NIS2 for small business: how it affects you.
NIS2 is the European cybersecurity directive that most of you have probably received at least one anxious email about. The good news: for most small companies, the panic is unwarranted. The less good news: “it doesn’t apply to me directly” is not the same as “it doesn’t reach me at all.” Let’s separate the two, calmly.
Who it applies to directly
NIS2 (the EU’s network and information security directive) applies first to medium and large companies in sectors deemed essential or important: energy, transport, healthcare, digital infrastructure, certain types of manufacturing, and others like them. The rough threshold starts at 50 employees or €10 million in turnover, within the covered sectors, and in Romania the authority that supervises the field is DNSC.
If you run a 15-person company doing accounting, retail, or ordinary services, you are most likely not on the list of directly regulated entities. Before you breathe out, read on anyway.
How it still reaches you: through your clients
The directive requires regulated companies to verify the security of their supply chain, and if you supply one of them, that supply chain includes you. In practice this turns into security questionnaires, new contract clauses, and sometimes audits requested by the client. For many small companies, the first encounter with NIS2 is not a fine; it is a spreadsheet with a hundred questions, sent over by their largest client.
At that point, “we’ve got someone who knows his way around computers” is no longer an answer. The client wants to see concrete things: backups taken and verified, controlled access to data, updates kept current, and a record of incidents and how they were resolved.
What to do, without panic
The reassuring part is that the baseline NIS2 requirements are, broadly, the IT hygiene a serious company should have anyway: backups taken and verified, updates applied on time, passwords and access kept in order, and a clear way to respond when an incident occurs. Nothing exotic, just maintenance and discipline, done consistently rather than once a year.
Our recommendation is simple. Don’t buy a “NIS2 package” under the pressure of an email, and don’t ignore the subject entirely either. Start with the concrete question instead: if tomorrow your largest client asks you for proof of security, what do you show them? If the answer is “I’m not really sure,” that is where you begin, and an ordinary on-site IT audit shows you exactly where you stand. For the precise legal classification of your company, the correct source remains DNSC, not marketing emails.