NIS2 and SMEs: Obligations, What to Do, and How to Comply Before the 2026 Deadlines
9 min read · AstraLoop Studio
If you run an SME and think NIS2 is something for big banks or energy multinationals, this article concerns you more than you'd think. The EU cybersecurity directive (transposed into Italian law via Legislative Decree 138/2024) has significantly widened the pool of obligated entities, and 2026 brings the first concrete operational deadlines. The twist that catches most business owners off guard isn't technical. It's the direct, personal liability that falls on you, the CEO, and the board of directors. This is no longer something \"IT takes care of.\"
Here you'll find an operational checklist of obligations, explained in terms of financial risk and legal liability, not specialist jargon. No alarmism, but no downplaying either: the numbers in the 2026 Clusit Report show SMEs are the target of 72% of attacks in Italy, and that changes the calculation of what's worth doing.

Is my company actually obligated? How to find out in 3 questions
Before you panic, check whether you're in scope. NIS2 doesn't apply to every business with a sign on the door. The scope depends on three factors: size, sector, and role in the supply chain. Run this quick check.
- Size: as a rule, companies with at least 50 employees or over €10 million in annual turnover or balance sheet total are in scope. Below these thresholds, you're generally outside the direct obligation (but read the point on the supply chain).
- Sector: you need to operate in one of the \"essential\" or \"important\" sectors listed in the directive's annexes (energy, transport, healthcare, water, digital infrastructure, managed ICT services, manufacturing of certain goods, food, chemicals, waste, space, postal services, and others). Not every sector is covered.
- Supplier to a NIS2 entity: even if you're a micro-business outside the scope, if you're a critical supplier to an obligated company, its supply-chain security obligations will flow down to you contractually.
If you answered \"yes, maybe\" to two of these, you're probably involved. For a case-by-case assessment, we've dedicated an in-depth piece to how to find out if NIS2 applies to your company. The first formal step, in any case, is registering on the ACN (National Cybersecurity Agency) platform: identified entities had to register within the set windows, and the ACN then confirms inclusion in the official lists.
Why this time the ball is on your desk, not IT's
This is the point I want to nail down, because it's the real revolution NIS2 brings compared to the past. Article 20 of the directive (and its Italian transposition) establishes that management and administrative bodies must approve cyber risk management measures, oversee their implementation, and answer for violations. In practice:
- The board and CEO must formally approve security measures. It's not enough for IT to implement them: a conscious resolution is required.
- Leadership has an obligation to be trained on cybersecurity, so they're able to assess risks. Training for executives is mandatory, not optional.
- In case of non-compliance, the ACN can hold individuals in top roles personally liable, up to temporary suspension from executive functions for essential entities in the most serious cases.
Translated into business owner's language: you can no longer say \"I didn't know, the technician handled it.\" The signature on security governance is yours. That's why a structured IT security assessment isn't an IT cost but a governance decision: it exists so you know what you're approving.
Operational checklist: NIS2 obligations, translated into things to do
The directive requires \"appropriate and proportionate technical, operational, and organizational measures.\" Sounds vague, but Article 21 lists ten minimum areas. I've summarized them into an actionable checklist, with the concrete question to ask yourself for each one.
| NIS2 obligation area | What you need in place | Verification question |
|---|---|---|
| Risk analysis and management | A written process that identifies assets and risks | Is there an up-to-date risk assessment document? |
| Incident management | Detection, handling, and notification procedure | Who does what in the first 24 hours of an attack? |
| Business continuity | Backup, disaster recovery, crisis management | Are backups tested and isolated from the network? |
| Supply chain security | Assessment of critical ICT suppliers | Do your supplier contracts include security clauses? |
| Security in development and maintenance | Vulnerability and patch management | How often do you update systems, CMS, and plugins? |
| Effectiveness of measures | Periodic testing and audits | Does anyone verify the defenses actually work? |
| Cyber hygiene and training | Basic training for all staff | Do people know how to recognize phishing? |
| Encryption | Encryption of sensitive data | Is critical data encrypted at rest and in transit? |
| Access control and MFA | Multi-factor authentication, privilege management | Is MFA active on email, VPN, business systems? |
| Human resources and asset security | Policies on devices and staff access | Is there a written BYOD and tools policy? |
If halfway down the questions column you realized you can't answer, that's normal, and it's exactly the signal that you need an initial assessment. Many of these areas overlap with obligations you already know: cybersecurity for SMEs in 2026 is now one single block of overlapping requirements.

The 2026 deadlines to mark on your calendar
2026 is the year NIS2 stops being theory. The ACN has staggered the requirements to avoid overwhelming companies all at once, but the dates are precise. The main ones to watch:
- From January 1, 2026: the obligations to notify significant incidents to the ACN take effect, with the staggered timeline set by the directive: early warning within 24 hours, notification within 72 hours, final report within one month. This is the part that surprises many: failing to report a significant incident is itself a violation.
- By October 2026 (the 18-month window from registration): entities must have implemented the basic security measures set out in the ACN's determinations. This is the \"substantive\" deadline: registering isn't enough, real defenses need to be in place.
Be careful not to confuse registration with compliance: registering on the ACN platform is only the initial formal step. The bulk of the work (and the penalties, if it falls through) lies in the technical and organizational adjustment that follows. You'll find the full calendar with all the windows in our dedicated piece on the 2026 NIS2 deadlines.
