NIS2 for small businesses: when are you suddenly obliged?

Many smaller companies assume today that the NIS2 directive does not apply to them. In many cases, that is correct, but you don't have to fall under NIS2 today to be confronted with it tomorrow. Growth, new customers, or a small strategic change can mean you suddenly fall within its scope.

Which companies are covered by the NIS2 obligation?

The legislation distinguishes between essential and important sectors. Below is an overview of the sectors as laid down by the European Commission:

Essential sectors (strict NIS2 obligations)

  • Energy (gas, electricity, oil)
  • Transport (air, rail, road, water)
  • Banking and financial markets
  • Healthcare (hospitals, laboratories)
  • Drinking and wastewater
  • Digital infrastructure (telecoms, DNS, cloud, data)
  • ICT services & MSPs
  • Government institutions and public administration
  • Space

Important sectors (also mandatory, depending on size)

  • Postal and courier services
  • Waste management (treatment & disposal)
  • Chemicals (production & distribution)
  • Food production and processing
  • General production and supply
  • Digital providers (marketplaces, social media, search engines)
  • Research institutions and R&D

NIS2 primarily applies to medium-sized and large companies (≥50 employees or ≥€10 million turnover) in both essential and important sectors. In exceptional cases, smaller organisations may also fall under NIS2, for example, when they play a critical role or are explicitly designated as important. Furthermore, if you collaborate with an organisation subject to NIS2, you may indirectly face the same requirements through contracts and audits.

Why are small businesses often not yet working on NIS2?

Because NIS2 primarily applies to companies with more than 50 employees or an annual turnover exceeding €10 million, many smaller organisations are not yet dealing with it. Cybersecurity often only gains priority when there is a concrete obligation or reason. But that reasoning doesn't account for how quickly a company can grow or change. What isn't applicable today may suddenly become relevant tomorrow.

In which situations might you suddenly fall under NIS2?

There are various scenarios where companies might face NIS2 sooner than expected. These often relate to growth, collaboration, or strategic choices.

1. You're growing faster than expected

Growth is positive, but it also brings new responsibilities. When your organisation expands in terms of staff or revenue, you can relatively quickly exceed the thresholds. This often happens in a short period, especially with scale-ups.

Many companies first invest in sales, operations, or product development. Cybersecurity only follows later, creating a gap just as stricter expectations begin to take effect.

2. You gain a customer who is subject to NIS2

Even if you don't fall under NIS2 yourself, you can be affected indirectly through your customers. Organisations that do fall under the NIS2 directive are obliged to secure their supply chains more effectively. In concrete terms, this means they will also scrutinise their suppliers. In practice, this translates to:

  • Security questionnaires during sales processes
  • Stricter contract terms
  • Audits of controls

Security therefore also becomes a contractual condition. If you are not compliant, you will have a competitive disadvantage compared to compliant competitors.

3. Your activities are moving towards a critical sector

You don't have to be an energy company or hospital to fall within the scope. Companies that supply services to these sectors, or that start working more closely with them, may also come under increased scrutiny. Consider, for example:

  • Software companies developing solutions for the healthcare sector
  • IT partners who support infrastructure in logistics or industry
  • Organisations that begin processing sensitive data

A relatively small strategic shift can be enough to end up in a context where stricter requirements apply.

4. You become part of a larger group

During an acquisition or merger, your position often changes faster than you expect. When you become part of a larger organisation that *does* fall under NIS2, it becomes logical for security and compliance to be aligned across the entire group. This means your organisation will also have to comply with certain standards, even if they weren't applicable before.

5. You expand to other countries

International growth brings added complexity. Although the NIS2 Directive is a European directive, it is implemented at a national level. This means that there can be differences in interpretation, oversight, and enforcement. For companies operating in multiple countries, this can lead to:

  • Stricter local expectations
  • Additional checks
  • Higher demands from international customers

What is not yet a requirement in Belgium today could become a necessity more quickly in another country.

Why you're better off starting the implementation of NIS2 now

Many companies don't see NIS2 as urgent yet, especially if they are currently below the thresholds. But waiting until it becomes mandatory can have significant consequences:

  • Missing out on contracts: Customers expect your security to be in order.
  • Additional audits and checks: Organisations subject to NIS2 will strictly vet their suppliers.
  • Last-minute measures: Putting everything in order at once costs time, money, and stress.

By starting with a NIS2 audit now, you gain an advantage:

  • Understanding your current security level: Know where you stand before it becomes urgent.
  • Identifying risks: Discover the biggest focal points for your organisation.
  • Prioritising: Plan your improvements in phases, so you don't have to act under pressure.
  • Building trust with customers: Demonstrate a proactive approach to security and compliance.

VanRoey can support you with that. With a NIS2 readiness audit, we quickly map out your current situation, identify key areas for improvement, and help you step by step towards full compliance.

Author

Article written by

Anke De Wulf
Digital Marketing Specialist at VanRoey

Anke has been working at VanRoey as a Digital Marketing Specialist since 2025. She keeps VanRoey findable and visible online through her passion for SEA, SEO and social media marketing.

“Growth, new customers, or strategic choices could suddenly make you NIS2-liable.”
