11 February 2026 | 10 min read | Attila Bognar

NIS2 for SMEs: How Proportionality Works in Practice (Not Just in Theory)

Most NIS2 guidance targets large enterprises. But medium-sized entities are in scope too. Here is how the proportionality principle under Article 21(1) translates to different implementation depths for smaller organisations.

Tags: NIS2, SME, proportionality, compliance

Nearly every piece of NIS2 guidance published since the Directive entered into force reads as though every in-scope entity operates a 24/7 security operations centre with a team of forty. That is the reality for critical infrastructure operators and large financial institutions. It is not the reality for a 75-person managed service provider, a 120-employee SaaS company serving the healthcare sector, or a medium-sized manufacturer that happens to fall within an Annex I or Annex II sector.

These entities are in scope. The Directive does not exempt them from its obligations. But Article 21(1) explicitly requires that cybersecurity measures be "proportionate" — and understanding how proportionality translates from legal text to operational practice is the difference between a compliance programme that works and one that either bankrupts the organisation through over-engineering or fails through under-investment.

Who Is in Scope: The Size Threshold and Its Exceptions

NIS2 applies to entities that meet both a sector criterion (operating in a sector listed in Annex I or Annex II) and a size criterion. The size criterion follows the EU's SME definition framework:

  • Medium-sized entities: 50-249 employees AND annual turnover of €10 million to €50 million (or balance sheet total of €10 million to €43 million)
  • Large entities: 250+ employees OR annual turnover exceeding €50 million

Entities below the medium threshold — fewer than 50 employees and less than €10 million turnover — are generally excluded. However, NIS2 Article 2(2) lists exceptions where smaller entities are in scope regardless of size:

  • Providers of public electronic communications networks or services
  • Trust service providers
  • Top-level domain name registries and DNS service providers
  • Entities that are the sole provider of a service essential to societal or economic activities in a Member State
  • Entities whose disruption could have a significant impact on public safety, public security, or public health

These exceptions matter. A five-person DNS registrar is in scope. A 30-employee qualified trust service provider is in scope. Size does not protect entities whose disruption would have outsized impact.

For the majority of newly in-scope entities, however, the medium-sized category (50-249 employees) is where the compliance challenge concentrates. These organisations typically have an IT team but not a dedicated security function. They may have a head of IT who also handles compliance, or an outsourced MSSP providing monitoring. Their budgets for security tooling are measured in tens of thousands, not millions.

Proportionality: What the Directive Actually Says

Article 21(1) states that Member States shall ensure that essential and important entities take "appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems." It specifies that these measures shall be based on "an all-hazards approach" and shall be "proportionate to the risks posed."

The proportionality assessment, per the text, considers:

  • The entity's degree of exposure to risks
  • The entity's size
  • The likelihood of occurrence of incidents and their severity, including their societal and economic impact

This is not decorative language. It is a binding legal requirement that the measures demanded of a 60-person SaaS company must be commensurate with its specific risk profile, resources, and impact potential. A supervisory authority that demanded enterprise-grade controls from a medium-sized entity without conducting a proportionality assessment would be acting outside the Directive's mandate.

Recital 79 reinforces this: measures should "take into account the state of the art and, where applicable, the relevant European and international standards, as well as the cost of implementation." Cost of implementation is an explicit factor. This does not mean cheap compliance is acceptable compliance — but it does mean that the economic burden on the entity is part of the legal calculus.

Practical Proportionality: Art. 21(2) Measures at SME Scale

Article 21(2) lists the minimum measures that all essential and important entities must implement. The table below translates each measure into what proportionate implementation looks like for a medium-sized entity versus a large enterprise.

For each Article 21(2) measure, the first bullet gives the enterprise implementation (1000+ employees) and the second the SME implementation (50-150 employees).

