NIS2: how the directive changes things for French SMEs
The European NIS2 Directive (EU 2022/2555), adopted in December 2022, significantly broadens the scope of companies subject to cybersecurity obligations. ANSSI estimates that between 10,000 and 15,000 French entities are now affected (compared to a few hundred under NIS1), spread across 18 sectors: industry, healthcare, transportation, energy, digital services, public administration, agri-food, and many others.
In France, transposition will be achieved through the Resilience Act, adopted by the Senate in March 2025 and then by a committee of the National Assembly in September 2025. Final enactment is expected in early 2026. The companies concerned will then have three years to comply. But waiting would be a strategic mistake: cyber insurers are already demanding concrete measures, and ANSSI's controls will be retroactive for incidents occurring after the law comes into force.
Sources: ANSSI — European Commission — Wavestone (NIS2 Transposition Tracker, January 2026)
Who is affected by NIS2?
NIS2 creates two categories: essential entities (EE) and important entities (IE). Classification depends on the sector of activity and the size of the organization. SMEs with more than 50 employees or €10 million in turnover in the 18 sectors covered are potentially affected. Certain entities may be designated regardless of their size if they are the "sole supplier" in their region. ANSSI offers an indicative simulator on MonEspaceNIS2 to check eligibility.
NIS2 sanctions: a real risk for executives
The penalties are significant and personal. For essential entities: up to €10 million or 2% of global turnover. For important entities: up to €7 million or 1.4% of global turnover. A major innovation is that managers can be held personally liable and temporarily banned from exercising management functions in the event of a breach. ANSSI audits will be paid for by the entities being audited.
Sources: EU Directive 2022/2555 — Resilience Bill (France)
The technical measures required by NIS2
The directive requires the implementation of "appropriate and proportionate" technical measures to manage risks. Specifically, Article 21 of the directive covers: risk management and threat analysis, incident handling and mandatory notification (initial alert within 24 hours, interim report within 72 hours), business continuity and crisis management, supply chain security, system hardening and vulnerability management, access control and encryption policies.
Hardening: the most direct technical measure for NIS2 compliance
Of all the technical measures requested, hardening workstations and servers offers the best compliance/effort ratio. Hardening configurations in accordance with CIS Benchmark standards or ANSSI recommendations produces tangible and auditable evidence. The CIS-CAT compliance report is a deliverable that can be used directly during an audit.
Hardening simultaneously meets several NIS2 requirements: reduction of the attack surface (vulnerability management), access control (LAPS, restriction of privileged accounts), logging (advanced auditing), encryption (BitLocker). It is a cross-functional measure that ticks several boxes in the reference framework in a single service. And let's not forget that, according to the Semperis 2024 report, Active Directory is targeted in 9 out of 10 ransomware attacks, which places identity hardening at the heart of compliance.
Source: Semperis, 2024 Ransomware Risk Report
5-step NIS2 compliance plan for SMEs
Step 1: Assess whether your company is affected
Use the ANSSI's MonEspaceNIS2 simulator. If in doubt, assume you are affected: it is better to be compliant without obligation than non-compliant with obligation. Orange Cyberdefense points out that a cyberattack costs a French SME an average of €466,000, which puts the cost of compliance into perspective.
Source: Orange Cyberdefense
Step 2: Conduct an IT security audit
The audit assesses your current security posture and identifies any gaps in relation to NIS2 requirements. It provides an essential foundation for your action plan.
Step 3: Hardening workstations and servers
Deploy CIS Level 1 security configurations or ANSSI recommendations across the entire fleet. This step immediately produces evidence of compliance and tangibly reduces risk. The CIS-CAT "before/after" report is an auditable deliverable.
Step 4: Deploy detection and response (EDR/SOC)
NIS2 requires the ability to detect and respond to incidents, with strict notification deadlines. A managed EDR or outsourced SOC meets this requirement without requiring dedicated internal resources. According to IBM, organizations using AI and automation in their security reduce the lifecycle of breaches by an average of 80 days.
Source: IBM Cost of a Data Breach Report 2025
Step 5: Document, train, and maintain
NIS2 compliance is an ongoing process. Policy documentation, executive training (a legal requirement), employee training, periodic reviews, and incident response plans must be maintained over time. NIS2 recognizes that 90% of successful cyberattacks exploit human error, hence the importance of ongoing awareness.
FAQ - NIS2 compliance: practical guide for SMEs
What is the NIS2 Directive?
NIS2 (EU 2022/2555) is a European directive adopted in December 2022 that strengthens cybersecurity obligations for businesses. It extends the scope to 18 sectors and affects between 10,000 and 15,000 entities in France. In France, the transposition is being carried out through the Resilience Law, which is expected to be enacted in early 2026.
Is my SME affected by NIS2?
SMEs with more than 50 employees or €10 million in turnover in one of the 18 sectors covered (industry, health, transport, energy, digital services, etc.) are potentially affected. Certain entities may be designated regardless of their size. ANSSI offers an indicative simulator on MonEspaceNIS2.
What are the NIS2 penalties for executives?
For essential entities: up to €10 million or 2% of global turnover. For important entities: up to €7 million or 1.4% of global turnover. Managers may be held personally liable and temporarily banned from exercising management functions.
What is the deadline for NIS2 compliance?
The companies concerned will have a period of three years after the national law comes into force. But waiting would be a strategic mistake: cyber insurers are already demanding concrete measures, and ANSSI's controls will be retroactive for incidents occurring after the law comes into force.
Where should an SME start with NIS2 compliance?
Five steps: check your eligibility on MonEspaceNIS2, perform an IT security audit to identify gaps, harden workstations and servers (CIS Benchmark hardening), deploy an EDR or SOC for incident detection and response, then document and provide ongoing training. Hardening is the measure that offers the best compliance/effort ratio.