NIS2 readiness for small businesses — a plain-English guide (2026) | Scanthra
May 2026
What is NIS2 and where does it apply?
NIS2 is the EU's Network and Information Security Directive (Directive (EU) 2022/2555). It replaces the original NIS1 from 2016 and significantly broadens scope, raises the baseline of required security measures, and introduces personal liability for management bodies.
Every EU Member State had to transpose NIS2 into national law by 17 October 2024. In practice the national laws have landed in waves through 2024–2026. A few examples of the local names you may encounter:
- Poland — amendment to the Cybersecurity Act (Krajowy System Cyberbezpieczeństwa), in force since 3 April 2026.
- Germany — NIS2-Umsetzungsgesetz (NIS2UmsuCG).
- France — implemented via the Loi de transposition NIS2 overseen by ANSSI.
- Italy — Decreto Legislativo implementing the directive, overseen by ACN.
- Spain, Netherlands, Belgium, Nordics… — each has its own act with the same minimum content.
Outside the EU, similar regimes are emerging — the UK's Cyber Security and Resilience Bill, Switzerland's Information Security Act, and several non-EU countries are aligning vendor-questionnaire language with NIS2 even where it doesn't legally apply. If you sell into the EU from anywhere in the world, your customers will eventually ask you about Article 21 measures.
Am I in scope?
Directly: only if you are an essential or important entity. That mostly means medium and large companies (≥50 employees or ≥10M EUR turnover) in sectors like energy, transport, banking, healthcare, digital infrastructure, public administration, postal services, waste, manufacturing of critical products, food, chemicals, research and digital providers (cloud, marketplaces, search engines).
Indirectly: every supplier or subcontractor of an in-scope entity. NIS2 Article 21(2)(d) requires in-scope entities to address supply chain security. In practice that means your enterprise customers will send you a security questionnaire and a contract addendum asking you to demonstrate the same controls — patching, headers, MFA, incident response — even if your own company has 5 employees and is based outside the EU.
The 7 website-relevant Article 21 measures
Of the 10 minimum measures in NIS2 Article 21(2), seven map to things you can observe and improve on a website:
- Cryptography & encryption — modern TLS, HSTS, no SSLv3/TLS 1.0/1.1.
- Vulnerability handling and disclosure — keep CMS and components on supported, patched versions; publish a security contact or security.txt.
- Access control — admin URLs not publicly indexed, no exposed .git/.env/backup files.
- Secure communications — HTTPS only, secure cookies, sane CSP and Permissions-Policy.
- Data protection — debug pages off, no stack traces leaked, no internal IPs in headers.
- Supply chain security — known dependencies and versions, no exposed customer data via subdomains.
- Email authentication — SPF, DKIM, DMARC so incidents don't spread through spoofed mail.
The cheap NIS2 starter pack (under 4 hours of work)
These five actions cover most of the "we expected better" findings in a typical small-business NIS2 vendor questionnaire — regardless of country:
- Turn on auto-updates for your CMS, themes and plugins.
- Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy headers. See our CSP guide.
- Configure SPF, DKIM and DMARC on your domain. See our email auth guide.
- Remove or block .env, .git/, /backup.sql, /wp-config.php.bak and other "accidentally exposed" files.
- Publish /.well-known/security.txt with an email contact and your vulnerability-disclosure policy.
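As an added example (not Scanthra's code or its report logic), here is a small passive check that scores the starter-pack items above against six of the seven website-relevant Article 21 categories listed earlier; supply chain security needs a dependency inventory and is left out. All inputs (response headers, HTTP status per probed path, accepted TLS versions, DNS TXT records) are constructed sample data, and the ok/attention/gap thresholds are this example's own assumptions.

```python
# Added example (not Scanthra's code): a passive readiness check mapping observed
# site facts to six website-relevant NIS2 Article 21 categories from the article.
import re
EXPOSED_PATHS = ("/.env", "/.git/", "/backup.sql", "/wp-config.php.bak")
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WANTED_HEADERS = ("Content-Security-Policy", "Permissions-Policy", "X-Frame-Options",
                  "X-Content-Type-Options", "Referrer-Policy")
PRIVATE_IP = re.compile(r"\b(10\.\d+|172\.(1[6-9]|2\d|3[01])|192\.168)\.\d+\.\d+\b")

def assess(domain, headers, paths, tls_versions, dns_txt):
    """Return 'ok' / 'attention' / 'gap' per category from home-page response headers,
    HTTP status per probed path, accepted TLS versions and TXT records keyed by DNS name."""
    h = {k.lower(): v for k, v in headers.items()}
    s = {}
    # Cryptography & encryption: legacy protocols are a gap, missing HSTS needs attention.
    s["cryptography"] = ("gap" if LEGACY_TLS & set(tls_versions)
                         else "ok" if "strict-transport-security" in h else "attention")
    # Vulnerability handling and disclosure: security.txt must be served.
    s["vulnerability_handling"] = "ok" if paths.get("/.well-known/security.txt") == 200 else "attention"
    # Access control: any "accidentally exposed" file answering 200 is a gap.
    s["access_control"] = "gap" if any(paths.get(p) == 200 for p in EXPOSED_PATHS) else "ok"
    # Secure communications: the starter-pack header set; more than two missing is a gap.
    missing = [n for n in WANTED_HEADERS if n.lower() not in h]
    s["secure_communications"] = "ok" if not missing else ("gap" if len(missing) > 2 else "attention")
    # Data protection: an internal (RFC 1918) IP leaking through any header value.
    s["data_protection"] = "attention" if any(PRIVATE_IP.search(v) for v in h.values()) else "ok"
    # Email authentication: SPF on the apex plus a DMARC policy that actually enforces.
    spf = any(r.startswith("v=spf1") for r in dns_txt.get(domain, []))
    dmarc = next((r for r in dns_txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")), "")
    enforcing = re.search(r"\bp=(quarantine|reject)\b", dmarc) is not None
    s["email_authentication"] = "ok" if spf and enforcing else ("attention" if spf or dmarc else "gap")
    return s

def sample_site():
    """Constructed input: most of the starter pack done, but a backup file is still
    reachable, a header leaks a backend IP and DMARC is still at p=none."""
    return dict(
        domain="example.com",
        headers={"Strict-Transport-Security": "max-age=63072000", "X-Frame-Options": "DENY",
                 "Content-Security-Policy": "default-src 'self'", "Permissions-Policy": "camera=()",
                 "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer",
                 "X-Backend": "10.0.3.7"},
        paths={"/.well-known/security.txt": 200, "/.env": 404, "/.git/": 403,
               "/backup.sql": 200, "/wp-config.php.bak": 404},
        tls_versions=["TLSv1.2", "TLSv1.3"],
        dns_txt={"example.com": ["v=spf1 include:_spf.example.net -all"],
                 "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]})

if __name__ == "__main__":
    print(assess(**sample_site()))
```

On the constructed sample the result flags access control as a gap (the reachable backup.sql), data protection and email authentication as attention, and the other three categories as ok.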
A 24/72-hour incident response plan that fits on one page
Even outside scope, having this document ready turns into a competitive advantage when an enterprise customer asks for it. The 24/72-hour windows below come straight from NIS2 Article 23:
- Hour 0: Identify the incident. Take a snapshot.
- Hour 1–4: Contain — rotate credentials, isolate the affected service.
- Hour 4–24: Notify (internal owners, hosting provider, Data Protection Authority if personal data is affected, customers if their data is affected). NIS2 calls this the "early warning".
- Hour 24–72: File a formal report with your national CSIRT if you're in scope.
- Day 7+: Root-cause analysis, post-mortem, update runbook. NIS2 requires a final report no later than one month after notification.
Every Member State runs its own reporting portal — CSIRT NASK in Poland, BSI in Germany, ANSSI/CERT-FR in France, CSIRT Italia, NCSC-NL in the Netherlands, etc. ENISA maintains a central directory. Even if you're not in scope, having the URL and your account details ready saves panic-Googling on the worst day of your year.
What NIS2 explicitly is not about
A few common myths:
- It is not a one-off certification. There is no "NIS2 stamp" — you demonstrate continuous practice.
- It does not replace GDPR. The two coexist; personal-data incidents can trigger both regimes.
- It does not require buying specific software. Article 21 is technology-neutral.
- It is not "EU-only" in effect. Non-EU vendors selling into the EU routinely receive NIS2-shaped questionnaires from their EU customers.
How Scanthra helps
Every Scanthra PDF report now includes a NIS2 readiness section that maps your scan findings to the seven website-relevant Article 21 categories above, with a per-category status (OK, attention, gap) and an overall score. The mapping is to the EU directive itself, so it's useful regardless of which Member State's transposition you fall under — and regardless of whether you're in the EU at all. It's not a legal opinion or a substitute for an audit, but it's a useful technical input you can attach to a vendor questionnaire response or share with your security consultant.
This article is for general information and does not constitute legal advice. For binding interpretation of NIS2 in your jurisdiction, consult a qualified lawyer or your national cybersecurity authority.