(a) Risk analysis and information system security policies
  • Enterprise: Dedicated GRC team, formal risk framework (ISO 27005), annual risk assessment cycle, board-level risk committee
  • SME: Documented risk register maintained by IT lead, annual risk assessment using lightweight framework (NIS2 requirements mapping), reviewed by management body

(b) Incident handling
  • Enterprise: 24/7 SOC (internal or MSSP), SOAR platform, tiered incident response plan, regular tabletop exercises, dedicated incident management tooling
  • SME: Documented incident response plan, defined escalation contacts (including after-hours), MSSP-provided monitoring with alerting, annual incident response drill

(c) Business continuity and crisis management
  • Enterprise: Full BCM programme, BIA for all critical processes, disaster recovery sites, annual failover tests, crisis communication team
  • SME: Documented business continuity plan covering top 3-5 critical services, tested backup restoration quarterly, defined communication templates for customer notification

(d) Supply chain security
  • Enterprise: Formal TPRM programme, vendor risk assessments for all suppliers, continuous monitoring, contractual security requirements with audit rights
  • SME: Risk-tiered vendor list (critical vs. non-critical), security requirements in contracts with critical suppliers, annual review of critical vendor security posture

(e) Security in network and information systems acquisition, development, and maintenance
  • Enterprise: Secure SDLC, SAST/DAST in CI/CD pipeline, security architecture review board, vulnerability management programme with SLA-driven patching
  • SME: Patching process with defined timelines (critical: 48h, high: 7d), dependency scanning in build pipeline, secure configuration baselines for production systems

(f) Policies and procedures for assessing effectiveness
  • Enterprise: Continuous control monitoring, annual internal audit, periodic external penetration testing, red team exercises
  • SME: Annual vulnerability scan, annual external penetration test, documented review of security measures by management body

(g) Basic cyber hygiene and cybersecurity training
  • Enterprise: Mandatory annual training for all employees, role-based training for developers and administrators, phishing simulation programme
  • SME: Annual security awareness training for all employees, additional training for IT staff, documented training records

(h) Policies and procedures for cryptography and encryption
  • Enterprise: Key management system, HSMs for critical keys, encryption-at-rest for all data stores, TLS 1.3 enforcement, certificate lifecycle management
  • SME: TLS enforcement for all external-facing services, encryption-at-rest for databases containing sensitive data, documented key management procedures (even if manual)

(i) Human resources security, access control, and asset management
  • Enterprise: IAM platform with automated provisioning/deprovisioning, RBAC/ABAC, quarterly access reviews, asset inventory with automated discovery
  • SME: Documented onboarding/offboarding checklists, MFA for all administrative access, manual asset inventory reviewed semi-annually, principle of least privilege documented and applied

(j) Multi-factor authentication and secured communications
  • Enterprise: MFA for all user access, conditional access policies, secure communication platform for sensitive discussions, encrypted email for external communication
  • SME: MFA for all remote access and cloud services, encrypted messaging for incident communication, VPN or zero-trust network access for remote work

The pattern is consistent: the same controls, at different levels of automation, formality, and coverage. A medium-sized entity is not expected to build what a Fortune 500 company builds. It is expected to achieve the same security objectives through implementation that matches its scale.

Supervision Differences: Essential vs Important Entities

NIS2 creates two categories of in-scope entities with materially different supervision regimes.

Essential entities (Annex I sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management B2B, public administration, space) are subject to ex-ante supervision. Competent authorities can conduct proactive audits, on-site inspections, and security scans without waiting for an incident. Fines can reach €10 million or 2% of global annual turnover.

Important entities (Annex II sectors: postal services, waste management, chemicals, food, manufacturing, digital providers, research) are subject to ex-post supervision. Competent authorities generally investigate after an incident or a complaint, not proactively. Fines can reach €7 million or 1.4% of global annual turnover.

For SMEs, this distinction is significant. A medium-sized entity classified as important is less likely to face proactive audits and more likely to encounter regulatory scrutiny only if something goes wrong. This does not mean compliance is optional — ex-post enforcement can still result in substantial fines — but it does affect how you allocate resources. An important entity can reasonably prioritise incident response capability and evidence preservation over audit-readiness documentation, knowing that the most likely regulatory interaction will follow an incident rather than precede one.

