NIS2: are you concerned if you are a SME/SMBs?

IPSIP – 2025

NIS2: What are the obligations for small and medium sized businesses?

The NIS2 directive (Network and Information Security) is a European regulation designed to strengthen cybersecurity across the EU. Since October 2024, all EU member states have been required to transpose this directive into national law. Once implemented through legislation and decrees, NIS2 will become fully enforceable. This directive targets both public and private organizations operating in sectors deemed essential or sensitive.

NIS2 replaces the original NIS directive adopted in 2016. It expands the scope of affected entities, introduces stricter security requirements, and increases regulatory oversight and penalties.

What is NIS2?

Background and evolution

In recent years, the European Union has faced a growing number of cyberattacks targeting critical infrastructure, businesses, and citizens.

The purpose of NIS2 is to strengthen business resilience in the face of evolving cyber threats. It sets out a series of obligations for entities operating in sectors considered critical to the functioning of our societies.

Key Objectives of the Directive:

Improve cybersecurity for essential entities
Harmonize security standards across all EU countries
Enhance incident management and limit the impact of cyberattacks
Increase reporting and notification requirements
Introduce stronger and more dissuasive sanctions

SMEs/SMBs affected by NIS2?

According to the directive, your company falls under the scope of NIS2 if it meets either of the following criteria:

More than 50 employees
Annual turnover or balance sheet total exceeding €10 million

However, eligibility is not based solely on company size. Your sector of activity and the criticality of the services you provide are equally important. While the original NIS directive focused mainly on large enterprises and critical infrastructure operators, NIS2 broadens its scope to include medium-sized businesses and, in some cases, even small businesses.

Important Exception: Some micro or small enterprises (fewer than 50 employees and under €10 million in annual turnover) may still be affected — if they operate in a critical sector (e.g., healthcare, water supply, energy, digital infrastructure, or managed IT services).

Test your eligibility directly on the official French government website: https://monespacenis2.cyber.gouv.fr/simulateur

What does it mean for you as an SME owner or executive?

Your exposure to risk is no different from large organizations. A cyberattack could result in severe financial loss, legal liability or irreversible damage to your operations and reputation.
Compliance with NIS2 is not optional. Failing to meet the directive’s requirements could lead to financial penalties or regulatory action.
Becoming compliant NIS2 also builds trust. Businesses that meet NIS2 standards are seen as more secure and reliable by clients, partners, and stakeholders.

What are the business implications?

Which sector are affected?

The NIS2 directive identifies 18 sensitive sectors, grouped into two main categories: “essential” sectors and “important” sectors.

Essential Sectors

Energy (electricity, gas, oil)
Transport (air, rail, road, maritime)
Healthcare (hospitals, clinics, labs)
Drinking water and wastewater management
Infrastructures numériques
Public administration
Aerospace and aeronautics

Important sectors

Postal and courier services
Waste management
Production and distribution of chemical substances
Food production and distribution
Manufacturing of specific products (e.g, medical devices, computers, electronics)
Research and development
Digital service providers (online platforms, cloud service providers, data centers, etc.)

Example of application: A small business with 35 employees offering cloud hosting services is considered an important entity and must comply with the NIS 2 directive, even if it does not meet the usual size thresholds.

What are the obligations for affected businesses?

Organizations targeted by the directive must undertake a comprehensive approach to securing their information systems. This involves assessing risks, implementing technical measures (such as network protection, regular backups, or strong authentication), and establishing organizational processes (such as an incident reporting plan within 24 to 72 hours). A dedicated cybersecurity officer must also be appointed.

It’s also essential to raise staff awareness: cybersecurity isn’t just about technology — it also depends on human behavior. Regular, tailored training for your teams can make a real difference in the event of an attack.

What are the penalties for non-compliance with NIS2?

Failing to comply with the NIS2 directive can lead to severe penalties. If cybersecurity requirements are not met, companies may face fines of up to €10 million or 2% of their global annual turnover — whichever is higher. These penalties are intended to encourage businesses to take cybersecurity seriously, as the consequences of a cyberattack can be far more damaging — both financially and reputationally.

Want to better understand cybersecurity? Let’s talk!

NIS2: Turning a compliance requirement into a competitive advantage

Every new regulation may feel like yet another constraint. However, the NIS2 directive shouldn't be seen as a burden — it can actually become a real driver of growth and differentiation. Implementing a cybersecurity strategy, even a basic one, is above all a way to protect yourself from very real threats. It also reassures your clients, partners, and service providers. In many cases, demonstrating compliance can become a selection criterion in calls for tender or during sensitive commercial negotiations. By adopting a proactive approach, business leaders send a strong signal: that of a modern, responsible company capable of securing data, ensuring service continuity, and meeting the market’s evolving expectations. Cybersecurity then becomes a competitive advantage and a pillar of trust for the future.

Best Practices to Get Ready!

If you’re a small or medium-sized business owner, your first step is to assess whether your organization is affected. As mentioned earlier, the French government provides an online test to quickly check your eligibility.

Adopt a pragmatic approach Start by assessing your current level of cybersecurity maturity. Identify the critical areas, implement simple measures (such as automatic backups, regular updates, or strong passwords), and draft an action plan. Finally, involve your team: even a small staff should understand the stakes and know how to respond in the event of an incident.

SMEs: How to comply without breaking the bank

You may think cybersecurity is only for large corporations with big budgets. That’s not true. Today, there are solutions designed specifically for smaller businesses — simple, affordable, and effective such as FlexSecure360..

Need support with your compliance?

We understand that you may lack the time or resources to assess and ensure your compliance. That’s why we offer a solution adapted to your company size and capabilities. We guide you from the audit stage to implementation, so you can become compliant without disrupting your business.

FlexSecure360 is a cybersecurity solution built for small and medium-sized businesses. It helps you strengthen your information systems, implement simple and effective security measures, and ensure compliance with the NIS2 directive — all without technical complexity.

Why take action now?

Companies must take the NIS2 directive seriously. Preparing now is essential to avoid penalties and protect against cyberattacks. With our FlexSecure360 cybersecurity solution, meeting the directive’s requirements is easier than ever.