
NIS2 Compliance for SMEs: Obligations, Penalties, and Complete Checklist

Complete NIS2 guide for small and mid-sized businesses. Who's affected, what the obligations are, what the penalties look like, and how to get compliant step by step.

Thomas Ferreira - 29 min read

In October 2024, the NIS2 directive came into force across the European Union. For French SMEs, this deadline marks a turning point: thousands of companies that were not covered by the original NIS1 directive now face strict cybersecurity obligations. And the penalties are steep: up to EUR 10 million or 2% of global annual turnover for the most serious breaches.

Yet according to a CESIN study published in 2025, fewer than 30% of affected French SMEs have started their NIS2 compliance journey. The reason? The text is dense, technical, and resources tailored to small and mid-sized businesses are scarce. Most available guides target large corporations with dedicated cybersecurity teams.

This guide was designed specifically for SME executives and IT managers. Here's everything you need to understand NIS2 and take concrete action:

  • Who is actually affected: with a simple decision tree to determine if your company is in scope
  • The 10 concrete obligations from Article 21, explained in plain language
  • The penalties and the new personal liability for executives
  • The compliance timeline and critical deadlines
  • A 20-point checklist organized by priority, to structure your action plan

This guide draws on the official text of Directive (EU) 2022/2555 of 14 December 2022, recommendations from ANSSI (France's national cybersecurity agency, cyber.gouv.fr), ENISA publications, and feedback from early compliance efforts in France.

What is the NIS2 directive?

The NIS2 directive, officially Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, is the European regulatory framework for the cybersecurity of network and information systems. It replaces the first NIS directive adopted in 2016, significantly expanding its scope and strengthening requirements.

Why NIS2 replaces NIS1

The 2016 NIS1 directive laid the first foundations for a coordinated approach to cybersecurity in Europe. But it had significant limitations:

  • Too narrow a scope: only "operators of essential services" (OES) and digital service providers were covered - roughly 15,000 entities across the entire EU
  • Inconsistent transposition: each member state interpreted the directive differently, creating major disparities
  • Insufficient penalties: fines were not harmonized and often too low to be dissuasive
  • Limited responsiveness: incident notification mechanisms were slow and fragmented

NIS2 corrects these weaknesses. The number of entities in scope grows from 15,000 to approximately 160,000 across the EU, including tens of thousands in France. According to ANSSI, between 10,000 and 15,000 French companies are directly within the new directive's scope.

The French context

In France, the transposition of NIS2 into national law was adopted in 2025. ANSSI (Agence nationale de la sécurité des systèmes d'information - France's national cybersecurity agency) is designated as the competent authority, responsible for supervision, audits, and penalties. ANSSI has published guidance documents and set up a registration portal for affected entities.

French legislators chose a faithful transposition of the European text, without significantly easing obligations. French SMEs are therefore subject to the same requirements as their European counterparts - a point that some industry groups contested during consultations.

Who is affected by NIS2 in France?

This is the fundamental question. Unlike NIS1, the NIS2 directive uses objective criteria of size and sector to determine who falls within scope. There is no longer case-by-case designation by authorities.

Size criteria

NIS2 applies to two categories of entities, determined by their size:

Category | Employees | Annual turnover | Annual balance sheet
Medium entities | 50 to 249 employees | EUR 10M to 50M | EUR 10M to 43M
Large entities | 250+ employees | > EUR 50M | > EUR 43M

Important: exceeding just one of these thresholds is enough to be in scope. A company with 45 employees but EUR 12 million in turnover is affected.

Essential sectors (Annex I of the directive)

The so-called "highly critical" sectors are subject to the strictest requirements:

Sector | Example activities
Energy | Electricity, oil, gas, hydrogen, district heating
Transport | Aviation, rail, maritime, road
Banking | Credit institutions
Financial market infrastructure | Trading platforms, central counterparties
Healthcare | Hospitals, laboratories, medical device manufacturers
Drinking water | Supply and distribution
Wastewater | Collection, treatment, discharge
Digital infrastructure | DNS, registries, cloud, data centers, CDN, ISPs
ICT service management | Managed service providers (MSP/MSSP)
Public administration | Central government entities
Space | Operators of ground-based infrastructure

Important sectors (Annex II of the directive)

The so-called "critical" sectors face similar obligations but with lower penalties:

Sector | Example activities
Postal and courier services | Mail, parcels, logistics
Waste management | Collection, treatment, recycling
Chemical manufacturing, production and distribution | Industrial chemistry, agrochemicals
Food production and distribution | Agri-food, retail
Manufacturing | Medical devices, electronics, machinery, automotive, transport equipment
Digital service providers | Marketplaces, search engines, social networks
Research | Research organizations

