Who is covered by NIS2?

Typically medium and large organizations operating in covered sectors, plus several digital and supply-chain roles. Scope should be checked against size, sector, and dependency profile.

Can a small SME ignore it?

Not safely. Even when not formally in scope, customers, partners, and insurers may require equivalent controls, especially for access, logs, resilience, and incident handling.

Which controls create the fastest risk reduction?

MFA, company VPN, removal of exposed services, centralized immutable logs, tested backups, and a documented incident procedure with named owners.

How does a managed firewall help?

It reduces exposed surface, enforces consistent rules, improves traffic visibility, and when paired with VPN and WORM logs it creates much stronger evidence.

EU Regulation

NIS2 Guide 2025-2026

A practical guide to understand who falls within the directive, what it changes for European businesses, and which controls matter most when auditors ask for evidence.

At a glance

NIS2 requires governance, risk management, incident notification capability, and verifiable technical measures. For most SMEs, the hard part is not the theory. It is proving that access control, logging, backup, patching, business continuity, and decision ownership actually work.

2022/2555

EU Directive

Legislative Decree 138/2024

Italian transposition

24 hours

Initial incident warning

72 hours

Fuller notification

Common mistake

Treating compliance as a product purchase. NIS2 requires a control system, not a single appliance.

Real risk

If you cannot detect an incident in time, you cannot meet notification deadlines. Weak logging becomes a legal problem, not just a technical one.

Where SecBox helps

SecBox Shield covers the most fragile operational areas: protected remote access, reduced exposure, immutable WORM logs, and evidence-ready reporting.

What NIS2 really is

NIS2 is the EU directive that raises the baseline cybersecurity obligations for entities considered essential or important. It is not limited to technical controls. It also introduces duties around governance, supply chain security, resilience, incident handling, and continuity planning.

For a company, the takeaway is straightforward: it is no longer enough to say “we have a firewall”. You must show that security is organized, monitored, documented, and owned by named decision-makers.

Risk assessment and proportionate safeguards
Incident handling and escalation procedures
Access security, strong authentication, and traceable logging
Business continuity, backup, and recovery capability
Supply chain oversight for critical vendors
Direct management accountability for cyber risk

Who it affects in practice

In practice, scope depends on sector and size. The common rule of thumb is the 50 employees or 10 million euro turnover threshold, combined with activity in a covered sector or a strategically relevant digital role.

Even when an SME is not formally in scope, it can still face indirect pressure from larger customers, regulated partners, insurers, or supply-chain requirements.

Energy, transport, healthcare, water, banking, and digital infrastructure
IT providers, managed service providers, cloud, hosting, data center, and critical software organizations
Critical manufacturing and high-dependency supply chain actors
Vendors expected to provide audit trails, access control, and incident readiness

Definitions worth getting right

A large share of wasted compliance effort comes from misunderstanding the vocabulary. The labels below drive very different expectations and audit questions.

Essential entity: an organization whose disruption would have broader systemic impact and which faces a stricter supervisory posture.
Important entity: a relevant organization still subject to substantial duties, but within a different oversight model.
Significant incident: an event with relevant impact on service delivery, data, resilience, customers, or the wider supply chain.
Technical and organizational measures: actual controls, procedures, responsibilities, and evidence. Not just paperwork.
Management body accountability: executives must approve, supervise, and understand cyber risk exposure.

The technical controls that matter most

Many companies focus on generic checklists. In reality, reviews quickly converge on a small set of high-evidence controls: access, logs, backup, segmentation, vulnerability handling, and incident response.

MFA for every remote and administrative access path
Company VPN or segmented remote access instead of directly exposed services
Centralized logs with integrity, retention, and reviewability
Offline or immutable backups with tested recovery procedures
Patching and vulnerability management with prioritization and traceability
Network segmentation to limit lateral movement
Incident response playbooks with contacts, escalation, and evidence handling

Incident reporting: where companies usually break down

Operationally, the hardest part is detecting, qualifying, and reporting incidents within the required windows. If detection is late, or evidence is unreliable, compliance fails immediately.

Within 24 hours: early warning or initial notification
Within 72 hours: more complete update with preliminary assessment
Within 1 month: final report covering cause, impact, and remediation
You need named owners for decision-making, evidence collection, and authority communication

Why management involvement matters

NIS2 is not something the board can push entirely onto the IT department. Management bodies are expected to approve the measures, receive suitable training, and supervise implementation.

Without executive ownership, security spending stalls, accountability stays ambiguous, and incident decisions become slow exactly when speed matters most.

A practical SME roadmap

For an SME, the correct approach is sequential: first remove the highest-risk gaps, then formalize governance and reporting.

Map assets, privileged users, remote access paths, and exposed services
Remove exposed RDP, admin panels, and unnecessary Internet-facing ports
Enable MFA, company VPN, centralized logging, and tested backups
Define roles, escalation flows, and 24/7 decision contacts
Maintain a minimum incident register, exception log, and corrective action trail
Produce recurring evidence: reports, log retention proof, restore tests, and change records

Operational timeline

Immediately

Confirm whether the company falls in scope, identify critical services, and assign a clear owner.

First 2-4 weeks

Reduce exposure: MFA, VPN, segmentation, closure of exposed services, centralized logging, backup validation.

Within 60-90 days

Formalize incident response, 24/7 contacts, minimum policies, patching processes, and escalation criteria.

Ongoing

Run reviews, produce reports, test restore procedures, monitor critical suppliers, and keep evidence current.

Next step

Turn compliance into concrete controls

SecBox Shield helps reduce exposure, control access, make logs audit-ready, and produce technical evidence that is reusable during audits and reviews.

View Shield Plans Read the NIS2 checklist