A medium-sized entity classified as essential — a 60-person DNS service provider, for example — faces a different calculation. Proactive audits mean that compliance evidence must be ready at any time, not assembled after a triggering event.

Cost-Effective Compliance Strategies for Smaller Teams

Proportionality permits pragmatic implementation. Several strategies reduce the cost of NIS2 compliance for medium-sized entities without reducing its effectiveness.

Start with what you have. Most medium-sized entities already implement significant security measures — firewalls, endpoint protection, backups, MFA on key systems. NIS2 compliance often involves documenting and formalising existing practices rather than building from scratch. The implementation guide should begin with a gap assessment against Article 21(2), not a greenfield programme.

Outsource monitoring, not governance. An MSSP can provide 24/7 monitoring, alert triage, and incident detection at a fraction of the cost of building an internal SOC. But governance — risk acceptance decisions, management body approval, supplier risk assessment — cannot be outsourced. The management body's Article 20 obligations require internal ownership of cybersecurity governance even when technical capabilities are outsourced.

Use automation to reduce manual burden. Compliance automation platforms that map controls to regulatory requirements, track evidence, and generate audit-ready documentation reduce the ongoing operational cost of NIS2 compliance. For a team without dedicated GRC resources, this is not a luxury — it is the mechanism that makes compliance sustainable.

Leverage sector-specific ENISA guidance. ENISA has published sector-specific guidance for several NIS2 sectors, including suggested measures calibrated to different entity sizes. These documents provide a defensible baseline: an entity that implements ENISA's recommended measures for its sector and size category has a strong argument that its implementation is proportionate.

Group compliance for affiliated entities. NIS2 Article 21(1) permits Member States to allow group-level compliance arrangements. If a medium-sized entity is part of a larger group, leveraging group-level security infrastructure (shared SOC, shared incident response capability, group-wide training programme) can significantly reduce per-entity costs.

ENISA's SME Guidance and National Support Programmes

ENISA has recognised that SME readiness is a systemic vulnerability in the NIS2 framework. Its 2025 publication on NIS2 implementation for SMEs provides practical guidance organised around the Article 21(2) measures, with implementation examples scaled to smaller organisations.

Several Member States have also established national support programmes:

  • Germany's BSI has published NIS2 implementation guides segmented by entity size and offers a self-assessment tool for medium-sized entities
  • France's ANSSI provides sector-specific workshops and has established a certification scheme for MSSPs that SMEs can rely on for outsourced monitoring
  • The Netherlands' NCSC has published plain-language guidance for medium-sized entities and operates a threat intelligence sharing programme that includes important entities

These programmes represent an investment by Member States in achieving broad compliance rather than enforcement-first approaches. SMEs should engage with their national competent authority's support offerings before investing in commercial compliance solutions — the baseline guidance may be sufficient to structure an initial programme.

Key Takeaways

  • Proportionality is a legal requirement, not a loophole. Article 21(1) mandates that measures be proportionate to the entity's size, risk exposure, and impact potential. Medium-sized entities are expected to implement the same categories of controls as large enterprises, but at a depth and formality commensurate with their resources and risk profile.
  • Most medium-sized entities are closer to compliance than they think. NIS2 measures align with security practices that well-managed IT organisations already follow. The gap is typically in documentation, governance formalisation, and management body involvement — not in technical controls.
  • Essential vs important classification determines supervision intensity. Important entities face ex-post supervision (investigation after incidents), while essential entities face ex-ante audits. Allocate resources accordingly: important entities should prioritise incident response; essential entities need standing audit readiness.
  • Cost-effective compliance is achievable. Outsourced monitoring, compliance automation, ENISA guidance, and national support programmes collectively make NIS2 compliance accessible at SME budgets. When buying tooling or services, look for pricing structures that scale with entity size rather than imposing enterprise costs on medium-sized organisations.