Special cases: covered regardless of size

Certain entities fall within NIS2 scope regardless of their size:

  • DNS service providers
  • Top-level domain (TLD) name registries
  • Qualified trust service providers
  • Providers of public electronic communications networks
  • Entities identified as critical under the CER directive

Is my company affected? A simplified decision tree

To determine whether your SME falls within NIS2 scope, ask yourself these three questions:

  1. Does your company operate in one of the sectors listed above? If not, you are probably not directly affected (but see question 3).
  2. Does your company exceed at least one of the size thresholds (50 employees, EUR 10M turnover, or EUR 10M balance sheet)? If yes, you are in scope.
  3. Are you a subcontractor or supplier to an affected entity? Even if you are not directly in scope, your NIS2-regulated clients will demand cybersecurity guarantees under the supply chain security obligation (Article 21.2.d). This is the cascade effect of NIS2.

If in doubt, consult the MonEspaceNIS2 portal set up by ANSSI for self-assessment.

The 10 NIS2 obligations for companies

Article 21 of the NIS2 directive defines 10 categories of measures that affected entities must implement. These measures must be proportionate to the company's size, risk exposure, and the potential severity of incidents.

Here are these 10 obligations, explained in practical terms for an SME.

1. Risk analysis and security policy (Article 21.2.a)

What the text says: entities must adopt policies on risk analysis and information system security.

In practice for your SME: you must map your digital assets (servers, workstations, SaaS applications, sensitive data), assess the risks to each, and document a formal security policy. This document must be approved by management and reviewed at least once a year.

2. Incident management (Article 21.2.b)

What the text says: entities must implement security incident management procedures.

In practice: you need a documented process for detecting, analyzing, containing, and remediating security incidents. NIS2 imposes strict notification deadlines:

  • Initial alert: within 24 hours of becoming aware of a significant incident
  • Full notification: within 72 hours, with an initial assessment of the incident
  • Final report: within one month of the notification, with detailed analysis and measures taken

3. Business continuity (Article 21.2.c)

What the text says: entities must ensure the continuity of their activities, including backup management, disaster recovery, and crisis management.

In practice: document a business continuity plan (BCP) and a disaster recovery plan (DRP). Regularly test your backups - an untested backup is not a backup. In case of a ransomware attack, you must be able to restore your critical systems within a defined timeframe.

4. Supply chain security (Article 21.2.d)

What the text says: entities must manage risks related to their suppliers and service providers.

In practice: inventory your critical suppliers (hosting provider, software vendor, maintenance contractor). Assess their cybersecurity level. Integrate security clauses into your contracts. This is one of the most impactful obligations for SMEs because it creates a cascade effect: even companies outside the NIS2 scope will need to demonstrate their cyber maturity to their regulated clients.

5. Security of network and information system acquisition, development, and maintenance (Article 21.2.e)

What the text says: entities must integrate security throughout the lifecycle of their information systems.

In practice: if you develop software, integrate security from the design phase (security by design). If you purchase solutions, assess their security before deployment. Apply security patches within reasonable timeframes - unpatched vulnerabilities are the second leading cause of intrusion after phishing.

6. Assessment of cybersecurity risk management effectiveness (Article 21.2.f)

What the text says: entities must regularly assess the effectiveness of their cybersecurity measures.

In practice: implementing protections is not enough - you must prove they work. This is precisely where phishing simulation becomes a compliance tool: by regularly testing your employees' resilience against malicious emails, you produce documented, auditable metrics.

Quarterly simulation campaigns with detailed reports directly satisfy this obligation. Click rates, reporting rates, and their trends over time constitute tangible evidence of your measures' effectiveness.

7. Cyber hygiene practices and training (Article 21.2.g)

What the text says: entities must implement basic cyber hygiene practices and cybersecurity training.

In practice: NIS2 makes employee training mandatory, not optional. Every staff member must be trained in best practices: recognizing a phishing email, using strong passwords, reporting a suspicious incident. This training must be ongoing (not a once-a-year slide deck) and tailored to each employee's risk profile.

This is the obligation most directly linked to anti-phishing. According to the Verizon DBIR 2025, 91% of cyberattacks start with a phishing email. Training your teams is now a legal obligation. For a detailed guide on setting up an effective training program, see our article on employee cybersecurity training.

8. Cryptography and encryption policies (Article 21.2.h)

What the text says: entities must define policies on the use of cryptography, including encryption.

In practice: encrypt sensitive data at rest and in transit. Use HTTPS everywhere, encrypt laptop hard drives, and implement email encryption for confidential data. Document your key management policy.

