NIS2

NIS2 Compliance Checklist for SaaS Companies

4 min readUpdated 3 June 2026

SaaS companies are one of the most commonly confused categories under NIS2. Many are in scope — particularly those operating as managed service providers, cloud providers, or serving critical infrastructure sectors. Others are not directly in scope but are subject to NIS2 requirements through their enterprise customer contracts.

This checklist covers what in-scope SaaS companies need to implement.

First: Are You In Scope?

Before working through the checklist, confirm your NIS2 status:

  • Cloud service provider (IaaS/PaaS/SaaS meeting the directive's definition) → Essential entity
  • Managed service provider (providing IT management to other organisations) → Essential entity
  • Managed security service provider → Essential entity
  • Digital marketplace, search engine, or large social network → Important entity
  • SaaS serving critical sectors (healthcare, banking, energy) → Possibly in scope as supply chain
  • General-purpose B2B SaaS not in the above categories → Check size and sector thresholds

If you are out of scope directly but sell to essential/important entities, your customers may require NIS2-equivalent security practices contractually.

NIS2 Compliance Checklist for In-Scope SaaS

Governance

  • NIS2 responsibility assigned to a named individual or team
  • Management body (board or equivalent) has formally approved the cybersecurity risk management approach
  • Management body members have completed cybersecurity training
  • Cybersecurity risk management is included in regular management reviews
  • Company is registered with the national NIS2 competent authority in relevant member states

Risk Management

  • Information security risk assessment completed and documented
  • Risk treatment plan in place with identified controls for each significant risk
  • Risk assessment reviewed at least annually and after significant changes
  • Risk assessment covers: infrastructure, application, people, supply chain, physical security

Security Measures (Article 21)

  • Multi-factor authentication (MFA) implemented for all system access — not just administrative access
  • Encryption at rest and in transit for all systems processing customer data
  • Access controls based on least privilege — users have only the access they need
  • Vulnerability management programme in place — scanning, patching, prioritisation
  • Penetration testing conducted at least annually
  • Security monitoring and logging covering all critical systems
  • Endpoint security on all company-managed devices
  • Secure software development lifecycle — security reviews in development, dependency scanning, secrets management

Incident Response

  • Incident response plan documented and tested
  • Criteria for "significant NIS2 incident" defined
  • 24-hour early warning reporting procedure in place
  • 72-hour incident notification procedure in place
  • Authority contact details for relevant member state CSIRTs documented
  • 30-day final report procedure defined
  • Customer notification procedure for service-impacting incidents

Business Continuity

  • Business continuity plan documented
  • Recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical services
  • Backup systems tested at defined frequency
  • Disaster recovery plan documented and tested

Supply Chain Security

  • Critical suppliers and sub-processors identified
  • Security risk assessment for each critical supplier
  • Contractual security requirements in place with critical suppliers
  • Sub-processor security certifications reviewed and documented
  • Process for managing supplier security changes

Compliance and Training

  • All employees completed security awareness training in last 12 months
  • Technical staff completed role-appropriate security training
  • Management completed NIS2-specific cybersecurity training (Article 20 requirement)
  • Security policies reviewed and updated in last 12 months

What Enterprise Customers Will Ask You

Even if you are not directly in scope under NIS2, your customers who are essential or important entities will ask you to demonstrate NIS2-equivalent security practices. Expect:

  • Security questionnaires covering all Article 21 requirements
  • Requests for ISO 27001 certification or SOC 2 Type II report
  • Contractual requirements for incident notification within 24–72 hours of any security event affecting their data
  • Right to audit your security practices
  • Sub-processor disclosure and right to object

Build your security programme to this standard regardless of direct NIS2 scope — enterprise deals require it.

Penalties

For in-scope entities that do not implement required measures:

  • Essential entities: up to €10 million or 2% of global annual turnover
  • Important entities: up to €7 million or 1.4% of global annual turnover

Regulators are beginning enforcement in member states that transposed NIS2 by the October 2024 deadline. Early enforcement has focused on registration failures and gaps in incident reporting procedures.

ComplyOne determines your NIS2 entity classification and generates the required security documentation.

Check your NIS2 compliance →

Related guides

Does NIS2 Apply to My Company?

NIS2 — the EU's revised Network and Information Security Directive — expanded its scope dramatically compared to its predecessor.

NIS2 for Data Centres

Data centres are explicitly named in NIS2 Annex I as essential entities under the digital infrastructure sector.

NIS2 Entity Classification: Essential vs Important

NIS2 divides in-scope entities into two categories: essential entities and important entities.

View all guides in this module