NIS2 Compliance — What Your Team Needs to Know in 2026
A practical guide to NIS2 compliance for tech teams. Learn what the EU NIS2 directive requires, when national laws take effect, how hosting choices impact compliance, and why EU-sovereign infrastructure matters.
By runtiq Team
NIS2 is in force. If your company has 50+ employees or €10M+ annual turnover and operates in the EU, this probably applies to you.
The directive (Directive 2022/2555) came into force in January 2023. The enforcement deadline was October 2024. National laws are now taking effect — Germany’s since December 2025, Austria’s from October 2026, with most other EU countries following through 2026.
This post covers:
- What NIS2 requires and who it applies to
- When national laws actually take effect (country-by-country)
- Why your hosting and infrastructure choices are a compliance factor
- Practical steps you can take this week
What Is NIS2?
NIS2 (Directive 2022/2555) replaces the original NIS Directive from 2016. The original left too much room for member states to implement it differently — which produced inconsistent security baselines across the EU. NIS2 fixes this: broader scope, stricter requirements, and real penalties. For essential entities, fines go up to €10 million or 2% of global annual turnover.
The core goal is raising the security baseline for organizations running critical or important services across the EU. Think of it as GDPR, but for your security operations rather than your data handling.
National Transposition — Where Things Stand in 2026
The EU deadline for transposing NIS2 into national law was October 2024. Most member states missed it. In May 2025, the European Commission escalated infringement proceedings by sending reasoned opinions to 19 of the 27 member states — including Germany, France, Austria, the Netherlands, Spain, and Poland — for failing to notify full transposition.
National laws are now coming into force through 2025 and 2026. Here is the status for the largest markets:
Germany — NIS2UmsuCG (in force since December 2025)
Germany’s NIS2 implementation law (NIS2UmsuCG) was published on 5 December 2025 and took effect immediately. Over 30,000 companies are affected — approximately 8,250 “particularly important” and 21,600 “important” entities. There are no transition periods: obligations apply once you register with the BSI (Federal Office for Information Security), which must happen within 3 months of self-identification.
Austria — NISG 2026 (effective 1 October 2026)
Austria’s NISG 2026 was published on 23 December 2025 and enters into force on 1 October 2026. Key milestones after that:
- 1 January 2027 — registration with the authority must be completed
- 1 October 2027 — self-declaration on implemented risk management measures due
- 1 October 2028 — earliest point the authority can demand an independent audit
Until 1 October 2026, the existing NISG 2018 remains in force.
Other EU Countries
Belgium, Croatia, Greece, Italy, Lithuania, Malta, Romania, and Slovakia were not subject to the May 2025 infringement action — suggesting they have transposed or are close. The remaining 19 countries (including France, Spain, Netherlands, Poland, and the Nordics) are expected to finalize national legislation through 2026.
Who Is Affected?
NIS2 splits covered organizations into two tiers.
Essential Entities
These face the strictest obligations and proactive supervision from regulators:
- Energy, transport, banking, financial market infrastructure
- Health, drinking water, wastewater
- Digital infrastructure — DNS providers, TLD registries, cloud computing providers, data centers, CDNs
- ICT service management — managed service providers, managed security service providers
- Public administration
Important Entities
Same technical requirements, but supervision is reactive — audits are triggered by incidents or complaints rather than proactively:
- Postal and courier services
- Waste management
- Chemicals, food production
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers — online marketplaces, search engines, social networking platforms
The Size Threshold
The general size threshold is 50+ employees or €10M+ annual turnover. Organizations above this threshold in covered sectors are likely in scope — but sector-specific rules vary, and some critical sectors have no size threshold at all. Check Annex I and II of the directive for the full list of covered sectors and their specific criteria.
You may also be in scope indirectly. If your product serves customers in essential or important sectors, you are part of their supply chain. NIS2 Article 21 explicitly requires covered entities to manage supply chain security. Your customers will start asking you to demonstrate your security posture. Questionnaires, contractual security clauses, and audit rights will become standard parts of enterprise deals.