9. Human resources security, access control, and asset management (Article 21.2.i)

What the text says: entities must secure human resources processes and manage access appropriately.

In practice: apply the principle of least privilege - each employee should only have access to the resources required for their role. Implement onboarding and offboarding procedures to grant and revoke access. Regularly review access rights, particularly for privileged accounts.

An AI-powered verification assistant, to which employees forward suspicious emails, contributes to this obligation by helping your teams identify compromise attempts.

10. Multi-factor authentication and secure communications (Article 21.2.j)

What the text says: entities must use multi-factor authentication (MFA) or continuous authentication, and secure communications.

In practice: deploy MFA on all critical accounts - business email, VPN access, line-of-business applications, cloud admin consoles. Prefer phishing-resistant MFA solutions (FIDO2, WebAuthn) over SMS, which is vulnerable to SIM swapping.

Penalties and executive liability

NIS2 marks a significant toughening of penalties compared to NIS1. European legislators wanted to send a clear message: cybersecurity is no longer optional.

Financial penalties

Maximum fine amounts vary by entity category:

Category | Maximum fine | Alternative
Essential entity | EUR 10,000,000 | 2% of global annual turnover (whichever is higher)
Important entity | EUR 7,000,000 | 1.4% of global annual turnover (whichever is higher)

For an SME with EUR 20 million in turnover, the maximum fine could reach EUR 400,000 as an important entity, or EUR 10 million as an essential entity. These amounts are theoretical maximums, but they reflect the legislature's intent to make penalties genuinely dissuasive.

Personal liability of executives

This is one of NIS2's major innovations and probably the most concerning provision for SME leaders. Article 20 of the directive stipulates that:

  • The management bodies of affected entities must approve cybersecurity risk management measures
  • They must supervise the implementation of these measures
  • They can be held personally liable in case of non-compliance
  • They must themselves undergo cybersecurity training to be able to assess risks

For serious violations, NIS2 provides for the possibility of temporary suspension from management duties. This is unprecedented in cybersecurity and fundamentally changes the game: NIS2 compliance is a governance issue that directly engages the executive's personal liability.

ANSSI's powers

In France, ANSSI has extensive powers to enforce NIS2:

  • Audits and inspections: ANSSI can conduct on-site or remote audits, including unannounced ones
  • Injunctions: it can order compliance under penalty
  • Administrative fines: without going through the courts, within the prescribed limits
  • Publication of penalties: the "name and shame" approach - publishing the penalty decision, including the company's name, often causes more reputational damage than the fine itself
  • Activity suspension: in the most serious cases, for essential entities

NIS2 compliance timeline

Understanding the timeline helps you prioritize your actions. Here are the key dates:

14 December 2022: Adoption of Directive (EU) 2022/2555 by the European Parliament and the Council.

17 October 2024: Deadline for transposition into national law in all member states. This is the date from which NIS2 is officially in force.

2025: France adopts its transposition law. ANSSI publishes guidance documents and opens the MonEspaceNIS2 registration portal. Gradual implementation period - ANSSI prioritizes support over immediate enforcement.

2026: Affected entities must be registered with ANSSI. First audits are expected. Incident notification obligations are fully enforceable. This is now.

2027 and beyond: Financial penalties are fully enforceable. Audits become systematic. Non-compliant entities face fines and publication of their identity.

The key takeaway: don't wait for audits to act. Companies that get compliant now benefit from a triple advantage: they avoid the pressure of last-minute compliance, they genuinely strengthen their security posture, and they stand out with clients and partners who increasingly demand cyber guarantees in their supply chain.

NIS2 compliance checklist for SMEs

This 20-point checklist covers all obligations under Article 21 of NIS2. It is organized by category to help you structure your action plan and track your progress.

Governance

  • Appoint a cybersecurity lead: Even part-time, someone must be identified as the point person. This doesn't have to be a full-time CISO (see FAQ), but someone who drives the topic day to day.
  • Train executives in cybersecurity: Article 20 of NIS2 explicitly requires this. Board members must understand cyber risks and be capable of assessing proposed measures.
  • Document the security policy: A formal document, approved by management, describing the principles, roles, and responsibilities for cybersecurity. Reviewed at least annually.
  • Establish a cyber steering committee: Quarterly meetings at minimum, bringing together management, the cybersecurity lead, and business unit heads to review metrics and validate actions.

