NIS2 for Engineers: What Actually Changes in Your Stack
Compliance
NIS2 swept in sectors and SaaS providers that NIS1 never touched. The 24-hour early warning, supply chain assessments, and MFA mandate are engineering work, not paperwork.
By Arjun Raghavan, Security & Systems Lead, BIPI · June 1, 2024 · 7 min read
When the NIS2 transposition deadline hit in October 2024, a lot of SaaS founders we work with assumed it was a problem for utilities and banks. By the time their EU customers started forwarding supplier questionnaires citing Article 21, the panic was real. NIS2 widened the net to roughly 160,000 entities across the EU, and a managed services provider with 30 staff is now in the same regulatory bucket as a regional power company.
We have walked four mid-market platforms through their first NIS2 self-assessment over the last six months. The pattern is consistent: the legal team reads the directive, panics about fines up to 10 million euros or 2 percent of global turnover, and then hands engineering a one-page summary that misses what actually has to change in the codebase.
The scope question nobody answers cleanly
NIS2 splits entities into Essential and Important. The threshold is 250 employees or 50 million in turnover for Essential, with lower bars for Important. But size is not the whole story. If you are a managed services provider, a cloud computing provider, a data center operator, or a digital infrastructure provider, you are in scope regardless of headcount. We had a 40-person observability vendor in Berlin discover they were Important purely because they qualified as a managed security services provider.
The practical move is to map your services against Annex I and II of the directive line by line. Do not let counsel rely on a vendor whitepaper. We have seen three different law firms reach three different conclusions on the same product.
Incident reporting: the 24 and 72 hour clocks
Article 23 sets two clocks that change how your incident response runbook reads. Within 24 hours of becoming aware of a significant incident, you owe the relevant CSIRT an early warning. Within 72 hours, you submit a formal notification with an initial assessment, severity, and indicators of compromise. A final report follows at one month.
Most incident response platforms were not built for a 24-hour deadline that starts at awareness, not at confirmation. We rewired one client's PagerDuty workflow so that the first SEV-1 page automatically opens a regulatory timer in their GRC tool. The on-call lead has to acknowledge or dismiss the regulatory implication within four hours. That single change moved their average notification readiness from 36 hours to under 18.
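The regulatory timer described above, modelled in Python as an added example (this is not code from the article or from any client's GRC or PagerDuty integration). Every deadline is derived from the moment of awareness, not confirmation, and the on-call lead's four-hour acknowledge-or-dismiss window is tracked alongside the Article 23 clocks. The stage names, the 30-day reading of "one month", and the page-payload field names in `open_timer_from_page` are assumptions; the scenario in `incident_demo` is constructed.

```python
"""Model the Article 23 reporting clocks for one incident.

Added example, not code from the BIPI article or its clients' tooling.
Assumptions: stage names, "one month" read as 30 days, and the field names
of the page payload handled by open_timer_from_page.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Article 23 clocks, all measured from awareness, not from confirmation.
CLOCKS: Dict[str, timedelta] = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=30),  # "one month", read as 30 days (assumption)
}
# Internal SLA from the article: acknowledge or dismiss within four hours.
TRIAGE_SLA = timedelta(hours=4)


@dataclass
class RegulatoryTimer:
    incident_id: str
    aware_at: datetime  # timezone-aware; set when the first SEV-1 page fires
    triaged_at: Optional[datetime] = None
    reportable: Optional[bool] = None  # None until the on-call lead decides
    submitted: Dict[str, datetime] = field(default_factory=dict)

    def deadlines(self) -> Dict[str, datetime]:
        return {stage: self.aware_at + delta for stage, delta in CLOCKS.items()}

    def triage(self, at: datetime, reportable: bool) -> None:
        self.triaged_at, self.reportable = at, reportable

    def submit(self, stage: str, at: datetime) -> None:
        if stage not in CLOCKS:
            raise ValueError(f"unknown stage {stage!r}")
        self.submitted[stage] = at

    def triage_state(self, now: datetime) -> str:
        """'done', 'pending', or 'breached' once the four-hour SLA has passed."""
        if self.triaged_at is not None:
            return "done"
        return "breached" if now > self.aware_at + TRIAGE_SLA else "pending"

    def status(self, now: datetime) -> Dict[str, str]:
        """Per-stage state: submitted, submitted_late, due, overdue, not_applicable."""
        if self.reportable is False:
            return {stage: "not_applicable" for stage in CLOCKS}
        out: Dict[str, str] = {}
        for stage, due in self.deadlines().items():
            sent = self.submitted.get(stage)
            if sent is not None:
                out[stage] = "submitted" if sent <= due else "submitted_late"
            else:
                out[stage] = "overdue" if now > due else "due"
        return out

    def hours_left(self, stage: str, now: datetime) -> float:
        return (self.deadlines()[stage] - now) / timedelta(hours=1)


def open_timer_from_page(page: dict) -> RegulatoryTimer:
    """Hypothetical hook for the first SEV-1 page; field names are assumed."""
    aware = datetime.fromisoformat(page["triggered_at"])
    if aware.tzinfo is None:
        aware = aware.replace(tzinfo=timezone.utc)
    return RegulatoryTimer(incident_id=page["incident_id"], aware_at=aware)


def incident_demo() -> dict:
    """Constructed scenario (not a real incident) exercising each state."""
    timer = open_timer_from_page(
        {"incident_id": "INC-0042", "triggered_at": "2024-06-03T09:00:00+00:00"}
    )
    t0 = timer.aware_at
    untouched = RegulatoryTimer("INC-0041", t0)  # nobody triaged this one
    timer.triage(t0 + timedelta(hours=2, minutes=30), reportable=True)
    timer.submit("early_warning", t0 + timedelta(hours=22))
    dismissed = RegulatoryTimer("INC-0040", t0)
    dismissed.triage(t0 + timedelta(hours=1), reportable=False)
    at_51h = t0 + timedelta(hours=51)
    return {
        "breached_triage": untouched.triage_state(t0 + timedelta(hours=5)),
        "status_51h": timer.status(at_51h),
        "status_80h": timer.status(t0 + timedelta(hours=80)),
        "notification_hours_left_51h": timer.hours_left("notification", at_51h),
        "dismissed": dismissed.status(t0 + timedelta(hours=100)),
    }


if __name__ == "__main__":
    for key, value in incident_demo().items():
        print(f"{key}: {value}")
```

The point of keeping `reportable` as a tri-state is that an undecided incident keeps all three clocks running; only an explicit dismissal by the on-call lead turns them off, which is what makes the four-hour triage SLA enforceable.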
Supply chain: the article that ate Q4
Article 21 demands that you assess and manage supply chain risks, including the security practices of your direct suppliers. For a SaaS company with 80 third-party SaaS subscriptions, that is a real program. The lazy reading is to send everyone a questionnaire and call it done. The defensible reading is tiering.
- Tier 1: any vendor that processes customer data or has production access. Annual review, SOC 2 Type II or equivalent, breach notification clause with 24-hour SLA.
- Tier 2: vendors with access to your corporate environment but not production. Biennial review, certificate of attestation, MFA evidence.
- Tier 3: marketing tools, low-risk SaaS. Self-attestation only.
We built this tiering for a logistics platform last quarter. It cut their vendor review workload by 60 percent and gave them an answer for auditors that was not theatrical.
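The tiering above, encoded as a checkable supplier register (the kind of register the baseline section says a regulator asks for first). This is an added Python example, not BIPI's or any client's tooling. The vendor records, evidence labels, and the set of reports treated as "SOC 2 Type II or equivalent" are constructed assumptions; the review cadences and required evidence follow the three tiers as the article states them.

```python
"""Tier a supplier register and list what evidence each vendor still lacks.

Added example, not BIPI's tooling. Vendor records, evidence labels, and the
reports accepted as "SOC 2 Type II or equivalent" are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Evidence and review cadence per tier, following the article's tiering.
REQUIREMENTS = {
    1: {"review_every_days": 365, "evidence": {"assurance_report", "breach_clause_24h"}},
    2: {"review_every_days": 730, "evidence": {"attestation_certificate", "mfa_evidence"}},
    3: {"review_every_days": None, "evidence": {"self_attestation"}},
}
# Assumption: which assurance reports count as "SOC 2 Type II or equivalent".
ACCEPTED_ASSURANCE = {"SOC 2 Type II", "ISO 27001"}
TODAY = date(2024, 6, 1)  # fixed so the demo is reproducible


@dataclass
class Vendor:
    name: str
    processes_customer_data: bool = False
    production_access: bool = False
    corporate_access: bool = False
    evidence: Dict[str, str] = field(default_factory=dict)  # kind -> detail
    last_review: Optional[date] = None


def tier_for(v: Vendor) -> int:
    """Tier 1: customer data or production access; Tier 2: corporate access; else 3."""
    if v.processes_customer_data or v.production_access:
        return 1
    if v.corporate_access:
        return 2
    return 3


def gaps(v: Vendor, today: date = TODAY) -> List[str]:
    """Everything that keeps this vendor from being defensible at its tier."""
    tier = tier_for(v)
    req = REQUIREMENTS[tier]
    found: List[str] = [
        f"missing {kind}" for kind in sorted(req["evidence"]) if kind not in v.evidence
    ]
    report = v.evidence.get("assurance_report")
    if tier == 1 and report is not None and report not in ACCEPTED_ASSURANCE:
        found.append(f"assurance_report {report!r} not accepted")
    every = req["review_every_days"]
    if every is not None:
        if v.last_review is None:
            found.append("never reviewed")
        elif today - v.last_review > timedelta(days=every):
            found.append(f"review overdue since {v.last_review + timedelta(days=every)}")
    return found


def build_register(vendors: List[Vendor], today: date = TODAY) -> List[dict]:
    return [{"vendor": v.name, "tier": tier_for(v), "gaps": gaps(v, today)} for v in vendors]


def sample_vendors() -> List[Vendor]:
    """Constructed vendors; names and evidence are made up for the example."""
    return [
        Vendor("PayRail", processes_customer_data=True,
               evidence={"assurance_report": "SOC 2 Type II", "breach_clause_24h": "MSA clause 9"},
               last_review=date(2023, 11, 15)),
        Vendor("CloudLog", production_access=True,
               evidence={"assurance_report": "SOC 2 Type I"},
               last_review=date(2023, 3, 1)),
        Vendor("HRDesk", corporate_access=True,
               evidence={"attestation_certificate": "ISO 27001 certificate"}),
        Vendor("MailBlast", evidence={"self_attestation": "2024 questionnaire"}),
    ]


def register_demo() -> List[dict]:
    return build_register(sample_vendors())


if __name__ == "__main__":
    for row in register_demo():
        print(f"Tier {row['tier']} {row['vendor']}: {row['gaps'] or 'complete'}")
```

Tiering is decided from access facts rather than from the vendor's own category, so a marketing tool that happens to hold production credentials lands in Tier 1 automatically; the `gaps` output is what you hand to an auditor in place of a stack of questionnaires.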
MFA, encryption, and the technical baseline
Article 21(2) lists ten categories of measures. The crowd-pleasers are mandatory MFA for privileged access, encryption of data at rest and in transit, and basic cyber hygiene practices. None of this is novel. What is novel is that you have to evidence it for an entity that may show up unannounced.
Practical engineering work for the next two quarters: enforce phishing-resistant MFA on all admin consoles, document your cryptographic standards in a one-page policy, run a tabletop incident exercise and capture the artifacts, and build a register of every NIS2-relevant supplier. That register is the document a regulator will ask for first. If you cannot produce it in 48 hours, the rest of your program will not save you.