NIS2 Compliance for SaaS Vendors: What Your EU Customers Will Demand
Jeff Sowell · 2026-04-10 · Compliance
NIS2 compliance deadlines are hitting now. If you sell SaaS to EU enterprises, your customers are about to push their obligations down to you through procurement. Here's what's coming and how to get ready.
NIS2 in 60 seconds
The EU's NIS2 Directive (Directive (EU) 2022/2555) is the most consequential cybersecurity regulation to hit Europe since GDPR. It replaces the original 2016 NIS Directive (Directive (EU) 2016/1148) and significantly expands both who is in scope and the consequences of non-compliance, including fines of up to €10M or 2% of global turnover for essential entities.
Member states had until 17 October 2024 to transpose NIS2 into national law. Many were late, and the Commission opened infringement proceedings against the laggards, but transposition is now largely complete and the directive is being enforced through national supervisory authorities: ANSSI in France, BSI in Germany, CCB in Belgium, ACN in Italy, and so on.
Why you should care as a SaaS vendor: Even if you're not directly in scope, your EU enterprise customers are. And they will push their NIS2 obligations onto you through procurement, contracts, and security questionnaires. If you can't answer yes to the questions they're about to ask, you'll lose the deal.
Who NIS2 applies to (directly)
NIS2 applies to two tiers of organizations:
"Essential entities" — strictest obligations
Large organizations (250+ employees, or annual turnover above €50M and a balance sheet above €43M) operating in the Annex I "sectors of high criticality" listed below. A few digital-infrastructure entities (qualified trust service providers, TLD name registries and DNS service providers) are essential regardless of size, and member states may designate further entities individually.
- Energy (electricity, oil, gas, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (healthcare providers, EU reference laboratories, pharmaceutical R&D and manufacturing, manufacturers of medical devices deemed critical during a public health emergency)
- Drinking and waste water
- Digital infrastructure (internet exchange points, DNS service providers, TLD name registries, cloud computing services, data center services, content delivery networks, trust service providers, public electronic communications networks/services)
- ICT service management, business-to-business (managed service providers, managed security service providers)
- Public administration
- Space
"Important entities" — same security obligations, lighter supervision
Medium organizations (50-249 employees, or €10M-€50M turnover with a balance sheet of €10M-€43M) in the Annex I sectors above, plus large and medium organizations in the Annex II sectors:
- Postal and courier services
- Waste management
- Manufacture/distribution of chemicals
- Food production, processing, distribution
- Manufacturing (medical devices, electronics, machinery, vehicles, transport equipment)
- Digital providers (online marketplaces, search engines, social networks)
- Research
Note for vCISOs and MSSPs: "Managed security service providers" are explicitly listed in Annex I, so a large MSSP is an essential entity and a medium-sized one is an important entity. If you're an MSSP serving EU clients, you may be directly in scope yourself, regardless of who your customers are.
What NIS2 requires
Article 21(2) lists the minimum cybersecurity risk-management measures every in-scope organization must implement, following an all-hazards approach proportionate to the entity's risk exposure:
1. Risk analysis and information system security policies
2. Incident handling
3. Business continuity (backup, disaster recovery, crisis management)
4. Supply chain security, including the security aspects of the relationship between the entity and its direct suppliers and service providers
5. Security in network and information systems acquisition, development, and maintenance (vulnerability handling and disclosure)
6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
7. Basic cyber hygiene practices and cybersecurity training
8. Policies and procedures on the use of cryptography and, where appropriate, encryption
9. Human resources security, access control pol