out if your business is in scope, what the requirements are, and which practical first steps to take.

Stefan Stoll
2 min read

The NIS2 Directive (EU 2022/2555) had to be transposed into national law by 17 October 2024. Many SME directors still don't know whether their company is in scope, or that management can be held liable if it is. This is not a future concern: the obligations apply from the national transposition date, and supervisory authorities are moving into enforcement, although the pace differs between member states, several of which transposed late.

Are You In Scope?

Medium and large enterprises in the listed sectors are covered directly. For most sectors the size threshold is 50 or more employees, or both annual turnover and balance sheet total above €10 million. Some smaller companies are in scope regardless of size, for example where they are the sole provider of a service essential to critical societal or economic activities, or where they operate in sectors such as DNS, top-level domain registries, trust services or public electronic communications. Professional services firms such as legal, tax and accountancy practices are not listed sectors, but they are increasingly pulled into scope indirectly through the supply-chain obligations of their regulated clients.

The sectors in the NIS2 annexes are broader than most people expect. Energy, transport, banking, healthcare and drinking water were already covered under the first NIS Directive. NIS2 adds, among others, managed service and managed security service providers, business-to-business ICT service management, wastewater, public administration, space, postal and courier services, waste management, chemicals, food production and distribution, manufacturing of certain products (medical devices, electronics, electrical equipment, machinery and vehicles), and digital providers such as online marketplaces and search engines. If you meet the size threshold and operate in one of these areas, assume you are in scope until you have confirmed otherwise.

What NIS2 Requires

  • Risk-management measures (Article 21): a documented risk analysis and information security policies, incident handling, business continuity and backup management, supply chain security, secure development and vulnerability handling, basic cyber hygiene and staff training, a cryptography policy, access control, and multi-factor authentication where appropriate
  • Incident reporting (Article 23): an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month
  • Supply chain security: your vendors are your risk, and you are expected to assess their security practices, both contractually and technically
  • Management accountability (Article 20): management bodies must approve the measures, oversee their implementation, attend training, and can be held liable for the entity's infringements

The 24-hour early-warning window is not theoretical. Without a defined incident response process, clear escalation paths, a working definition of what counts as a significant incident, and pre-identified contacts at the CSIRT or competent authority, the deadline is very difficult to meet.

The Management Liability Angle

Unlike GDPR, whose duties and fines primarily target the organisation, NIS2 explicitly makes management bodies responsible for compliance. Under Article 20, directors must approve and oversee the cybersecurity risk-management measures and can be held liable for the entity's infringements, not only through general company law but under the NIS2 framework as transposed into national law. This is a significant departure from earlier cybersecurity regulation, and many business owners are not yet aware of it.

The practical implication: if a significant incident occurs and your organisation cannot demonstrate that proportionate measures were in place and that management approved and monitored them, personal exposure follows.

What a Technical Audit Provides

Your Microsoft 365 environment is likely your largest attack surface and your most common source of security gaps. A technical audit maps which NIS2-relevant controls are active and which are missing — and produces documentation you can reference if a supervisory authority asks for evidence.

Many gaps can be closed through configuration changes alone. Knowing where they are is the first step.
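Below is an added example, written for this edit and not part of the original post or of the author's audit service: a read-only PowerShell script that checks a handful of Microsoft 365 settings a NIS2 gap analysis typically starts with (tenant-wide MFA, blocking of legacy authentication, and audit logging, which is the evidence base for the Article 23 reporting deadlines) and writes the result as a timestamped CSV you can keep as evidence. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the signed-in account holds a read-only role such as Global Reader; the mapping of each check to an Article 21(2) measure is the editor's reading of the directive, not an official one.

```powershell
# Added example (not from the original post). Read-only NIS2-oriented spot check
# of a Microsoft 365 tenant. Assumes Microsoft.Graph (Identity.SignIns) and
# ExchangeOnlineManagement are installed and the caller has a read-only role such
# as Global Reader. Article references are the editor's mapping, not official.
#Requires -Modules Microsoft.Graph.Identity.SignIns, ExchangeOnlineManagement

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Control, [string]$Nis2Ref, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Timestamp = (Get-Date).ToString('s')
        Control   = $Control
        NIS2      = $Nis2Ref
        Status    = if ($Pass) { 'PASS' } else { 'GAP' }
        Detail    = $Detail
    })
}

# ---- 1. Multi-factor authentication (Art. 21(2)(j)) ---------------------------
Connect-MgGraph -Scopes 'Policy.Read.All'

$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies  = Get-MgIdentityConditionalAccessPolicy

# Only an *enforced* policy that requires MFA for *all* users counts. A policy
# scoped to a pilot group, or left in report-only mode, does not.
$allUserMfa = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}

if ($secDefaults.IsEnabled) {
    Add-Finding 'MFA for all users' 'Art. 21(2)(j)' $true 'Security Defaults enabled'
} elseif ($allUserMfa) {
    Add-Finding 'MFA for all users' 'Art. 21(2)(j)' $true ('Enforced by: ' + ($allUserMfa.DisplayName -join ', '))
} else {
    Add-Finding 'MFA for all users' 'Art. 21(2)(j)' $false 'No Security Defaults and no enforced all-user MFA Conditional Access policy'
}

# Report-only policies are a frequent source of false confidence: surface them.
foreach ($p in ($caPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced')) {
    Add-Finding 'Conditional Access report-only' 'Art. 21(2)(j)' $false "Policy '$($p.DisplayName)' enforces nothing"
}

# Legacy authentication clients cannot perform MFA, so an enforced block policy
# covering Exchange ActiveSync and "other clients" is expected alongside MFA.
$legacyBlock = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other'
}
$legacyDetail = if ($legacyBlock) { 'Blocked by: ' + ($legacyBlock.DisplayName -join ', ') } else { 'No enforced CA policy blocks legacy auth clients' }
Add-Finding 'Legacy authentication blocked' 'Art. 21(2)(j)' ([bool]$legacyBlock) $legacyDetail

Disconnect-MgGraph | Out-Null

# ---- 2. Audit logging: the evidence base for Art. 23 incident reporting --------
Connect-ExchangeOnline -ShowBanner:$false

$auditCfg = Get-AdminAuditLogConfig
Add-Finding 'Unified audit log ingestion' 'Art. 21(2)(b) / Art. 23' ([bool]$auditCfg.UnifiedAuditLogIngestionEnabled) "UnifiedAuditLogIngestionEnabled = $($auditCfg.UnifiedAuditLogIngestionEnabled)"

$orgCfg = Get-OrganizationConfig
Add-Finding 'Mailbox auditing' 'Art. 21(2)(b)' (-not $orgCfg.AuditDisabled) "AuditDisabled = $($orgCfg.AuditDisabled)"

Disconnect-ExchangeOnline -Confirm:$false

# ---- 3. Report: console table plus a timestamped CSV to retain as evidence ------
$findings | Format-Table -AutoSize
$out = "nis2-m365-check-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
$findings | Export-Csv -Path $out -NoTypeInformation
Write-Host "Gaps found: $(($findings | Where-Object Status -eq 'GAP').Count). Evidence written to $out"
```

Run it from PowerShell 7 with the two modules installed; it makes no changes to the tenant. The Conditional Access filters are deliberately strict (all users, enforced state) because the most common audit finding is a policy that exists but is scoped to a test group or parked in report-only mode. Microsoft has largely retired basic authentication in Exchange Online, but an explicit block policy is still the control an auditor will expect to see documented. Treat the CSV as a snapshot to file with your risk assessment, not as proof of compliance on its own.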

Not sure if NIS2 applies to your business? Book a free scoping call — we determine your obligations in one session, at no charge.


About the Author

Stefan Stoll

Cloud Security Consultant specializing in Microsoft 365 security, NIS2 compliance, and Zero Trust architecture for German enterprises.
