NIS2 Compliance for Small Businesses: The Ultimate 2026 Checklist

NIS2 enforcement started in October 2024. There is no grace period. There is no "we're working on it" exemption for small businesses. If your organization falls under the directive, the obligations are active now.

The fines are real: up to €10,000,000 or 2% of global annual turnover for Essential Entities, up to €7,000,000 or 1.4% for Important Entities — whichever is higher. Your national competent authority (NCA) administers enforcement, and the first wave of formal audits is already underway in several member states.

Most NIS2 compliance guides are written for enterprise legal and security teams. This one is written for the IT manager, founder, or sysadmin at a 30–200 person business who needs to know exactly what to do, in what order, and what constitutes sufficient evidence.

Step 0: Confirm Whether NIS2 Applies to You

Before building a compliance program, confirm your scope. NIS2 applies to medium-sized and larger organizations — 50+ employees or €10M+ annual turnover — operating in covered sectors.