NIS2 for mid-sized companies: what the directive actually requires
A clear answer to what the regulator expects of you and what you can do first.
29 May 2026 · Bartek Liszkowski
When the EU directive NIS2 came into force in 2024, most mid-sized companies treated it as something that concerns banks and telecom operators. In 2026 that assumption has fallen apart. National implementations are now taking effect across the EU, in several countries with no transition period at all. And it is enough to supply critical services in the supply chain of a customer who is themselves covered by NIS2, and suddenly so are you.
This article will not replace a conversation with a lawyer. What I have gathered in it, though, is what I was missing myself when a client first asked how GoIDEA meets NIS2. Without consultant fog, in plain language. What actually follows from the directive and what you can do first.
What NIS2 actually is
NIS2 is the EU cybersecurity directive (formally Directive (EU) 2022/2555) that replaced the older NIS directive of 2016. It raises and harmonises the security requirements across the whole Union for companies in critical and important sectors. Each member state transposes it into its own national law and designates its own supervisory authority, so the details of the implementation vary from country to country.
In practice the directive imposes obligations in three layers: risk management, reporting of incidents within set deadlines, and the personal responsibility of company management for both. This is a continuous process, maintained for as long as the company operates.
Who NIS2 applies to
In short: companies in critical or important sectors with 50+ employees or an annual turnover of 10+ million €. Critical sectors include energy, transport, banking and digital infrastructure. Important sectors include, among others, manufacturing, digital service providers, postal services and waste management.
The second hook is less obvious. If you are outside NIS2 yourself but supply software, infrastructure or critical services to a company that is covered by it — your customer is obliged to verify how you handle cybersecurity. In practice: clauses appear in contracts that demand the same from you as from the large customer.
For mid-sized suppliers this is currently the fastest mechanism for being pulled into NIS2. The large customer does not ask whether you would like to adapt. The large customer has a compliance department that has been given a plan and is executing it.
What the directive actually requires
NIS2 defines the required outcomes and leaves the choice of technology to you. From the perspective of a mid-sized company, these are nine areas that need to be described and maintained.
Policies for risk analysis and system security. Procedures for handling and reporting incidents — an early warning within 24 hours, an assessment within 72 hours, a final report within 30 days. Business continuity (backups, crisis management). Supply chain security — including your software suppliers. Security in the acquisition, development and maintenance of IT. Procedures for assessing the effectiveness of risk measures. Staff training in cyber hygiene. Cryptography where it makes sense. Access control and identity management.
Nine areas. Each must be documented. Each needs a person responsible for it. Each must be auditable.
What this means for a mid-sized company in practice
For most companies with 20–250 people, implementing NIS2 is above all documentation work; technically, they usually already have what is needed. Most mid-sized companies do most of what the directive requires, they just never write it down, never test it and never report on it anywhere.
The most expensive part of a NIS2 implementation is usually a month of work to describe what already happens in the company, and the first audit, which shows what is genuinely missing. Hardware is often the smallest cost here.
The second cost block is your suppliers. All contracts with system, hosting and software providers will need addenda. Most off-the-shelf cloud services have such addenda in their portfolio. A local provider who built you an application ten years ago probably does not. This is exactly where many customers are reviewing their supplier portfolio today.
How I build for NIS2
Three architectural decisions I make from the start of every project, because they lead towards compliance with the directive anyway.
First — everything I build runs in the customer's infrastructure, not in mine. Your data never leaves the servers you control yourself. That resolves the NIS2 supply chain problem at the technical level, before it is even discussed.
Second — the server keeps audit logs automatically: who, when, what. On top of that I add any logging you need or the regulations demand. The same applies to access control at record level, not just on screen.
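The audit trail and record-level access control described above, as an added Python example (not GoIDEA's code and not taken from this page): every read or update of a record goes through one function that checks the record's own access list and then appends an entry with who, when, what and the outcome to an append-only log. Denied attempts are logged as well, and each entry hashes the previous one so that a deleted or edited entry is detectable during an audit. The record store, the user names and the log format are assumptions made for the illustration.

```python
"""Record-level access control with an automatic who/when/what audit trail.

Added example for this article; not GoIDEA's code. The record store, the
users, the action names and the hash-chained log format are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample records. Each record carries its own access list, so the
# check happens per record, not per screen.
RECORDS = {
    "contract-17": {"owner": "alice", "readers": {"bob"}, "body": "supplier addendum"},
    "contract-42": {"owner": "carol", "readers": set(), "body": "hosting agreement"},
}

GENESIS = "0" * 64  # "previous hash" of the very first entry


class AuditLog:
    """Append-only log; every entry includes the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def append(self, who, action, record_id, allowed, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "who": who,                # which identity acted
            "when": when.isoformat(),  # UTC timestamp of the attempt
            "what": action,            # read / update / share
            "record": record_id,
            "allowed": allowed,        # denied attempts are recorded too
            "prev": prev,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain. Returns the index of the first bad entry, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return i
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return i
            prev = e["hash"]
        return None


def _permitted(user, action, record):
    """Per-record rule: owner may do anything listed, readers may only read."""
    if action == "read":
        return user == record["owner"] or user in record["readers"]
    if action in ("update", "share"):
        return user == record["owner"]
    return False


def access(log, user, action, record_id, records=RECORDS):
    """Single entry point for every record access: check first, log always.

    An unknown record is treated like a denied one, so the response does not
    reveal whether the record exists.
    """
    record = records.get(record_id)
    allowed = record is not None and _permitted(user, action, record)
    log.append(user, action, record_id, allowed)
    if not allowed:
        raise PermissionError(f"{user} may not {action} {record_id}")
    return record["body"]


def demo():
    """Run a short sequence of accesses and return the resulting audit log."""
    log = AuditLog()
    for user, action, rid in [
        ("alice", "read", "contract-17"),    # owner reads own record
        ("bob", "read", "contract-17"),      # listed reader
        ("bob", "update", "contract-17"),    # reader tries to write: denied
        ("bob", "read", "contract-42"),      # not listed at all: denied
    ]:
        try:
            access(log, user, action, rid)
        except PermissionError:
            pass
    return log


if __name__ == "__main__":
    log = demo()
    for e in log.entries:
        print(e["when"], e["who"], e["what"], e["record"], "ALLOWED" if e["allowed"] else "DENIED")
    print("chain intact:", log.verify() is None)
```

The point of routing every access through one function is that the audit log cannot be bypassed by a code path that forgot to log; the point of the hash chain is that an auditor can check the log itself rather than trust it.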
Third — the documentation is created automatically, as the system is built. The customer receives a ready package — one they can essentially generate from the system themselves at any time. The same documentation can be reused when preparing further required paperwork.
I have gathered more technical detail on a dedicated page HERE. If you are preparing for NIS2 or your customer is starting to ask — get in touch. We will discuss exactly where you stand today and what you can do first.
Book 30 minutes. I answer every email myself.
The first call is a calm conversation to get to know each other. I check whether I can help at all. No slides, no sales pressure. If I see it is a poor fit, I say so directly.
Would you rather talk than write? Pick a slot in the calendar — we will meet on Zoom:
Open Cal.com →
Phone +48 601 789 966 — you can call, I pick up myself.