Risk management

  • Conduct a risk analysis: Identify threats, vulnerabilities, and potential impacts on your operations. Use a recognized methodology (EBIOS RM - the risk analysis method recommended by ANSSI - or ISO 27005).
  • Map critical assets: A complete inventory of your information systems, applications, sensitive data, and interconnections. You cannot protect what you don't know about.
  • Assess supply chain risks: List your critical suppliers, evaluate their cyber maturity, integrate security requirements into your contracts.
  • Document remediation measures: For each identified risk, document the chosen response (accept, reduce, transfer, avoid) and the implementation plan.

Protection

  • Deploy multi-factor authentication (MFA): On all critical access points - email, VPN, line-of-business applications, cloud admin consoles. Top priority.
  • Encrypt sensitive data: At rest (drives, databases) and in transit (HTTPS, VPN). Document the key management policy.
  • Segment networks: Separate administration, production, and guest networks. Limit lateral movement in case of compromise.
  • Implement tested backups: The 3-2-1 rule: 3 copies, 2 different media, 1 offsite copy. Test restoration at least quarterly.

Training and testing

  • Set up an awareness program: Ongoing training for all employees on cybersecurity best practices. Not a once-a-year slide deck - short, regular, interactive modules.
  • Run regular phishing simulations: Assessing the effectiveness of measures (Article 21.2.f) requires concrete testing. Phishing simulation campaigns produce documented, actionable metrics.
  • Measure and document progress: Track click rates, reporting rates, and detection rates over time. These metrics are your compliance evidence for an ANSSI auditor.
  • Train employees on incident reporting: Every staff member must know how and to whom they should report a suspicious email or abnormal behavior. See our guide to phishing simulation in the workplace for how to structure this program.

Detection and response

  • Implement an incident management process: A documented procedure covering who does what, in what order, with what tools. Include ANSSI contact details and the relevant CSIRT.
  • Prepare notification templates: NIS2 requires notification within 24 hours, then a report within 72 hours. Prepare the forms in advance so you don't lose time during a crisis.
  • Test the incident response plan: A tabletop exercise at least every six months. Simulate different scenarios: ransomware, account compromise, data breach.
  • Document lessons learned: After every real or simulated incident, write a post-mortem and update your procedures accordingly.

NIS2 and phishing: a direct link

Phishing is the attack vector most directly targeted by NIS2. As noted above, it is the leading cause of corporate compromise across all sectors.

Several Article 21 obligations explicitly target this threat:

Article 21.2.f (effectiveness assessment) requires regular testing of your defenses. Phishing simulation is the most direct and measurable tool for meeting this requirement. An ANSSI auditor finding that you run quarterly simulation campaigns with detailed reports will validate this obligation.

Article 21.2.g (training and cyber hygiene) makes ongoing employee training mandatory. Post-simulation training - micro-learning triggered after an employee clicks a simulated phishing email - is considered the most effective method by ENISA. It occurs at the precise moment when the employee is most receptive, and it adapts to their individual risk profile.

Article 21.2.i (HR security and access control) covers the protection of your employees' digital identities. An AI-powered verification assistant, to which staff forward suspicious emails for a verdict, strengthens this protection by complementing the existing spam filter.

For detailed statistics on phishing's impact on businesses, see our full article: Phishing in the workplace: 2026 statistics, examples, and solutions.

How nophi.sh helps you comply with NIS2

NIS2 compliance is a broad topic that requires a comprehensive approach. No single tool covers all 10 obligations under Article 21. But for obligations directly related to the phishing threat - obligations 6, 7, and 9 - nophi.sh provides a turnkey solution.

Obligation 21.2.f: Assessing measure effectiveness

nophi.sh phishing simulation campaigns let you regularly test your employees' resilience with realistic, customized scenarios. Each campaign generates a detailed report with key metrics: click rate, open rate, reporting rate, reaction time. These reports serve as your compliance evidence for an auditor.

Obligation 21.2.g: Training and cyber hygiene

The automated training module triggers a personalized micro-learning path for every employee who fails a simulation. Training adapts to the individual's risk profile and covers essential best practices: identifying suspicious emails, reporting, password management. A real-time dashboard lets you track progress by department.

Obligation 21.2.i: Human resources security

The nophi.sh AI verification assistant analyzes emails that your staff forward to it and delivers a verdict within seconds: phishing, spear phishing, BEC (Business Email Compromise), or legitimate email. A technical complement to human training.

Audit-ready compliance reports

nophi.sh generates compliance reports consolidating your simulation, training, and verification metrics. In the event of an audit, you have structured documentation demonstrating your continuous improvement approach.

Learn more about all our compliance features, or start a free 14-day trial.

Frequently asked questions about NIS2

Is my 60-employee consulting firm affected by NIS2?