Key Requirements
1. Risk Management Measures
NIS2 Article 21 lists a minimum set of security measures. These are not suggestions:
- Risk analysis and security policies — documented, reviewed regularly, not just a PDF nobody reads
- Incident handling — defined procedures for detection, response, and recovery
- Business continuity — backup management, disaster recovery, crisis management
- Supply chain security — actually assessing the security practices of your vendors, not just ticking a box
- Secure development practices — vulnerability handling, security in acquisition of network and information systems
- Cryptography policies — encryption at rest and in transit, key management
- Human resources security — access control, need-to-know, security training
- Multi-factor authentication — required for all relevant access points
None of this is unusual. Most of it is standard security hygiene — but the key word is documented. NIS2 requires you to show your work.
2. Incident Reporting
This is the most operationally demanding part. Significant incidents must be reported to your national CSIRT (Computer Security Incident Response Team) on a tight timeline:
- 24 hours: Early warning after you become aware of a significant incident
- 72 hours: Incident notification with initial assessment — severity, indicators of compromise
- 1 month: Final report with full details, root cause, and remediation steps
A “significant incident” is one that causes or could cause severe operational disruption or financial loss, or affects other organizations. The bar is lower than you might expect — this is not only about large data breaches.
3. Supply Chain Security
NIS2 explicitly requires organizations to assess the security practices of their direct suppliers and service providers. This has a cascading effect through the whole ecosystem.
For your own supply chain, you need to evaluate:
- Your cloud and hosting providers — jurisdiction, certifications, security practices
- Third-party software and open source dependencies
- Managed service providers with access to your systems
- SaaS tools that touch sensitive data
How Hosting Choice Impacts NIS2 Readiness
Your infrastructure provider is part of your supply chain. Under NIS2, you need to assess and document their security practices. This makes the hosting decision a compliance question, not just an operational one.
Data Residency and Jurisdiction
NIS2 does not mandate EU-only data storage, but it does require you to manage risks. Data stored outside the EU introduces legal and operational risks that are hard to control. US cloud providers are subject to US law, including CLOUD Act requests, which can conflict with EU data protection obligations. This is not a hypothetical — it is a real tension that your customers’ legal teams will raise.
For organizations serving EU customers in regulated sectors, NIS2-compliant hosting increasingly means hosting that keeps data and operations within EU jurisdiction, with providers that can demonstrate their own security certifications — ISO 27001, SOC 2, BSI C5.
Sovereignty and Control
EU-sovereign infrastructure — hosted and operated entirely within the EU, by EU-based entities — reduces legal and regulatory risk. You know which jurisdiction governs your data, which courts have authority, and which regulators you are accountable to.
This matters because your customers in regulated industries will ask these questions. “Our infrastructure is sovereign, hosted in the EU, operated by an Austrian entity” is a much cleaner answer than explaining the data transfer mechanisms and Standard Contractual Clauses (SCCs) you use with a US hyperscaler.
Certifications and Audit Evidence
NIS2 requires you to document your risk management measures. A hosting provider with relevant certifications gives you audit evidence you can point to. This is much easier than trying to extract equivalent assurances from a large cloud provider’s generic compliance documentation — which tends to be extensive but not specific.
DORA: The Fintech Parallel
If you are building for financial services, you also need to know about DORA — the Digital Operational Resilience Act, which applies from January 2025. DORA overlaps significantly with NIS2 but goes further for financial entities: mandatory ICT risk management frameworks, incident classification and reporting, digital operational resilience testing including penetration testing, and strict requirements for ICT third-party providers.
If you are a vendor selling into financial services, your customers’ DORA obligations will flow down to you contractually. The infrastructure and security practices you need for NIS2 are largely the same ones you need to satisfy DORA supply chain requirements.
Practical NIS2 Checklist
Use this as a starting point, not a substitute for legal review.
Scoping
- Determine size threshold — does your organization have 50+ employees or €10M+ annual turnover? If yes, and you operate in a covered sector, work through the rest of this list.
- Identify your sector — is it listed as essential or important under NIS2? Check Annexes I and II of the directive for the full list.
- Assess customer exposure — even if you are below the threshold, are your customers NIS2-covered entities? If so, their supply chain requirements will flow to you contractually.
