DEV Community

DevToolsmith

NIS2 Directive 2025: What Software Companies Need to Do Now

NIS2 (Network and Information Security Directive 2) came into EU law in October 2024. Unlike GDPR, which targets data protection, NIS2 targets operational resilience and cybersecurity. It expands coverage to over 160,000 entities across 18 sectors — and software companies are directly in scope.

Who Is Covered?

NIS2 applies to "essential" and "important" entities across sectors including:

  • Digital infrastructure (cloud providers, DNS, CDNs, datacenters)
  • Digital services (online marketplaces, search engines, social networks)
  • ICT service management (managed service providers, SaaS)
  • Public administration

If your SaaS has 50+ employees or €10M+ annual turnover, you're likely an "important entity." Violations carry fines up to €7M or 1.4% of global turnover.

The 10 Core Technical Requirements

NIS2 Article 21 mandates ten specific security measures. Here's what they mean technically:

1. Risk Analysis and Information Security Policy

You need a documented risk register. Not in someone's head — an actual document with identified threats, likelihood ratings, and mitigation plans.

2. Incident Handling

Incident response plan required. Plus: significant incidents must be reported to your national authority within 24 hours (initial) and 72 hours (detailed). Define "significant" internally before you need it.

3. Business Continuity

RPO and RTO targets for every critical system. Documented backup procedures. Tested DR runbooks. "We have backups" doesn't count.

4. Supply Chain Security

Third-party vendor risk assessments. Contracts must include security requirements. This includes SaaS dependencies, not just infrastructure.

5. Vulnerability Disclosure

Provide a way for researchers to report vulnerabilities, backed by a published Coordinated Vulnerability Disclosure (CVD) policy. Consider publishing a security.txt file (RFC 9116):

# public/.well-known/security.txt
Contact: mailto:security@yourcompany.com
# Expires is mandatory under RFC 9116; placeholder date, keep it under a year out and renew it
Expires: 2026-12-31T23:59:00.000Z
Encryption: https://yourcompany.com/pgp-key.asc
Preferred-Languages: en
Policy: https://yourcompany.com/security/disclosure-policy
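A security.txt that auditors and researchers cannot rely on is worse than none, so it is worth checking the file the way a scanner would. The validator below is an added example written for this post, not code from the original article; it encodes the RFC 9116 rules that matter most (Contact mandatory and a URI, Expires mandatory, exactly once and in the future, Preferred-Languages at most once, https for every URL field) and runs against two constructed files: the post's own entry plus an Expires line, and a deliberately broken one. It assumes an unsigned file; a PGP-cleartext-signed file would need the signature wrapper stripped first.

```python
"""Validate a security.txt file against the RFC 9116 rules an audit checks.

Added example for this post (not the post's own code). Assumes an unsigned
file; PGP-cleartext-signed files need the signature wrapper stripped first.
"""
from datetime import datetime, timezone

# Constructed sample: the post's file plus the mandatory Expires field.
SAMPLE_SECURITY_TXT = """\
# public/.well-known/security.txt
Contact: mailto:security@yourcompany.com
Expires: 2026-12-31T23:59:00.000Z
Encryption: https://yourcompany.com/pgp-key.asc
Preferred-Languages: en
Policy: https://yourcompany.com/security/disclosure-policy
"""

# Constructed broken sample: free-text Contact, no Expires, plain-http Policy,
# Preferred-Languages given twice.
BROKEN_SECURITY_TXT = """\
Contact: security team, room 4
Policy: http://yourcompany.com/security/disclosure-policy
Preferred-Languages: en
Preferred-Languages: de
"""

# Fixed "now" so the checks are reproducible regardless of when this runs.
FIXED_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)

URL_FIELDS = ("encryption", "policy", "canonical", "acknowledgments", "hiring")


def parse_security_txt(text, problems):
    """Map lower-cased field names to the list of their values.

    Comment (#) and blank lines are skipped; any other line that is not
    'Field: value' is recorded as a problem instead of raising.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'Field: value' line: {raw!r}")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text, problems)

    # Contact: mandatory, and each value must be a mailto:, tel: or https: URI.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing mandatory Contact field")
    for contact in contacts:
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {contact!r}")

    # Expires: mandatory, exactly once, ISO 8601 with a timezone, still in the
    # future, and (recommended) less than a year out so the file gets maintained.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once (it is mandatory)")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]!r}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append(f"security.txt expired at {expires[0]}")
            elif (exp - now).days > 365:
                problems.append("Expires is more than a year out; RFC 9116 recommends under a year")

    # Preferred-Languages: at most once.
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")

    # URL-valued fields must be https, or the policy/key can be swapped in transit.
    for name in URL_FIELDS:
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                problems.append(f"{name.title()} uses plain http: {value}")
    return problems


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        found = validate_security_txt(doc, now=FIXED_NOW)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```

Run it as a step in CI against the file you actually serve from `/.well-known/security.txt`; the Expires check in particular is what turns a one-off compliance artefact into something that is kept current.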

6. Multi-Factor Authentication

MFA is now mandatory for access to sensitive systems — not optional, not "encouraged."

7. Encryption

Data in transit: TLS 1.2+ minimum (1.3 recommended). Data at rest: AES-256. Keys managed separately from data.

8. Access Control

Principle of least privilege. Role-based access. Quarterly access reviews. Offboarding checklists.
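Items 6 and 8 together describe a review you can actually automate: take the role export from your IdP or SaaS admin consoles, join it against the HR roster, and produce findings instead of a spreadsheet someone eyeballs once a quarter. The script below is an added example for this post, not code from the article; the roster, role baseline, privileged-role set and account export are all constructed, and the 90-day staleness threshold is an assumed policy value. It flags access that survived offboarding, accounts with no HR record, privileged roles without MFA, roles outside the job function's least-privilege baseline, and logins that have gone stale.

```python
"""Quarterly access review: turn an account/role export into findings.

Added example for this post (not the post's own code). All data below is
constructed; a real review would pull ACCOUNTS from IdP/SaaS admin APIs and
ROSTER from HR. The 90-day staleness threshold is an assumed policy value.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: who still works here and in what function.
ROSTER = {
    "alice": {"status": "active", "job": "engineer"},
    "bob": {"status": "departed", "job": "engineer"},
    "carol": {"status": "active", "job": "support"},
    "dave": {"status": "active", "job": "engineer"},
}

# Assumed least-privilege baseline: roles each job function legitimately needs.
ROLE_BASELINE = {
    "engineer": {"repo-write", "staging-deploy", "prod-admin"},
    "support": {"ticket-read", "customer-readonly"},
}

# Roles that reach "sensitive systems" and therefore require MFA (item 6).
PRIVILEGED_ROLES = {"prod-admin", "staging-deploy"}

# Constructed export: one row per user/role assignment.
ACCOUNTS = [
    {"user": "alice", "role": "repo-write", "mfa": True, "last_login": date(2025, 3, 20)},
    {"user": "alice", "role": "prod-admin", "mfa": True, "last_login": date(2025, 3, 28)},
    {"user": "bob", "role": "repo-write", "mfa": True, "last_login": date(2025, 1, 10)},
    {"user": "carol", "role": "customer-readonly", "mfa": False, "last_login": date(2024, 11, 15)},
    {"user": "carol", "role": "prod-admin", "mfa": True, "last_login": date(2025, 3, 30)},
    {"user": "dave", "role": "prod-admin", "mfa": False, "last_login": date(2025, 3, 31)},
    {"user": "erin", "role": "ticket-read", "mfa": True, "last_login": date(2025, 3, 25)},
]

REVIEW_DATE = date(2025, 4, 1)  # constructed review date


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    kind: str
    detail: str


def review_access(accounts, roster, baseline, privileged, today, stale_days=90):
    """Return one Finding per control violation found in the export."""
    findings = []
    for acct in accounts:
        user, role = acct["user"], acct["role"]
        person = roster.get(user)
        if person is None:
            findings.append(Finding(user, role, "ORPHAN", "no HR record; unknown user or unowned service account"))
            continue
        if person["status"] != "active":
            findings.append(Finding(user, role, "OFFBOARDING_GAP", "access survived departure; offboarding checklist failed"))
            continue  # revoke first; grading the rest of this row is pointless
        if role in privileged and not acct["mfa"]:
            findings.append(Finding(user, role, "NO_MFA_ON_PRIVILEGED", "MFA is mandatory for sensitive systems"))
        if role not in baseline.get(person["job"], set()):
            findings.append(Finding(user, role, "EXCESS_PRIVILEGE", f"role is not in the baseline for job '{person['job']}'"))
        if (today - acct["last_login"]).days > stale_days:
            findings.append(Finding(user, role, "STALE", f"no login for more than {stale_days} days; revoke or justify"))
    return findings


def summarize(findings):
    """Counts per finding kind: the headline numbers for the review record."""
    return dict(Counter(f.kind for f in findings))


def run_review():
    """Run the review over the constructed data set."""
    return review_access(ACCOUNTS, ROSTER, ROLE_BASELINE, PRIVILEGED_ROLES, today=REVIEW_DATE)


if __name__ == "__main__":
    results = run_review()
    for finding in results:
        print(f"{finding.kind:22} {finding.user:6} {finding.role:18} {finding.detail}")
    print(summarize(results))
```

Keep the findings list and the sign-off from each system owner: that dated record is the "quarterly access review" evidence an auditor asks for, and the OFFBOARDING_GAP count is a direct measure of whether the offboarding checklist is working.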

9. Staff Awareness Training

Annual security training. Phishing simulations. Documented completion records.

10. Asset Management

Complete inventory of hardware and software assets. You can't protect what you don't know you have.

Where to Start

Most companies are failing on items 1, 3, and 4 above. Start with a gap assessment — map your current controls against the 10 requirements. Tools like CompliPilot can automate an initial NIS2 audit to show you exactly where you stand before bringing in a consultant.

NIS2 enforcement is active. Don't wait for an incident to find out you weren't compliant.