It depends on your sector. Consulting as such is not listed in Annex I or II of the directive. However, if your firm provides managed IT services (MSP), cybersecurity services (MSSP), or operates in a listed sector (healthcare consulting, energy consulting), you may fall within scope. Additionally, if your clients are subject to NIS2, they will likely demand security guarantees under the supply chain obligation (Article 21.2.d), even if you are not directly regulated.

What is the difference between an essential entity and an important entity?

The difference mainly concerns the level of supervision and penalties. Essential entities (Annex I sectors, large companies) face proactive supervision - ANSSI can audit them at any time, including unannounced inspections. Important entities (Annex II sectors, mid-sized companies) face a reactive regime - ANSSI intervenes after an incident or report. Maximum penalties are also higher for essential entities (EUR 10M vs EUR 7M).

When will NIS2 penalties start being enforced in France?

The directive has been in effect since October 2024 and the French transposition was adopted in 2025. ANSSI indicated it would prioritize a supportive approach initially, but penalties are legally enforceable from the moment of transposition. The first formal audits are expected in 2026. Don't wait for penalties to act: compliance takes time, and a company caught unprepared during an audit won't get a second chance.

Does NIS2 apply to subcontractors of regulated entities?

Not directly: a subcontractor that is not itself in a covered sector and does not exceed the size thresholds is not formally subject to NIS2. But indirectly, yes: Article 21.2.d requires regulated entities to secure their supply chain. In practice, this means your NIS2-regulated clients will impose contractual security requirements - audits, certifications, technical guarantees. This is the cascade effect of NIS2, and it potentially affects hundreds of thousands of SMEs across Europe.

How do I prove NIS2 compliance to an auditor?

NIS2 compliance is proven through documentation. You must be able to present: your security policy approved by management, your risk analysis, your incident management procedures, your simulation and training reports, your asset inventory, your supplier contracts with security clauses, and your steering committee minutes. The auditor will check consistency between documentation and the measures actually in place. Regular phishing simulation reports showing improving metrics are particularly compelling evidence.

What budget should I plan for NIS2 compliance?

The budget varies considerably depending on company size and current maturity level. According to ENISA, European SMEs spend on average between EUR 50,000 and EUR 200,000 on initial NIS2 compliance, then between EUR 20,000 and EUR 80,000 per year for maintenance. This covers risk analysis, technical tools, training, audits, and staff time. It's a significant investment, but compare it to the average cost of a data breach: USD 4.88 million according to the IBM Cost of a Data Breach Report 2025.

NIS2 and GDPR: where do they overlap?

NIS2 and GDPR are complementary but distinct. GDPR protects personal data; NIS2 protects networks and information systems. The overlaps are numerous: a personal data breach caused by phishing is both a NIS2 incident (notification to ANSSI within 24 hours) and a GDPR violation (notification to CNIL, France's data protection authority, within 72 hours). Technical measures overlap significantly: encryption, access control, training. The advantage for SMEs already GDPR-compliant: part of the documentation and governance work is already done.

Do I need a dedicated CISO to comply with NIS2?

NIS2 does not explicitly require a full-time CISO (Chief Information Security Officer). What the directive requires is that a person be identified as responsible for cybersecurity and that management be involved. For an SME of 50 to 100 employees, an IT manager trained in cybersecurity, supported by automated tools and possibly an external provider (MSSP), can be sufficient. The key is that the role is formally assigned, documented, and that the person has the time and resources needed.

And if a phishing incident occurs despite your preventive measures, see our phishing incident response guide for step-by-step instructions.

Start generating your compliance evidence. Phishing simulation, automated training, and audit reports in a few clicks. Create a free account - 14-day trial, no commitment.

Conclusion

The NIS2 directive represents the most significant change in European cyber regulation since GDPR. For French SMEs, compliance demands a real investment of time, budget, and organization. The obligations are precise, the deadlines are tight, and the penalties are dissuasive. But companies that comply genuinely strengthen their resilience against cyber threats - and phishing in particular. In a context where 60% of SMEs that suffer a cyberattack cease operations within 6 months according to the Hiscox Cyber Readiness Report 2025, investing in cybersecurity is above all an investment in your company's survival.

NIS2's phishing-related obligations - assessing measures, ongoing training, and verifying suspicious emails - overlap exactly with the components of an effective anti-phishing strategy. Regulatory requirement and operational best practice converge.

Don't wait for the first ANSSI audits to act. Companies that prepare now have the time needed for calm, gradual, and lasting compliance.

Generate my first NIS2 compliance evidence - simulation, micro-learning, and audit reports included.