
NIS2 for SaaS: what do you need to arrange now?
Dennis van de Wiel
Who this affects
NIS2 sounds like legislation for governments and large infrastructure companies. But if you offer SaaS to European businesses, or run a fintech platform yourself, there is a good chance NIS2 affects you directly or indirectly.
Directly: as a digital service provider, you may fall under the regulation yourself. Indirectly: your enterprise customers do fall under NIS2 and must demonstrate that their suppliers also operate securely. You are that supplier.
This article explains whether your company is in scope, what the obligations are, and what you need to arrange now, without waiting for a customer to demand it.
Do you fall under NIS2 as a SaaS company?
NIS2 distinguishes two categories: essential entities and important entities. Digital service providers are by definition in scope if they exceed the thresholds: more than 50 employees or more than €10 million in revenue. Smaller organisations can also fall in scope if they are specifically designated as critical.
Directly in scope as a digital service provider:
- Cloud computing providers (IaaS, PaaS, SaaS above the threshold)
- Providers of managed services or managed security services
- Online marketplaces and search engines above the threshold
- Datacentre services
NIS2 distinguishes more categories, including for example domain registrars. Use the [official government tool](https://regelhulpenvoorbedrijven.nl/NIS-2-NL/) to check whether your organisation falls in scope.
Indirectly in scope via the supply chain:
Even if you formally fall outside the direct scope, NIS2 requires your customers to assess and manage the security of their suppliers. In practice this means: if your customer falls under NIS2, they will expect contractual assurance from you. Without demonstrable compliance, you will lose tenders.
Fintech specifically: If your platform supports financial services, such as payment processing, credit assessment or asset management, you may fall under DORA in addition to NIS2. DORA applies to financial entities and their ICT suppliers. Overlap is the rule rather than the exception.
What does NIS2 require in practice?
NIS2 does not require a certificate, but a demonstrably functioning risk management system. The four core obligations:
1. Risk management measures
You need policies covering: network and information security, access management, encryption of data in transit and at rest, vulnerability management and patching, and physical security of systems. Not standalone documents, but a coherent ISMS. ISO 27001 is explicitly recognised by NIS2 as a compliance path and is the fastest route to demonstrable conformity.
2. Incident reporting
In the event of a significant cyber incident, you must submit an initial notification to the competent national authority within 24 hours (in the Netherlands: NCSC or a sectoral CSIRT). A more detailed report follows within 72 hours, and a final report after one month. This requires a pre-documented incident response procedure that is ready before an incident occurs.
3. Supply chain security
You must assess your own suppliers. Does your platform run on AWS, Azure or GCP? You are responsible for the configuration and use. Do you use external SaaS tools for HR, CRM or communication? These also fall under your supply chain assessment.
4. Business continuity
You need a documented Business Continuity Plan and Disaster Recovery plan. Incidents must not bring your services to a standstill for weeks.
The 5 steps you need to take now
Step 1 - Determine whether you are in scope
Check your size (employees, revenue) and the nature of your service. Start with the [official government self-assessment tool](https://regelhulpenvoorbedrijven.nl/NIS-2-NL/) to determine whether your organisation falls directly in scope. Not sure what the outcome means for your specific situation? Get in touch with us for a personal consultation with one of our experts.
Step 2 - Document your risk analysis
You need a formally documented risk analysis: which threats are relevant, what risk do they carry, and how do you manage them? This is the foundation for everything that follows.
Step 3 - Set up an incident response procedure
Who calls whom when a data breach is discovered at 3 in the morning? Which systems do you log? Who communicates with customers and authorities? Without a procedure, the 24-hour requirement is unachievable.
Step 4 - Map your supplier chain
Create a list of all critical suppliers: name, service, what data they process, and whether they themselves have demonstrable security measures in place.
Step 5 - Link to ISO 27001
NIS2 compliance via ISO 27001 is the proven approach. It gives you a structured framework, external verification, and a certificate that customers immediately recognise. If you have not yet started an ISO 27001 journey, now is the time.
Not sure where you stand? Take the free Tidal Quickscan and find out your NIS2 readiness in 10 minutes.
Frequently asked questions
Does NIS2 apply to small SaaS companies?
Organisations with fewer than 50 employees and less than €10 million in revenue fall outside the direct scope, unless they are specifically designated as critical or provide managed services to organisations that are in scope. However, customers who do fall in scope will assess you as a supplier, even if you yourself fall outside the direct scope.
What is the difference between NIS2 and DORA for fintech?
NIS2 is broad and applies to all sectors above the threshold. DORA is sector-specific for financial entities and their ICT suppliers, and sets stricter requirements for third-party risks and operational resilience testing. If you work as an ICT supplier for banks, insurers or investment firms, you fall under DORA, in addition to any NIS2 obligations.
Can I demonstrate NIS2 compliance without a certificate?
Yes. NIS2 does not require a certificate. But without a certificate you must demonstrate yourself that your measures are working. ISO 27001 offers the most widely accepted external verification and is immediately recognised by regulators and customers as proof. Is ISO 27001 too big a step for your organisation right now? A NIS2-specific certificate also exists, offering a lighter but recognised route to demonstrable compliance.
What are the fines for non-compliance with NIS2?
For essential entities: up to €10 million or 2% of global annual turnover. For important entities: up to €7 million or 1.4% of turnover. In the Netherlands, the NCSC and/or the sectoral regulator is responsible for supervision.