
Which companies are subject to NIS2 and how to really find out

Find out which companies fall under the NIS2 directive, who is obligated, how to verify your position, and what to do immediately.

2026-04-28

The most searched question: are we obligated?

This is the first question almost every company asks when they hear about NIS2.

However, the answer is not always immediate.

Many companies think they are not included, when in reality they are already involved.

It's not just about large infrastructures

NIS2 is not just designed for energy, telecommunications, or major national operators.

It also involves:

  • healthcare
  • logistics
  • transport
  • cloud providers
  • digital services
  • schools and universities
  • public administration
  • critical manufacturing
  • strategic supply chains
  • suppliers of essential entities

And this is precisely where many companies underestimate the risk.

Company size also matters

Number of employees, turnover, operational impact, and role in the supply chain can completely change the assessment.

It is not enough to say:

“we are not a large company”

to be excluded.

Suppliers can also be included

Many companies discover they are indirectly involved because they work with clients who fall fully under the directive.

The supply chain is one of the most critical points.

How to really verify it

You need a serious gap analysis.

Not an assumption.

You must evaluate:

  • sector
  • size
  • operational dependencies
  • service criticality
  • systemic risk
  • real exposure

The most expensive mistake

Waiting.

Many companies only address NIS2 when a formal request or an incident arrives.

At that point, the cost is always higher.

Conclusion

The real question is not:

“are we obligated?”

but:

“if we were already included, would we realize it in time?”