NIS2 Readiness for Small and Mid-Sized Organizations
A practical NIS2 readiness roadmap for small and mid-sized organizations — scope, governance, controls, incident reporting and supply chain, without enterprise-scale overhead.
By Alexander Starostin · 26 June 2026
The NIS2 Directive significantly broadens the scope of EU cybersecurity regulation. Organizations that were comfortably outside the original NIS Directive now find themselves classified as essential or important entities — including a large number of small and mid-sized businesses in sectors such as digital infrastructure, managed services, manufacturing, food, postal services and waste management.
For an SME without a dedicated compliance team, NIS2 can look overwhelming. It does not have to be. The directive is risk-based: the controls you implement are expected to be proportionate to the size of your organization and the criticality of your services. This article outlines the readiness roadmap we use with mid-sized clients at Cleverina.
Step 1 — Confirm scope and classification
Before anything else, document whether your organization is in scope as an essential or important entity, and which national transposition applies. The distinction matters: supervisory regimes and fines differ, and incident-reporting thresholds are tighter for essential entities. Keep the analysis in writing — supervisory authorities will ask for it.
Step 2 — Establish governance accountability
NIS2 makes management bodies personally accountable for approving cybersecurity risk-management measures and overseeing their implementation. In practice this means a documented decision by the board or equivalent, recorded training for management on cyber risk, and a clear RACI for who owns each control area. For SMEs this is often the single biggest cultural shift the directive requires.
Step 3 — Implement the ten control areas
Article 21 lists ten minimum measures. Translated for a typical SME running on Microsoft 365 and a few SaaS apps:
- Risk-management policies, reviewed annually and approved by management.
- Incident-handling procedures with defined roles and rehearsed runbooks.
- Business continuity, backup and crisis management — tested, not just documented.
- Supply-chain security including security requirements in supplier contracts.
- Security in network and information systems acquisition, development and maintenance.
- Policies to assess the effectiveness of cybersecurity risk-management measures.
- Basic cyber hygiene and cybersecurity training across the workforce.
- Cryptography and encryption policies aligned to data sensitivity.
- Human-resources security, access control and asset management.
- Multi-factor authentication, secure communications and secure emergency communications.
Most of these map directly to Microsoft 365 capabilities you already license — Conditional Access, Intune, Defender, Purview — but the policies, evidence and training are the work.
Step 4 — Incident reporting readiness
NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. That cadence only works if you have a rehearsed escalation path, an on-call rota that actually answers, and a pre-drafted notification template aligned with your national CSIRT. We strongly recommend a tabletop exercise before you need it for real.
Step 5 — Supply-chain security
Your obligations extend to your direct suppliers. Maintain a register of suppliers whose compromise would materially affect your service, classify them by criticality, and add contractual clauses covering security requirements, incident notification and audit rights. For SMEs this is usually the first time anyone has formally inventoried SaaS vendors — expect the list to be longer than you think.
An anonymized example
A 180-person logistics provider we supported was newly classified as an important entity. They had Microsoft 365 E3, no formal ISMS and a part-time IT manager. Within twelve weeks we ran a scoped readiness assessment, produced a risk register, implemented the missing technical controls (phishing-resistant MFA, Conditional Access, Defender, baseline Purview labels), drafted the management-approved policy set and ran two incident tabletops. The cost was a fraction of the worst-case fines they were exposed to before.
Conclusion
NIS2 readiness for an SME is achievable inside a quarter when the work is sequenced properly: scope, governance, controls, incident readiness, supply chain. Our compliance readiness services follow exactly this sequence, and we frequently pair it with the implementation of a compliance platform such as ControlMap so that the evidence is structured from day one. If you are not sure where you stand, the solutions page is a good starting point, or get in touch via the contact page.