Cybreach Consulting Prendre RDV
Back to articles
Methodology

NIS2: what it actually changes for your SME

NIS2 (Network and Information Security Directive 2) is the European directive that replaced NIS1 since October 2024. It considerably broadens the scope of affected entities, tightens obligations, and introduces significant sanctions. For many French SMEs, this is the first time a regulatory text obliges them to take cybersecurity seriously, not because it's good practice, but because it's a legal obligation.

Who is affected by NIS2?

NIS2 distinguishes two categories of entities: essential entities (EE) and important entities (EI). The criteria are primarily size and sector of activity.

  • Essential entities: large companies (250+ employees or turnover > €50M) in critical sectors, energy, transport, banking, health, water, digital infrastructure, space.
  • Important entities: mid-sized companies (50-249 employees or turnover €10-50M) in the same critical sectors, plus postal services, waste management, manufacture of critical products, digital services.
  • Smaller entities may also be affected if deemed critical by the Member State, or if they are part of the supply chain of an essential entity.

In France, ANSSI leads implementation. If you are unsure of your status, the first step is to check your sector in the directive's annex and contact ANSSI or a specialist advisor.

What NIS2 actually requires

The directive imposes technical and organisational measures proportionate to the risk. It is not prescriptive about tools, it requires results. Obligations cover in particular:

  • Risk analysis and security policies: map critical assets, identify threats, define documented policies.
  • Incident management: ability to detect, notify and respond to incidents. Notification to ANSSI within 24 hours for significant incidents, full report within 72 hours.
  • Business continuity: backup plans, recovery plans, cyber crisis management.
  • Supply chain security: assessment of the security of critical suppliers and service providers.
  • Testing and audits: regular assessment of the effectiveness of measures in place, this is where the pentest comes in.
  • Training and awareness: regular staff training, including management.

Where the pentest fits within NIS2

NIS2 does not explicitly mandate an annual pentest. But the obligation to conduct "regular tests and audits" to assess the effectiveness of security measures is clearly stated. A pentest is the most direct response to this obligation for exposed digital assets: web applications, APIs, network infrastructure, Active Directory.

A pentest answers two NIS2 questions simultaneously: do we have exploitable vulnerabilities? (risk identification) and do our security measures work as intended? (effectiveness assessment). The pentest report also constitutes documentary evidence in the event of an audit.

NIS2 doesn't say "run a pentest". It says "prove that your measures work". A well-conducted pentest is the strongest evidence you can provide, because it tests reality, not documentation.

What NIS2 does not do for you

NIS2 sets a framework, not a method. The directive does not tell you how to secure your infrastructure, it requires you to demonstrate that you have done so, proportionate to your risk level. This means two companies in the same sector with different risk profiles can have very different NIS2 responses.

This is also why "turnkey NIS2 compliance kit" approaches sold by some providers are risky: they tick documentary boxes without addressing real risks. A list of signed policies is not security. And during an audit or incident, technical reality is what counts.

How to approach NIS2 without drowning

For an SME starting from scratch, the priority is not to read the directive end-to-end, it's to honestly assess current maturity. What is exposed on the internet? Who has access to what internally? What happens if the information system is encrypted for 72 hours?

From these answers, priorities are defined: fix critical exposures first, document next, test regularly. NIS2 does not expect perfection, it expects evidence of a structured approach proportionate to actual risk.

NIS2 is not a documentary compliance exercise. It is an obligation of results on real security. The difference matters when an incident occurs.

Frequently asked questions

  • Is my company affected by NIS2?
    NIS2 distinguishes essential and important entities based on size and sector, and covers far more companies than NIS1. In France, ANSSI leads the rollout: the first step is to check your sector in the directive's annex.
  • What does NIS2 actually require?
    Technical and organisational measures proportionate to the risk. The directive doesn't mandate specific tools: it requires results in risk management, security, and incident notification.
  • Is a pentest enough to be NIS2-compliant?
    No: a pentest lets you verify your security level, but on its own it isn't proof of compliance. It fits into the broader risk-management approach the directive requires.

A question after reading?

Looking to assess where you stand on NIS2 or prepare for compliance? Send a message. No pitch, no automatic quote.

Or book a 30-minute scoping call directly

Book a call