The NIS2 Directive Explained: What SaaS and eCommerce Businesses Actually Need to Do

Remember in my last post about the [EU Cyber Resilience Act](eu-cyber-resilience-act-what-it-means-for-your-business) where I mentioned that pure SaaS products don't fall under the CRA? That they fall under a different regulation instead? Well, that different regulation is the NIS2 Directive. And honestly, for a lot of SaaS and ecommerce businesses, NIS2 might be the one that actually matters more. The NIS2 Directive (officially Directive (EU) 2022/2555) is Europe's overhauled cybersecurity law for critical infrastructure and digital services. It replaced the original NIS Directive from October 2024, and it massively expanded who's covered. We're talking 18 sectors, an estimated 160,000 plus entities across the EU, and fines of up to 10 million euros or 2% of global annual turnover, whichever is higher. If you're running a cloud based SaaS platform, operating an online marketplace, providing managed IT services, or even just running digital infrastructure that other businesses depend on, NIS2 very likely applies to you, even if you're based outside the EU and only serve EU customers from abroad. Let me break down what this means in practical terms, who needs to worry, and what you should be doing right now.

What Is the NIS2 Directive and How Is It Different from the CRA?

Let me clear up the confusion straight away, because the alphabet soup of EU regulations is enough to make anyone's head spin.

The Cyber Resilience Act (CRA) applies to products with digital elements, meaning things you sell, distribute, or ship to users. Think hardware, downloadable software, apps, plugins. If you make a product and put it on the EU market, CRA is your regulation.

The NIS2 Directive applies to services, specifically to entities that provide essential or important services in the EU. Think cloud platforms, SaaS providers, online marketplaces, managed service providers, and digital infrastructure operators. If you run a service that other people or businesses depend on, NIS2 is your regulation.

And then there's GDPR, which applies to personal data handling. You might need to comply with all three. Fun times.

The key difference between NIS2 and the CRA is scope. The CRA is about making products secure before they hit the market. NIS2 is about making sure the organisations running critical services have robust cybersecurity practices in place. CRA requires SBOMs and conformity assessment. NIS2 requires risk management frameworks, incident reporting, and board level accountability.

If you're running a pure SaaS platform with no downloadable components, you're looking at NIS2 (not the CRA). If you ship an app alongside your SaaS, you might need both. Welcome to EU compliance.

Who Does NIS2 Actually Apply To?

This is where most people either panic unnecessarily or dangerously assume they're exempt. Let me be precise.

NIS2 covers entities in 18 sectors divided into two groups.

Sectors of high criticality (Annex I) include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (cloud computing, data centres, DNS service providers, TLD name registries, internet exchange points, CDNs, trust services, telecoms), ICT service management (managed service providers, managed security service providers), public administration, and space.

Other critical sectors (Annex II) include postal and courier services, waste management, chemicals, food production and distribution, manufacturing (including medical devices, electronics, machinery, and vehicles), digital providers (online marketplaces, search engines, social networks), and research.

The size threshold matters. NIS2 generally applies to medium and large enterprises as defined by the EU SME recommendation: 50 or more employees, or annual turnover and balance sheet total both above 10 million euros (a company with fewer than 50 staff that exceeds only one of the two financial ceilings still counts as small). But some entities fall in scope regardless of size, including DNS service providers, TLD name registries, trust service providers, and providers of public electronic communications networks or services. A member state can also pull in smaller entities that are the sole provider of a service essential to society or the economy, or whose disruption would have a significant impact on public safety, security, or health.

There are two categories with different consequences.

Essential entities are large enterprises in Annex I sectors, plus a few categories regardless of size such as qualified trust service providers, TLD name registries, and DNS service providers. They face proactive (ex ante) supervision, meaning regulators come looking for you without waiting for an incident, and fines of up to 10 million euros or 2% of global annual turnover, whichever is higher.

Important entities are medium enterprises in Annex I sectors and the medium and large entities in Annex II sectors that haven't been designated essential. They face reactive (ex post) supervision, meaning regulators act when they receive evidence or indications of non compliance, and fines of up to 7 million euros or 1.4% of global annual turnover, whichever is higher.

Here's a practical example. You run a SaaS company in Vienna with 60 employees and 12 million euros in annual turnover. You provide cloud computing services to EU businesses. That puts you in the digital infrastructure sector under Annex I, classified as an important entity (medium sized in a high criticality sector). You need to comply with NIS2.

Another example. You run an online marketplace built on Solidus selling products across the DACH region. You have 55 employees and 15 million euros turnover. Online marketplaces fall under Annex II (digital providers). You're an important entity. NIS2 applies.

And here's the kicker: if you provide cloud, data centre, CDN, managed (security) services, an online marketplace, a search engine, or a social network in the EU without being established here, Article 26 requires you to designate a representative in one of the member states where you offer the service, and that member state's authority has jurisdiction over you. Being based outside the EU does not put you outside the directive.

The Timeline: Where Are We Now?

Unlike the CRA, which has clear future deadlines, NIS2 is already here. The directive entered into force in January 2023, member states had until 17 October 2024 to transpose it, and from 18 October 2024 it replaced the original NIS Directive. But implementation across member states has been uneven.

Member states were supposed to transpose NIS2 into national law by 17 October 2024. Many missed that deadline. As of early 2026, here's the situation.

Already active: Belgium (fully active since October 2024), Italy, Denmark, Hungary, Croatia, Greece, Finland, Lithuania, Latvia, Malta, Romania, Slovakia, and Slovenia have all transposed NIS2 into national law.

Recently enacted: Germany passed its NIS2 implementation act (NIS2UmsuCG) in November 2025. Essential and important entities must register with the BSI by April 2026.

Still in progress: Austria, France, the Netherlands, Ireland, Poland, Spain, Sweden, and others are still in various stages of transposing the directive. The European Commission has launched infringement proceedings against states that missed the deadline.

In January 2026, the Commission proposed targeted amendments to simplify NIS2 compliance, which should ease the burden for around 28,700 companies. But don't wait for simplifications. The core obligations are here.

What Does NIS2 Actually Require You to Do?

The requirements are extensive but practical. Here's what it comes down to in plain English.

Risk management measures (Article 21). You must implement appropriate and proportionate technical, operational, and organisational measures to manage the risks to the security of your network and information systems. This is a risk based approach, meaning you assess your specific threats and implement proportionate controls, taking into account the state of the art, your size and exposure, and the likely impact of an incident. Article 21(2) spells out 10 minimum measures you need at the very least.

These are: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security aspects of the relationships with your direct suppliers and service providers; (e) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of your cybersecurity risk management measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies and procedures on the use of cryptography and, where appropriate, encryption; (i) human resources security, access control policies, and asset management; and (j) the use of multi factor or continuous authentication, secured voice, video, and text communications, and secured emergency communication systems where appropriate.

That's a proper list. But it's essentially what any well run tech company should be doing anyway.

Incident reporting (Article 23). When a significant incident happens, you have tight deadlines. Within 24 hours of becoming aware, you must submit an early warning to your national CSIRT (Computer Security Incident Response Team) or competent authority, stating whether you suspect the incident was caused by unlawful or malicious acts and whether it could have a cross border impact. Within 72 hours, you must provide an incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. Within one month of that notification, you must submit a final report with a detailed description, the type of threat or root cause, the mitigation measures applied and still ongoing, and any cross border impact. If the incident is still ongoing at that point, you file a progress report instead and the final report within a month of closing it, and the authority can ask for intermediate status updates in between.

A "significant" incident is one that has caused or is capable of causing severe operational disruption of your services or financial loss for you, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non material damage. The trigger is real impact on your service or on others, not every alert that fires.

Board level accountability (Article 20). This is the bit that makes C suite executives sit up and pay attention. Management bodies are explicitly required to approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. They must undergo cybersecurity training themselves and are expected to offer similar training to employees on a regular basis. And here's the sharp end: for essential entities, if an enforcement deadline passes without compliance, the supervisory authority can ask the competent bodies or courts to temporarily prohibit the CEO or legal representative from exercising management functions until compliance is restored (Article 32). This isn't just an IT problem anymore. It's a boardroom problem.

Supply chain security. You must address cybersecurity risks in your supply chain, including the relationships with your direct suppliers and service providers. If you're using third party cloud services, open source libraries, or outsourced development, you need to assess and manage the risks those dependencies create.

Registration. In most member states, entities falling under NIS2 need to register with the relevant national authority. In Germany, that's the BSI. In Belgium, it's the CCB. Check your national implementation for specific registration deadlines and procedures.

How NIS2 Relates to Other Regulations

Let me map out how NIS2 fits alongside the other regulations you might need to worry about.

NIS2 and CRA are complementary. CRA covers the products you sell. NIS2 covers the services you operate. If you sell downloadable software AND operate a cloud service, you may need both.

NIS2 and GDPR overlap on data protection but have different focuses. GDPR is about personal data. NIS2 is about the security of the systems processing that data. In practice, many NIS2 measures (encryption, access controls, incident response) also support GDPR compliance. But they're separate obligations.

NIS2 and DORA both apply to the financial sector. Where they overlap, DORA takes precedence as the sector specific regulation. If you're a SaaS provider serving financial institutions, you may need to comply with both, using DORA as the primary framework for your financial sector clients.

The Pitfalls: Where SaaS and eCommerce Businesses Get Caught Out

Assuming you're too small. The 50 employee threshold is lower than many think, and the financial ceilings count too. A 30 person SaaS company with 12 million euros in turnover and a balance sheet total above 10 million is in scope (under the EU SME definition, a company with fewer than 50 staff only leaves the small category when it exceeds both financial ceilings, so check both numbers rather than just revenue). Some entities are in scope regardless of size.

Ignoring the supply chain obligation. NIS2 explicitly requires you to manage supply chain risks. That means your cloud hosting provider, your third party APIs, your open source dependencies, and your outsourced development team all need to be part of your risk assessment. Whether you're on Hetzner or AWS, you need to understand which controls the provider owns and which remain yours (the shared responsibility model), document that split, and keep the evidence: the provider's certifications and audit reports on one side, your own configuration reviews on the other.

No incident response plan. The 24 hour early warning deadline is brutal. If you don't have monitoring, alerting, and a documented response plan in place, you won't meet it. The good news is that the early warning is deliberately light: you report that an incident is happening, whether you suspect malice, and whether it might cross borders. Root cause analysis can wait for the final report. The bad news is that the clock starts when you become aware, so slow detection and a team that first has to work out who calls whom eat straight into the window.

Management not trained. NIS2 requires board level cybersecurity training. Not just awareness. Actual training that enables management to approve and oversee cybersecurity measures. If your CEO thinks a firewall is a fire safety feature, you've got work to do.

Treating NIS2 as a tick box exercise. National supervisory authorities have real enforcement power. They can conduct on site inspections, demand evidence of compliance, issue binding instructions, and impose fines. For essential entities, supervision is proactive, meaning they'll come looking for you even if nothing has gone wrong.

Not checking your national implementation. NIS2 is a directive, not a regulation. Each member state implements it differently. Austria's version may differ from Germany's, which may differ from France's. You need to check the specific requirements in every country where you provide services.

The Cybersecurity Angle: What This Means in Practice

NIS2 compliance isn't about buying a compliance tool and ticking boxes. It requires genuine, ongoing security practices. Here's what a practical implementation looks like.

Risk assessment framework. Build a formal risk assessment process that identifies your critical assets, evaluates threats and vulnerabilities, and determines proportionate controls. For a Rails based SaaS, your critical assets include your production database, your authentication system, your API endpoints, and your customer data. Map these, assess the risks, and document your controls.

Network and application security. Implement defence in depth. That means firewalls, network segmentation, intrusion detection, web application firewalls, and regular security testing. For Rails applications, that means keeping Rails and all gems updated (running bundler-audit in CI catches known vulnerable gem versions), using Rack::Attack for rate limiting, implementing Content Security Policy headers, and running regular penetration tests with tools like OWASP ZAP, typically from a Kali Linux box.

Identity and access management. NIS2 explicitly requires multi factor authentication. Implement it everywhere: admin panels, production servers, CI/CD pipelines, cloud provider consoles. Use proper role based access control (RBAC) in your application. For Solidus stores, that means locking down the admin backend and segmenting permissions properly.
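To make the MFA requirement concrete, here is an added example (not from the original post, and not Rails or any gem's own code) of how a TOTP second factor works under the hood in plain Ruby: RFC 4226 HOTP, RFC 6238 TOTP on top of it, a constant-time comparison, and a verifier that tolerates one step of clock drift but refuses to accept the same code twice. The secret `12345678901234567890` is the RFC reference test secret, not something to reuse, and the `TotpVerifier` class and method names are my own.

```ruby
require 'openssl'

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret, counter, digits: 6)
  hmac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>')).bytes
  offset = hmac[19] & 0x0f
  code = ((hmac[offset] & 0x7f) << 24) |
         (hmac[offset + 1] << 16) |
         (hmac[offset + 2] << 8) |
         hmac[offset + 3]
  format("%0#{digits}d", code % (10**digits))
end

# RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch.
def totp(secret, unix_time, step: 30, digits: 6)
  hotp(secret, unix_time / step, digits: digits)
end

# Constant-time comparison so a wrong code takes as long to reject as a right one.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifier with +/- one step of tolerance for clock drift and single-use enforcement:
# a code accepted for counter c is never accepted again, which defeats replay within
# the 30-second step. A real app stores the last used counter per user in the database
# instead of in memory; this hash is an assumption for the example.
class TotpVerifier
  def initialize(secret, step: 30, digits: 6, window: 1)
    @secret, @step, @digits, @window = secret, step, digits, window
    @used_counters = {}
  end

  def verify(code, now: Time.now.to_i)
    base = now / @step
    (-@window..@window).each do |drift|
      counter = base + drift
      next if counter.negative? || @used_counters[counter]
      next unless secure_equal?(hotp(@secret, counter, digits: @digits), code.to_s)
      @used_counters[counter] = true
      return true
    end
    false
  end
end

if __FILE__ == $0
  secret = '12345678901234567890'   # RFC 6238 reference secret (ASCII), not a production key
  puts totp(secret, 59)             # 287082, the RFC test vector at T=59
  verifier = TotpVerifier.new(secret)
  puts verifier.verify('287082', now: 59)  # true
  puts verifier.verify('287082', now: 61)  # false: that counter was already used
end
```

The single-use check is the part most off-the-shelf tutorials leave out: without it, a code phished in the first seconds of a step is still good for the rest of it, and with a drift window it stays good for up to 90 seconds.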

Encryption. Encrypt data at rest and in transit. TLS 1.2 or newer for all connections, with TLS 1.3 wherever you control both ends. Encrypted database fields for sensitive data. Encrypted backups, with the keys kept separate from the backups themselves. For Rails applications, use Active Record Encryption for sensitive attributes (it uses AES-256-GCM by default) and ensure your database connections use SSL and verify the server certificate rather than merely enabling encryption.
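As an added illustration (my own code, not Active Record Encryption's implementation), here is what authenticated per-field encryption looks like in plain Ruby with OpenSSL, using the same AES-256-GCM primitive. It shows the two properties worth understanding before you encrypt a column: binding a row-specific context as additional authenticated data makes tampering and copying a ciphertext between rows detectable, and a deterministic mode trades equality leakage for the ability to query the column. The `FieldCipher` name and the `users.iban:42` context string are assumptions for the example; the key is derived from a fixed string only so the demo runs offline.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Per-field authenticated encryption with AES-256-GCM. The stored blob carries the
# nonce, the ciphertext and the GCM tag, so any change to the stored value (or a
# decrypt under the wrong context) fails loudly instead of returning garbage.
class FieldCipher
  ALGO = 'aes-256-gcm'
  NONCE_BYTES = 12

  # deterministic: true derives the nonce from the plaintext, so equal plaintexts give
  # equal ciphertexts. That is what makes `WHERE email = ?` work on an encrypted column,
  # at the cost of revealing which rows share a value. Use it only where you must query.
  def initialize(key, deterministic: false)
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
    @key = key
    @deterministic = deterministic
  end

  # context (e.g. "users.iban:42") is bound as additional authenticated data, so a
  # ciphertext moved to another row or column no longer decrypts.
  def encrypt(plaintext, context: '')
    nonce = if @deterministic
              OpenSSL::HMAC.digest('sha256', @key, plaintext)[0, NONCE_BYTES]
            else
              SecureRandom.random_bytes(NONCE_BYTES)
            end
    cipher = OpenSSL::Cipher.new(ALGO).encrypt
    cipher.key = @key
    cipher.iv = nonce
    cipher.auth_data = context unless context.empty?
    ciphertext = plaintext.empty? ? ''.b : cipher.update(plaintext)
    ciphertext << cipher.final
    Base64.strict_encode64(JSON.generate(
      n: Base64.strict_encode64(nonce),
      c: Base64.strict_encode64(ciphertext),
      t: Base64.strict_encode64(cipher.auth_tag)
    ))
  end

  # Raises OpenSSL::Cipher::CipherError if the blob or the context was altered.
  def decrypt(blob, context: '')
    parts = JSON.parse(Base64.strict_decode64(blob))
    decipher = OpenSSL::Cipher.new(ALGO).decrypt
    decipher.key = @key
    decipher.iv = Base64.strict_decode64(parts['n'])
    decipher.auth_tag = Base64.strict_decode64(parts['t'])
    decipher.auth_data = context unless context.empty?
    ciphertext = Base64.strict_decode64(parts['c'])
    plain = ciphertext.empty? ? ''.b : decipher.update(ciphertext)
    plain << decipher.final
    plain.force_encoding(Encoding::UTF_8)
  end
end

if __FILE__ == $0
  # Demo key only: in production the key comes from a KMS or credentials store.
  key = OpenSSL::Digest.new('SHA256').digest('demo key, never do this in production')
  cipher = FieldCipher.new(key)
  blob = cipher.encrypt('AT61 1904 3002 3457 3201', context: 'users.iban:42')
  puts cipher.decrypt(blob, context: 'users.iban:42')
end
```

The usual mistake this guards against is storing ciphertexts with no authentication or no context: an attacker with write access to the database can then swap one customer's encrypted IBAN into another customer's row, and the application decrypts it happily.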

Monitoring and logging. You need to know when something goes wrong, and fast: the 24 hour reporting clock starts when you become aware of an incident, so detection latency is awareness latency. Implement centralised logging, security monitoring, and anomaly detection. Tools like Grafana and Prometheus for infrastructure monitoring, combined with application level security event logging (failed logins, privilege changes, admin actions) and alerting, give you the visibility you need.
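To show what "detection feeds the reporting clock" means in practice, here is an added example in plain Ruby, not code from the post or from any monitoring product: a sliding-window brute force detector run over a constructed key=value authentication log, with the Article 23 deadlines computed from the detection time. The log format, the IP addresses (documentation ranges) and the usernames are made up for the example, and `detect_bruteforce` and `article23_deadlines` are my own names.

```ruby
require 'time'
require 'date'

# Constructed sample lines in a hypothetical key=value auth log (not a Rails or
# vendor format). One IP fails five logins in twenty seconds; a second IP has a
# single failure 45 minutes later and must not trigger an alert.
SAMPLE_AUTH_LOG = <<~LOG
  2026-02-03T09:00:01Z event=login_failed ip=203.0.113.7 user=alice
  2026-02-03T09:00:04Z event=login_failed ip=203.0.113.7 user=bob
  2026-02-03T09:00:09Z event=login_ok ip=198.51.100.2 user=carol
  2026-02-03T09:00:12Z event=login_failed ip=203.0.113.7 user=dave
  2026-02-03T09:00:15Z event=login_failed ip=203.0.113.7 user=erin
  2026-02-03T09:00:20Z event=login_failed ip=203.0.113.7 user=frank
  2026-02-03T09:45:00Z event=login_failed ip=198.51.100.2 user=carol
LOG

def parse_auth_line(line)
  timestamp, rest = line.strip.split(' ', 2)
  fields = rest.scan(/(\w+)=(\S+)/).to_h { |k, v| [k.to_sym, v] }
  fields.merge(time: Time.iso8601(timestamp))
end

# Sliding-window detector: alert when one source IP accumulates `threshold` failed
# logins within `window` seconds. Alerting once per burst keeps the pager quiet.
# The alert records the first failure (earliest evidence you held) and the detection
# time (when awareness, and therefore the 24 hour clock, plausibly starts).
def detect_bruteforce(log, threshold: 5, window: 300)
  failures_by_ip = Hash.new { |h, k| h[k] = [] }
  alerts = []
  log.each_line.map { |l| parse_auth_line(l) }
     .select { |e| e[:event] == 'login_failed' }
     .each do |e|
    recent = failures_by_ip[e[:ip]]
    recent << e[:time]
    recent.shift while recent.first < e[:time] - window
    next if recent.size < threshold
    alerts << { ip: e[:ip], attempts: recent.size, first_seen: recent.first, detected_at: e[:time] }
    recent.clear
  end
  alerts
end

# Article 23 clock from the moment you become aware of a significant incident:
# early warning within 24 h, incident notification within 72 h, final report
# within one month of that notification.
def article23_deadlines(aware_at)
  aware = aware_at.to_datetime
  notification = aware + 3
  {
    early_warning: aware + 1,
    incident_notification: notification,
    final_report: notification >> 1
  }
end

if __FILE__ == $0
  detect_bruteforce(SAMPLE_AUTH_LOG).each do |a|
    puts "ALERT #{a[:ip]}: #{a[:attempts]} failed logins since #{a[:first_seen].utc.iso8601}"
    article23_deadlines(a[:detected_at]).each { |k, t| puts "  #{k}: #{t.to_time.utc.iso8601}" }
  end
end
```

Whether a burst of failed logins is itself a significant incident is a judgement call under the Article 23 definition; the point of the example is that the timestamps you need for that judgement, and for the early warning if it comes to that, only exist if the detection is in place before the event.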

Business continuity and disaster recovery. NIS2 requires backup management, disaster recovery planning, and crisis management procedures. Test your backups. Run disaster recovery drills. Document your recovery time objectives and recovery point objectives. Know exactly how long it takes to restore your service from scratch.

Cybersecurity training. Everyone needs training, from developers to management. Developers should understand secure coding practices, the OWASP Top 10, and your incident response procedures. Management needs to understand the threat landscape and their legal obligations under NIS2.

How I Can Help: SaaS, eCommerce, and Growth That Doesn't Cut Corners

This is where everything I do comes together. I don't just build SaaS platforms and ecommerce stores. I build them to be secure, compliant, and resilient from the start.

NIS2 readiness assessments. I help SaaS and ecommerce businesses figure out whether NIS2 applies to them, which category they fall into, and what gaps exist between their current security posture and NIS2 requirements. This includes mapping your services against the sector definitions, assessing your size threshold, and identifying your national registration obligations.

Secure SaaS architecture on Ruby on Rails. I design and build Rails based SaaS platforms with NIS2 compliance baked into the architecture. That means encrypted data handling, multi factor authentication, role based access controls, comprehensive logging, automated security scanning, and documented incident response procedures. Every architectural decision considers the security implications.

Solidus ecommerce with NIS2 in mind. If your Solidus store qualifies as an online marketplace (and if you have 50 plus employees or 10 million plus in turnover, it might), NIS2 applies. I help Solidus merchants implement the technical and organisational measures NIS2 requires: secure payment processing, customer data encryption, access controls, vulnerability management, and business continuity planning.

Supply chain risk management. I audit your entire technology supply chain, from hosting providers to third party gems and npm packages, and help you build a documented risk management framework that satisfies NIS2's supply chain security requirements. This includes evaluating your cloud provider's security certifications, assessing open source dependency risks, and establishing vendor security requirements.

Penetration testing and security audits. Using Kali Linux and industry standard tools (Nmap, Burp Suite, Metasploit, OWASP ZAP), I conduct thorough security assessments that directly feed into your NIS2 risk management documentation. Every finding is documented with severity ratings, business impact analysis, and remediation guidance.

Incident response planning. I build and test incident response plans that meet NIS2's reporting deadlines. That includes setting up monitoring and alerting, defining escalation procedures, creating communication templates, and running tabletop exercises to make sure everyone knows what to do when something happens.

Growth hacking that respects security. This is my differentiator. Most growth hackers add tracking scripts, third party widgets, and marketing tools without thinking about the security or compliance implications. I build growth systems that are NIS2 compliant by design: first party analytics, secure form handling, privacy respecting attribution, and marketing automation that doesn't introduce new attack vectors into your platform.

What You Should Do Right Now

Here's your practical action plan.

First, determine if NIS2 applies. Check your sector, your size (employees and turnover), and the countries where you provide services. If in doubt, assume it applies.

Second, identify your national obligations. NIS2 is implemented differently in each member state. Check the specific requirements in every country where you operate. In Germany, check with the BSI. In Austria, monitor the national transposition process.

Third, register if required. Many national implementations require entities to self register with the competent authority. Don't miss your deadline.

Fourth, conduct a gap analysis. Map NIS2's 10 minimum risk management measures against your current practices. Where are the gaps? Prioritise them by risk.

Fifth, get your board involved. NIS2 makes management personally accountable. Brief your leadership team on their obligations. Arrange cybersecurity training. Make sure cybersecurity is a standing agenda item.

Sixth, build your incident response capability. You need to be able to detect, assess, and report incidents within 24 hours. If you can't do that today, this is your number one priority.

Seventh, document everything. Supervisory authorities will want evidence. Document your risk assessments, your security measures, your training records, your incident response plans, and your supply chain assessments.

NIS2 is not going away. If anything, it's only going to get stricter. But the businesses that treat it as an opportunity to build genuine security and resilience rather than a compliance burden will come out ahead. Better security means fewer breaches, more customer trust, and a genuine competitive advantage.

And if you need help getting there, particularly with Ruby on Rails, Solidus, or custom SaaS platforms, that's what I do. Let's talk.

Not sure if NIS2 applies to your SaaS or ecommerce business? Need help implementing the risk management measures, incident response plans, and security practices the directive requires? I specialise in building secure, compliant platforms on Ruby on Rails and Solidus. Let's figure out your obligations and build a plan. Get in touch.

The NIS2 Directive Explained: What SaaS and eCommerce Businesses Actually Need to Do - Georg Keferböck