When NIS2 was drafted, it was described as a directive for critical infrastructure — energy operators, hospitals, transport networks, digital infrastructure at scale. Most scale-ups I work with initially read the press coverage, checked their sector against the Annex I and Annex II lists, and concluded they were out of scope. A growing number are now discovering that they are in scope after all — not directly, but through the supply-chain provisions, the digital-services expansion, and the Member State transposition choices that in several cases went broader than the directive required. This article is about the three mechanisms that are pulling companies into scope, and the practical question of what to do when you find yourself there unexpectedly.
The headline sectors — and why that is not the whole story
NIS2 applies directly to “essential” and “important” entities operating in the sectors listed in Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and Annex II (postal services, waste management, manufacture of certain products, digital providers, research, food production). The directive sets size thresholds — broadly, medium and large entities — and Member States implement national laws that designate which specific organisations fall within scope.
If you are reading this and your company is, say, a B2B SaaS vendor with a hundred employees selling project management software, you are probably not in any of these sectors directly. You read Annex I, confirmed you are not an energy operator, and closed the tab.
The problem is the three paths into scope that do not require you to be in a listed sector yourself.
Path one — the supply-chain provision
Article 21(2)(d) of NIS2 requires in-scope entities to implement policies on supply-chain security, including assessing the cybersecurity practices of their suppliers and service providers. This is not an abstract obligation. The entities implementing it are translating it into procurement requirements. Specifically: before a hospital, a regional energy operator, a public-sector IT department, or a large bank will renew a contract with you in 2026 and beyond, they will require you to demonstrate a defined security posture — often mapped to the NIS2 control expectations in national guidance.
The vendor does not need to be subject to NIS2 to be affected by NIS2. The regulated customer is legally required to verify the vendor’s security practices, and the easiest way to do that at scale is to push NIS2-style requirements through the contract.
What this looks like in practice: ISO 27001 becomes non-negotiable for a pool of vendors that previously could sell on SOC 2 alone. DPA and SLA templates start including Article 21 control requirements as pass-through clauses. Incident-reporting obligations on the regulated entity (Article 23) get transmitted upstream as contractual reporting requirements on the vendor — often with timelines shorter than the 24-hour early-warning deadline the customer itself must meet.
If you sell into regulated sectors, your procurement cycles are already being reshaped by NIS2 whether or not you think of yourself as a NIS2 company.
Path two — the expanded digital-services definition
NIS2 Annex I includes “digital infrastructure” and, separately, “ICT service management”. The categories captured are broader than the NIS1 definitions: managed service providers, managed security service providers, trust service providers, DNS service providers, TLD name registries, providers of cloud computing services, providers of data centre services, content delivery network providers, electronic communications providers, and others.
The “cloud computing services” category in particular has drawn in companies that do not think of themselves as cloud infrastructure. Several Member State transpositions have interpreted it to include B2B SaaS that provides computing, storage, or application capabilities over the network to third parties — which is a definition that applies to many products founders would describe simply as “our SaaS platform”.
Annex II also captures “providers of online marketplaces, of online search engines, and of social networking services platforms”. If your product has marketplace dynamics, user-generated-content elements, or discovery features, re-read that line carefully against your national transposition.
The test is not whether you think of your company as critical infrastructure. The test is whether your product, under the definitions used by the national regulator, falls into one of these digital categories — and many scale-ups discover they do.
Path three — Member State gold-plating
The directive sets a floor, not a ceiling. Several Member States have transposed NIS2 with expansions of scope beyond the directive minimum: lower size thresholds, additional sectors, or specific designations that pull in companies operating in their jurisdiction.
Germany, France, the Netherlands, and the Nordic states have each taken slightly different approaches. A company that is out of scope under the Belgian transposition may be in scope under the French one. For scale-ups operating across Europe, this is a practical compliance complexity that does not go away by checking the directive text alone.
The correct question is not “am I subject to NIS2?” — it is “in which of the markets I operate am I subject to the national implementation, and under what specific obligations?”
The obligations, quickly
If you find yourself in scope, the substantive obligations under Article 21 are significant:
- Risk analysis and information system security policies
- Incident handling
- Business continuity (backups, disaster recovery, crisis management)
- Supply chain security
- Security in network and information systems acquisition, development and maintenance
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Cryptography policies and procedures
- Human resources security, access control policies, and asset management
- Multi-factor authentication, secure voice/video/text communications, and secure emergency communications
- Incident reporting (Article 23) to the CSIRT or competent authority, with a 24-hour early warning, a 72-hour incident notification, and a final report within one month
Management bodies of essential and important entities carry personal approval responsibility under Article 20 — this is a board-level obligation, not a CISO-level one.
What to do when you discover you are in scope
Three actions, in order, that have worked in the engagements I have run:
Map the exposure honestly and quickly: which of your markets have transposed NIS2 in a way that captures your product, which of your customers are in-scope entities that will push Article 21 requirements upstream to you, and whether your own services fall into the expanded digital-infrastructure or cloud-services categories. Two weeks of focused work, not six.
Consolidate the response into your existing ISMS rather than building a parallel programme. If you have ISO 27001 in flight or in place, the gap to Article 21 is manageable. The areas that typically need strengthening are supply-chain security, incident reporting timelines, business continuity evidence, and management-body governance structure. Treating NIS2 as a 27001 extension is the right framing for most scale-ups — treating it as a separate programme duplicates effort.
Get the incident-reporting pathway operational before you need it. The 24-hour early-warning clock is genuinely tight. Companies that discover they are in scope and have an active incident on the same day are in a difficult position. The pathway to notify the national CSIRT, the drafting templates for each of the three reporting stages, and the internal escalation that gets a board-approved notification out the door inside 24 hours — these need to be tested before they are exercised.
The scale-ups that are handling NIS2 well are the ones that treated the scope question seriously the moment they sold into a regulated sector, not the ones that waited for a procurement questionnaire to force the issue. The cost of finding out too late is usually a contract lost, a remediation sprint at triple the planned cost, or a notification obligation missed. None of those outcomes is necessary if the scope analysis is done early.