Why NIS2 matters for SMEs
NIS2 (Directive (EU) 2022/2555) replaces the original 2016 NIS directive and widens the net dramatically: more than 15,000 entities in France are now in scope, including mid-sized companies, subcontractors and digital service providers in strategic sectors. The French transposition sets the compliance deadline at 17 October 2026, with penalties reaching €10M or 2% of global turnover — and personal liability for executives.
The good news: most of what NIS2 asks for is documented governance, not expensive technology. If you approach it methodically, an SME can get the core in place in weeks, not months.
The 10 steps
1. Confirm whether you are in scope
You are likely in scope if you have more than 50 employees or €10M turnover and operate in a strategic sector (energy, transport, health, digital infrastructure, public administration, manufacturing, etc.). Even smaller SMEs can be indirectly affected: essential and important entities must secure their supply chain, so a subcontractor providing a critical digital service will be assessed against NIS2 criteria.
2. Appoint an accountable owner
NIS2 makes management bodies responsible. Name a person accountable for the programme and have leadership formally approve it — that sign-off is itself evidence.
3. Run a risk analysis
Identify your assets, the threats against them and the measures that reduce the risk. This drives everything else: NIS2 expects measures that are proportionate to your risk.
4. Write your information security policy (ISSP)
This is the top-level document that states your security objectives and your management's commitment to them; every other policy refers back to it.
5. Set up incident handling and notification
NIS2 imposes tight notification timelines (an early warning within 24 hours, a fuller notification within 72 hours). You need a documented incident response process before an incident — not during one.
6. Plan business continuity and recovery
Document a business continuity plan (BCP) and a disaster recovery plan (DRP) — see our guide to writing a business continuity policy. Test the restore.
7. Secure your supply chain
This is one of NIS2's biggest changes. Assess your suppliers, add security clauses to contracts, and keep a vendor security policy.
8. Cover the technical baseline
Access control, multi-factor authentication, vulnerability management, logging and encryption. Each should be a short, approved, communicated policy — not tribal knowledge.
9. Train people (including leadership)
NIS2 explicitly requires cyber-hygiene training and management awareness. Document the programme and keep attendance records.
10. Keep the evidence
For every measure, be ready to show approval, communication and review. Auditors and regulators care less about perfect prose than about proof that the measure is real, known and maintained.
How PolicyForge accelerates NIS2
The NIS2 policy generator maps each required document — ISSP, risk management, incident response, continuity, supply chain, access control, vulnerability management, awareness — to a structured, bilingual template with an approval block, communication notes and a review date. You generate the documentary core in an afternoon and walk into your assessment with the evidence already in shape.