Risk Management
- Document your security policies — start with a simple document that lists your access controls, encryption standards, and update procedures. Review it every 6 months. A 5-page document that you actually follow is better than a 50-page one nobody reads.
- Conduct a formal risk assessment — identify your critical systems, the threats they face, and the controls you have in place. Document the results. This does not need to be elaborate — a structured spreadsheet is fine to start.
- Implement MFA — across all administrative access. Use an authenticator app rather than SMS where possible. Document which systems require it and verify it is actually enforced.
- Define encryption standards — at rest and in transit. Document which algorithms you use, where keys are stored, and who has access. If you use a managed key service, note that in your documentation.
Incident Response
- Define “significant incident” — write down what this means for your specific systems. Examples: “any breach of customer data,” “any outage exceeding 4 hours,” “any unauthorized access to production.” Make it concrete enough that your on-call engineer can make the call at 2am.
- Build an incident response runbook — with clear ownership and escalation paths. Who declares an incident? Who drafts the 24h report? Who is the legal contact? Write it down and keep it somewhere everyone can find it.
- Identify your national CSIRT — find your country’s reporting portal at ENISA’s CSIRT inventory and bookmark it. Know the process before you need it.
- Test your incident response — at least annually, actually run through a simulated incident. Assign roles, draft a mock report, time how long it takes. Fix the gaps you find.
Supply Chain
- Inventory critical vendors — cloud, hosting, SaaS tools with data access. A simple list with vendor name, what data they touch, and their certifications is enough to start.
- Collect certifications or questionnaire responses — from key vendors. Ask for their ISO 27001 or SOC 2 certificates. If they cannot provide them, that is itself a risk to document.
- Review contracts — check for security clauses, Data Processing Agreements (DPAs), and audit rights. If a key vendor has no security clauses in your contract, add them at renewal.
- Assess your hosting provider — jurisdiction, certifications, security practices. Can they answer: where does your data physically reside? Who can access it? What certifications do they hold?
Business Continuity
- Document your backup strategy — what is backed up, how often, where backups are stored, and how long restoration takes. Test restoration at least quarterly — a backup you have never restored is not a backup you can rely on.
- Define your RTO and RPO — RTO is how fast you need to recover after an outage. RPO is how much data you can afford to lose. For most services, start with “4 hours recovery, 1 hour data loss” and adjust from there. Write it down, test it quarterly.
- Document your disaster recovery plan — who does what when production goes down? Even a one-page runbook is better than nothing. Include contact lists, escalation paths, and the steps to restore service.
Training and Governance
- Brief leadership — management liability is explicit in the directive. Your CEO and board need to understand what NIS2 requires and sign off on your compliance approach. This is not optional.
- Run security awareness training — for all staff, at least annually. Phishing simulations, password hygiene, how to report suspicious activity. Document who completed it.
- Assign a named owner — for NIS2 compliance. Someone needs to own this, track the checklist, and be the point of contact for audits and incidents.
That Is Exactly Why We Built runtiq
NIS2 compliance is an ongoing operational task. For many companies, the infrastructure part is the hardest — setting up EU-sovereign hosting, collecting certifications, preparing incident reports, documenting your supply chain.
That is exactly why we built runtiq. We take over this burden so you can focus on your product:
- EU-sovereign infrastructure out of the box — your workloads run in EU data centers, operated by an EU-incorporated company. No CLOUD Act exposure. No complex data transfer mechanisms to set up or explain.
- Compliance evidence delivered automatically — certifications, audit reports, and supply chain documentation ready for your next vendor questionnaire. No need to chase your cloud provider for weeks to get a specific answer.
- Incident reporting support — predefined workflows and report templates that help you meet the 24h/72h/1-month NIS2 reporting deadlines. When something happens at 2am, you need structure, not a blank page.
- Business continuity built in — automated backups with documented RTO/RPO guarantees. Your disaster recovery plan for the hosting layer is already written.
For SMEs, the question is not whether NIS2 applies — for most companies above the threshold, it does. The question is how much of the compliance work you want to do yourself versus having your infrastructure provider handle it.
We built runtiq so the answer to your customers’ compliance questions is simple and documented. See our plans for details.