How much non-compliance costs: penalties and financial risk
Let's talk money, because that's where the decision gets concrete. NIS2 introduces heavy penalties, calibrated by severity and type of entity:
- Essential entities: up to €10 million or 2% of worldwide annual turnover, whichever is higher.
- Important entities: up to €7 million or 1.4% of turnover.
- On top of this comes the possibility of measures against leadership and, in the most serious cases for essential entities, temporary suspension from executive functions.
But the penalty is only one side. The other is the cost of the incident NIS2 is meant to prevent. The average cost of a ransomware attack for an Italian SME ranges between €35,000 and €250,000 between ransom, operational downtime, and recovery, and in 2026 the trend is shifting toward data corruption and double or triple extortion. If you want the full breakdown of the real damage, we analyzed the real cost of a data breach for an SME, weighing it against the cost of prevention. The detailed breakdown of penalties case by case is covered in our article on NIS2 penalties for businesses.
One connection almost nobody makes: many cyber insurance policies today require a minimum level of security measures to be valid. A well-done audit doesn't just serve NIS2 compliance, it makes you insurable on better terms (or insurable at all).
Not sure where you stand against the NIS2 checklist? Talk to us: we start with an honest assessment of your current state and tell you the real priorities, no smoke and mirrors.
NIS2 isn't alone: how it combines with the AI Act and GDPR
Here's the most common mistake among SMEs: treating NIS2, GDPR, and the AI Act as three separate piles of paperwork. In reality they overlap, and it pays to tackle them together because many measures coincide.
- GDPR: if a NIS2 incident also involves a personal data breach, the obligation to notify the Italian Data Protection Authority (Garante Privacy) within 72 hours kicks in in parallel. These are two tracks that often run side by side.
- AI Act (EU Regulation 2024/1689): from August 2, 2026, obligations for some high-risk systems become operational, with ACN oversight and penalties that can reach up to €35 million or 7% of turnover. If you use or integrate AI systems, cybersecurity requirements stack on top. We cover this in detail in our guide to the 2026 AI Act obligations for SMEs.
There's also a phenomenon almost no company has under control, and it touches all three fronts: Shadow AI. Your employees paste company data into ChatGPT, Gemini, or Copilot to work faster: an estimated 38% share confidential information and 78% use AI tools they brought in themselves. It's a data-leak and GDPR/AI Act violation risk that originates from the inside, with no attack involved. Understanding what Shadow AI is and what risks it carries is now an integral part of a serious NIS2 policy, and it's exactly the kind of organizational measure (a policy on tool usage) the directive requires.
Where to actually start: the first 5 steps
If you've made it this far, you need an order of priority, not more theory. Here's the sequence that makes sense for an SME starting from close to zero.
- Check your scope. Establish with certainty whether and how you're in scope (directly or via the supply chain), and register on the ACN platform within the deadlines.
- Do an honest assessment. A real snapshot of your current state against the checklist above, to understand the gap to the finish line. Not an automated €50 scan: a properly done vulnerability assessment, with a human eye on priorities.
- Close the high-impact, low-cost gaps. MFA everywhere, isolated and tested backups, updated systems and CMS. These are the measures that cut risk the fastest.
- Put governance and procedures in writing. Board resolution on measures, incident notification procedure, policies on suppliers and on tool usage (including AI).
- Train your people. Leadership on risk governance, staff on recognizing corporate phishing, which in 2026 is supercharged by AI with hyper-realistic emails and voice deepfakes.
NIS2 doesn't demand perfection from day one: it demands appropriate and proportionate measures, and above all that you have an active, documented process in place. The difference between a company that gets fined and one that's compliant is often not the technology but the ability to prove you took the risk seriously. And that proof starts at your desk.
Note: this article is for informational purposes only and does not constitute legal advice. For your company's specific obligations, refer to the official texts (Legislative Decree 138/2024, EU Directive 2022/2555) and ACN determinations, or consult a qualified professional.
Frequently asked questions
Does NIS2 also apply to small businesses with under 50 employees?
As a rule, the direct obligation kicks in at 50 employees or €10 million in turnover, in specific sectors. But if you're a critical supplier to a NIS2 entity, its supply-chain security obligations reach you anyway through contract, even if you're a micro-business.
What are the main NIS2 deadlines in 2026?
From January 1, 2026, the obligations to notify incidents to the ACN apply (24h early warning, 72h notification, 1-month final report). Within the 18-month window from registration, roughly October 2026, basic security measures must be implemented.
Why does NIS2 liability fall on the CEO rather than IT?
The directive establishes that management bodies must formally approve security measures, oversee their implementation, and answer for violations. Leadership also has an obligation to be trained. It's no longer something you can delegate: the signature on security governance belongs to leadership.
How high are NIS2 penalties for an SME?
For essential entities, up to €10 million or 2% of worldwide annual turnover; for important entities, up to €7 million or 1.4%. In the most serious cases, measures against leadership and temporary suspension from executive functions are also possible.
Do I need to tackle NIS2, GDPR, and the AI Act separately?
No, it's better to tackle them together since many measures coincide. An incident can trigger a parallel notification to the Garante Privacy (GDPR), and from August 2, 2026, parts of the AI Act become operational. A combined audit cuts costs and duplication.
Where do I start if my company hasn't done anything yet?
In order: check your scope and register on the ACN platform, do an honest assessment of your current state, close the high-impact gaps immediately (MFA, isolated backups, updates), formalize governance and procedures, train leadership and staff.
Want to know for certain whether and how NIS2 affects your company, and where to start? Request a no-obligation initial analysis: we'll tell you where you stand and what's missing.