    NIS2 and SMEs: How IT Mapping Helps You Achieve Compliance

    Concrete NIS2 directive obligations for SMEs: discover how mapping your IT system helps you achieve compliance and pass audits successfully.

    March 20, 2026
    8 min read
    Frédéric Le Bris

    CEO & Co-founder

    The NIS2 Directive (Network and Information Security Directive 2) represents the most significant overhaul of cybersecurity regulation in the European Union since the original NIS Directive of 2016. While the first directive primarily targeted large operators of essential services, NIS2 dramatically expands the scope to include thousands of mid-market companies and SMEs that were previously unaffected.

    If your company operates in a covered sector and meets the size thresholds, NIS2 compliance is not optional -- it is a legal obligation with substantial penalties for non-compliance. Yet for many SME leaders, the path from awareness to compliance remains unclear.

    This article cuts through the regulatory complexity to explain what NIS2 requires, who it applies to, and -- most importantly -- how IT mapping provides the structural foundation for achieving and maintaining compliance.

    What Is NIS2 and Who Does It Affect?

    The Directive in Brief

    NIS2 (Directive (EU) 2022/2555) was adopted by the European Parliament in November 2022. EU Member States were required to transpose it into national law by October 17, 2024. The directive establishes a common set of cybersecurity requirements for organizations operating in sectors deemed critical to the European economy and society.

    The key changes from the original NIS Directive include:

    • Dramatically expanded scope. NIS2 covers 18 sectors (up from 7), divided into "essential" and "important" entities.
    • Size-based inclusion. Companies with 50 or more employees or annual revenue exceeding EUR 10 million in covered sectors are automatically in scope. Member States may also designate smaller companies if they play a critical role.
    • Management accountability. Senior management can be held personally liable for non-compliance, including potential temporary bans from management functions.
    • Harmonized penalties. Fines of up to EUR 10 million or 2% of global annual turnover (whichever is higher) for essential entities, and EUR 7 million or 1.4% for important entities.
    • Mandatory incident reporting. Organizations must report significant cybersecurity incidents within 24 hours (initial notification) and provide a full report within 72 hours.

    Covered Sectors

    Essential entities (Annex I):

    • Energy (electricity, oil, gas, hydrogen, district heating)
    • Transport (air, rail, water, road)
    • Banking and financial market infrastructure
    • Health (hospitals, laboratories, medical device manufacturers)
    • Drinking water and wastewater
    • Digital infrastructure (DNS, TLD registries, cloud providers, data centers, CDN)
    • ICT service management (managed service providers, managed security providers)
    • Public administration
    • Space

    Important entities (Annex II):

    • Postal and courier services
    • Waste management
    • Manufacturing of critical products (chemicals, medical devices, electronics, machinery, motor vehicles)
    • Food production, processing, and distribution
    • Digital providers (online marketplaces, search engines, social networks)
    • Research organizations

    Are You in Scope?

    Use this quick assessment:

    1. Does your company operate in one of the 18 sectors listed above?
    2. Does your company have 50 or more employees, OR annual revenue exceeding EUR 10 million?
    3. Has your national authority designated your company as in scope regardless of size?

    If you answered yes to question 1 AND question 2 (or question 3), your organization falls under NIS2.

    What NIS2 Actually Requires

    The directive mandates that in-scope organizations implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. Article 21 specifies the minimum measures, which include:

    1. Risk analysis and information system security policies
    2. Incident handling (prevention, detection, response, recovery)
    3. Business continuity and crisis management (backup management, disaster recovery)
    4. Supply chain security (including assessment of suppliers and service providers)
    5. Security in network and information systems acquisition, development, and maintenance (including vulnerability handling and disclosure)
    6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
    7. Basic cyber hygiene practices and cybersecurity training
    8. Policies on the use of cryptography and encryption
    9. Human resources security, access control policies, and asset management
    10. Use of multi-factor authentication (MFA), secured communication, and secured emergency communication

    For SMEs, the critical phrase is "appropriate and proportionate." NIS2 does not require every company to implement the same controls as a major bank. The measures must be proportionate to the organization's size, the nature of its operations, the severity of potential incidents, and the likelihood of their occurrence.

    Why IT Mapping Is the Foundation of NIS2 Compliance

    Reading through the NIS2 requirements, a pattern emerges: nearly every obligation presupposes that the organization knows what IT assets it has, how they are connected, and what data they process. Without this foundational visibility, compliance is impossible.

    Here is how IT mapping directly supports each major NIS2 requirement:

    Asset Management and Inventory (Article 21.2.i)

    NIS2 requires organizations to maintain an inventory of their IT assets. This is not limited to hardware -- it includes applications, data stores, cloud services, and integration points.

    What IT mapping provides:

    • A centralized, continuously updated catalog of all applications and infrastructure components
    • Classification of assets by criticality and sensitivity
    • Ownership assignment for every asset (who is responsible for its security and maintenance)

    Risk Analysis (Article 21.2.a)

    Meaningful risk analysis requires understanding what assets you have, what data they process, and how they are interconnected. A risk that seems isolated in one system may propagate through integration pathways to affect critical business processes.

    What IT mapping provides:

    • Visual representation of application interdependencies, making it possible to assess how a compromise in one system could cascade to others
    • Identification of single points of failure where one application supports multiple critical processes
    • Data flow maps that show where sensitive data resides and how it moves between systems

    Incident Handling (Article 21.2.b)

    When a cybersecurity incident occurs, response speed depends on understanding the blast radius. Which systems are affected? What data may have been compromised? Which business processes are disrupted?

    What IT mapping provides:

    • Immediate visibility into which applications are connected to the compromised system
    • Ability to assess impact on business processes within minutes rather than hours
    • Documentation of system ownership, enabling rapid notification of the right stakeholders
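    To make the two preceding points concrete (cascade analysis for risk assessment, and blast radius plus owner lookup for incident handling), here is an added Python example; it is not part of the original article or of UrbaHive's product, and the inventory, process names and owners are constructed sample data for a hypothetical SME.

```python
from collections import deque

# Constructed sample IT map of a hypothetical SME (not real data): for each
# application the components it depends on; infrastructure depends on nothing.
DEPENDS_ON = {
    "webshop": {"erp", "payment-gw", "idp"},
    "erp": {"db-cluster", "idp"},
    "payment-gw": {"idp"},
    "reporting": {"db-cluster"},
    "db-cluster": set(),
    "idp": set(),
}
# Business processes each application supports, and the owner of each asset.
SUPPORTS = {
    "webshop": {"online sales"},
    "erp": {"order fulfilment", "invoicing"},
    "payment-gw": {"online sales"},
    "reporting": {"management reporting"},
}
CRITICAL_PROCESSES = {"online sales", "order fulfilment", "invoicing"}
OWNERS = {"webshop": "ecommerce-team", "erp": "finance-it", "payment-gw": "finance-it",
          "reporting": "bi-team", "db-cluster": "infra-team", "idp": "infra-team"}

def blast_radius(compromised, depends_on=DEPENDS_ON):
    """Every application transitively affected if `compromised` is lost (BFS up the dependency edges)."""
    affected, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for app, deps in depends_on.items():  # anything depending directly on `cur` is hit too
            if cur in deps and app not in affected:
                affected.add(app)
                queue.append(app)
    return affected

def impacted_processes(compromised, depends_on=DEPENDS_ON, supports=SUPPORTS):
    """Business processes disrupted anywhere in the blast radius."""
    return set().union(*(supports.get(a, set()) for a in blast_radius(compromised, depends_on)))

def owners_to_notify(compromised, depends_on=DEPENDS_ON, owners=OWNERS):
    """Stakeholders to alert: the owner of every affected asset."""
    return {owners[a] for a in blast_radius(compromised, depends_on) if a in owners}

def single_points_of_failure(depends_on=DEPENDS_ON, supports=SUPPORTS,
                             critical=CRITICAL_PROCESSES, min_hit=2):
    """Components whose loss alone would disrupt at least `min_hit` critical processes."""
    spofs = {}
    for comp in depends_on:
        hit = impacted_processes(comp, depends_on, supports) & critical
        if len(hit) >= min_hit:
            spofs[comp] = hit
    return spofs
```

    Run against the sample map, the identity provider and the database cluster surface as single points of failure even though neither supports a business process directly, which is exactly the kind of hidden dependency a flat asset list does not reveal.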

    Supply Chain Security (Article 21.2.d)

    NIS2 extends security requirements to the supply chain. Organizations must evaluate the cybersecurity posture of their suppliers and service providers, particularly those with access to the company's network or data.

    What IT mapping provides:

    • A complete view of which vendors provide which applications and services
    • Identification of dependencies on third-party cloud services, APIs, and managed platforms
    • Ability to assess concentration risk (too many critical services from a single vendor)

    Business Continuity (Article 21.2.c)

    Disaster recovery and business continuity planning require knowing which systems support which business processes, in what priority order, and with what recovery time objectives.

    What IT mapping provides:

    • Mapping between applications and the business processes they support
    • Identification of which applications are critical (supporting revenue-generating or legally required processes) versus non-critical
    • Data to define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each application based on business impact

    A Practical NIS2 Compliance Checklist for SMEs

    Use this checklist to assess your readiness and prioritize actions:

    Governance and Organization

    • [ ] Identify whether your company falls in scope as an essential or important entity
    • [ ] Inform senior management of their personal liability under NIS2
    • [ ] Designate a cybersecurity responsible person (CISO or equivalent function)
    • [ ] Establish a cybersecurity policy approved by management
    • [ ] Define roles and responsibilities for cybersecurity across the organization
    • [ ] Implement a cybersecurity training program for all employees

    Asset Visibility and IT Mapping

    • [ ] Create a comprehensive inventory of all IT assets (applications, infrastructure, cloud services)
    • [ ] Classify assets by criticality level (critical, important, standard)
    • [ ] Map interdependencies between applications and systems
    • [ ] Document data flows, especially for personal and sensitive data
    • [ ] Identify and document all third-party providers and their access to your systems
    • [ ] Assign an owner for every application and infrastructure component
    • [ ] Establish a process for keeping the inventory current (not a one-time exercise)

    Risk Management

    • [ ] Conduct a formal cybersecurity risk assessment based on your asset inventory
    • [ ] Identify and document risks for each critical application and data flow
    • [ ] Define risk treatment plans (mitigate, accept, transfer, avoid) for identified risks
    • [ ] Review and update the risk assessment at least annually

    Incident Management

    • [ ] Define an incident response plan with clear escalation procedures
    • [ ] Establish a 24-hour initial notification capability (who reports, to whom, through what channel)
    • [ ] Prepare templates for the 72-hour detailed incident report
    • [ ] Conduct at least one tabletop incident response exercise per year
    • [ ] Identify the national CSIRT or competent authority for your sector and establish the reporting relationship

    Technical Controls

    • [ ] Implement multi-factor authentication (MFA) for all critical systems and remote access
    • [ ] Deploy endpoint protection on all devices
    • [ ] Establish a vulnerability management process (patch management, vulnerability scanning)
    • [ ] Implement network segmentation to limit blast radius of incidents
    • [ ] Encrypt sensitive data at rest and in transit
    • [ ] Implement backup and recovery procedures and test them regularly

    Supply Chain

    • [ ] Inventory all suppliers with access to your IT systems or data
    • [ ] Assess the cybersecurity posture of critical suppliers
    • [ ] Include cybersecurity requirements in supplier contracts
    • [ ] Monitor supplier security performance on an ongoing basis

    NIS2 Compliance Timeline and Practical Steps

    Where Things Stand in 2026

    The NIS2 transposition deadline was October 2024. As of early 2026, most EU Member States have transposed the directive into national law, though some were delayed. National competent authorities are now actively overseeing compliance and have begun conducting audits.

    Practical Steps to Take Now

    If you have not started:

    1. Confirm your scope. Verify whether your company meets the sector and size criteria. Consult your national authority's website for country-specific guidance.
    2. Brief your executive team. Emphasize personal liability provisions and potential fines. NIS2 compliance requires management commitment and budget.
    3. Map your IT landscape. This is the most impactful first step. You cannot protect what you cannot see. Deploy an IT mapping tool to create a comprehensive, visual inventory of your applications, data flows, and dependencies.
    4. Conduct a gap assessment. Compare your current cybersecurity posture against the NIS2 requirements using the checklist above.
    5. Prioritize and execute. Address the highest-risk gaps first. Focus on asset visibility, incident response capability, and access control as immediate priorities.

    If you have started but are not yet compliant:

    1. Validate your asset inventory. Ensure it is complete, current, and includes shadow IT and cloud services.
    2. Test your incident response. Run a tabletop exercise. The 24-hour notification requirement is demanding -- make sure your process works before a real incident tests it.
    3. Address supply chain gaps. This is the area most SMEs underestimate. Document your critical suppliers and their access to your systems.
    4. Prepare for audits. National authorities will expect documented evidence of compliance. Ensure your policies, risk assessments, and asset inventories are documented and accessible.

    The Cost of Non-Compliance vs. the Cost of Action

    SME leaders rightfully ask: what does compliance cost, and is it worth it?

    The cost of compliance for a mid-market company (100-500 employees) typically ranges from EUR 50,000 to EUR 200,000 in the first year, including tooling, consulting, and internal effort. Ongoing annual costs are generally 30-50% of the initial investment.

    The cost of non-compliance includes:

    • Fines of up to EUR 10 million or 2% of global turnover
    • Personal liability for senior management
    • Reputational damage from publicized enforcement actions
    • Operational disruption from unmanaged cybersecurity incidents (the average cost of a data breach for an SME in Europe is approximately EUR 120,000)

    Beyond penalties, there is a positive business case. Organizations that achieve NIS2 compliance also gain:

    • Improved cyber resilience that reduces the likelihood and impact of incidents
    • Competitive advantage when selling to regulated customers who require supply chain compliance
    • Better IT governance that supports broader operational efficiency
    • Insurance benefits as cyber insurers increasingly factor compliance into coverage and pricing

    How UrbaHive Supports NIS2 Compliance

    NIS2 compliance begins with knowing what you have. UrbaHive provides SMEs and mid-market companies with the IT mapping foundation that makes compliance achievable and sustainable.

    With UrbaHive, you can:

    • Build and maintain a complete IT asset inventory that satisfies Article 21's asset management requirements
    • Visualize application interdependencies to support risk analysis and incident impact assessment
    • Document data flows between systems, identifying where sensitive data resides and how it moves
    • Assign ownership for every application, ensuring clear accountability as required by the directive
    • Collaborate with stakeholders across IT and business to validate information and maintain accuracy
    • Generate compliance-ready documentation that demonstrates your IT visibility to auditors and regulators

    IT mapping is not the entirety of NIS2 compliance, but it is the indispensable foundation. Without it, risk assessments lack data, incident response lacks context, and auditors lack evidence.

    Ready to build the IT visibility foundation for NIS2 compliance? Discover how UrbaHive can help you map your information system and accelerate your compliance journey. Request a demo today.
