Regulatory Compliance · NIS2

NIS2 Obligations for Business: What You Must Do on Time

NIS2 now affects not only large organisations but also their suppliers, partners and any business that needs to demonstrate cyber maturity.

April 2026 · 8 min read · IT Doctors

NIS2 is not a checkbox document. It is a framework that requires real measures, real accountability and the ability to demonstrate how you manage risk.

What NIS2 Is in Brief

NIS2 is a European cybersecurity framework with an expanded scope and stricter requirements. It affects more sectors, more suppliers and more management decisions than its predecessor.

  • Broader scope — more sectors and organisations are covered.
  • Stricter measures — specific technical and organisational controls are required.
  • Personal liability — management cannot delegate the topic entirely to the IT department.

Who Is Most Often Affected

Frequently in scope

Energy, transport, banking, healthcare, digital infrastructure, MSPs, public administration and other critical sectors.

Frequently outside direct scope

Micro-enterprises and some small businesses — though indirect requirements may apply when they operate in the supply chain of obligated clients.

The Supply Chain Effect Is Real

Even when your company is not directly in scope, your clients may request evidence of backup, MFA, incident procedures and staff training before continuing to work with you.

What Penalties You Need to Keep in Mind

Essential entities

Up to €10 million or 2% of global turnover, whichever is higher.

Important entities

Up to €7 million or 1.4% of global turnover, whichever is higher.

What Is Required in Practice

1. Security policies
   Clear rules for access, passwords, devices, remote work and system management.

2. Incident management
   Who responds, who is notified and how every significant attack is documented.

3. Backup and continuity
   A working recovery strategy with real testing — not just a paper archive.

4. Supply chain security
   Vetting of external IT partners, subcontractors and their access levels.

5. Training and cyber hygiene
   Regular staff training with documented evidence of sessions completed.

Practical Plan in 4 Steps

Step              | Action                                                                       | Timeline
1. Scope check    | Determine whether you fall within scope and what your role is.               | Immediately
2. Gap analysis   | Compare your current controls against the actual requirements.               | 1–2 weeks
3. Priorities     | Cover backup, MFA, policies, training and incident response first.           | 1–3 months
4. Documentation  | Organise your evidence so you are ready for an inspection at any time.       | Ongoing

The Good News

NIS2 requires measures proportionate to the risk. This means a practical, well-documented approach is more valuable than heavy, unused policy documents.

Frequently Asked Questions

Which companies fall under NIS2 scope?

Most often these are organisations in critical sectors and some of their suppliers. For certain smaller businesses, the topic arrives indirectly through the supply chain of obligated clients and partners.

Where should a business start with NIS2?

The most sensible starting point is a scope check, a gap analysis and covering the most important measures: backup, MFA, security policies, staff training and an incident response process.

Not Sure Whether You Are in Scope?

IT Doctors conducts a preliminary review of your scope, gaps and first steps toward genuine compliance.