Skip to Content

Navigating NIS2 in 2025: Cybersecurity Compliance for Europe’s Tech SMEs and Telcos

7 September 2025 by
Navigating NIS2 in 2025: Cybersecurity Compliance for Europe’s Tech SMEs and Telcos
Fabio Genovese

Europe’s cybersecurity landscape is shifting fast. With the NIS2 Directive (EU 2022/2555), companies across the continent now face tougher, standardized rules on digital resilience. And this time, the focus goes well beyond critical national infrastructure. From tech SMEs and cloud providers to regional telcos and online service companies, thousands of mid-sized organizations will soon fall under the same obligations once reserved for Europe’s largest utilities and operators.


Who Falls Under NIS2?

NIS2 broadens the original 2016 directive, extending coverage to medium and large entities across a wide range of sectors:​

  • Digital infrastructure: data centers, cloud providers, DNS services, CDNs.
  • ICT and digital services: many B2B providers and online platforms.
  • Telecom operators: not just national carriers, but also smaller public telcos providing connectivity.
  • Other “essential” and “important” sectors: energy, transport, healthcare, public administration, postal services, manufacturing, and more

Entities are categorized as:
- Essential: generally ≥ 250 employees or ≥ €50M turnover.
- Important: ≥ 50 employees or ≥ €10M turnover.
Smaller companies can also be designated if they provide critical services or if their member state decides so.
​ 

What NIS2 Requires

Here’s what organizations now need to implement:

  • tronger risk management: technical and organizational measures, supply-chain security, encryption, access control.
  • Board-level accountability: management must approve and oversee cybersecurity strategy, and can be held personally liable for negligence.
  • Fast incident reporting: notify within 24 hours, provide an in-depth report within 72 hours, followed by updates and a final report. 
  • Operational resilience: structured backups, disaster recovery, crisis simulations, and red-team testing. 
  • Heavy penalties: fines of up to €10 million or 2% of global turnover, plus potential liability for executives. 

The Reality: Delayed Transposition

EU member states were required to transpose NIS2 into national law by October 17, 2024. Yet several — including Germany, Spain, France, and the Netherlands — have not completed the process. That leaves businesses facing uncertainty over enforcement details in their jurisdiction.

Meanwhile, ENISA has flagged that sectors like ICT, healthcare, government, and space remain behind on readiness, often due to outdated infrastructure, limited budgets, and supply-chain complexity.

A Practical Roadmap for 2025

StepWhat to Do
Eligibility checkConfirm if your company falls under “essential” or “important” entities.​
Gap assessmentMap existing controls against NIS2 requirements. (Aon )
Governance & trainingGet the board engaged, designate a NIS2 officer, and roll out staff awareness programs.
Technical measuresDeploy MFA, patch management, encryption, secure backups, and monitoring.
Supply-chain oversightCatalogue critical vendors, add resilience clauses into contracts.
Incident responseBuild playbooks that meet the 24h/72h reporting deadlines.
Testing & drillsRun tabletop exercises and penetration tests.
Track national updatesMonitor how your country transposes NIS2 into law.

Not Just Compliance: A Competitive Edge

Preparing for NIS2 isn’t just about avoiding fines. Done right, it’s an opportunity to:

  • Strengthen customer and partner trust.
  • Demonstrate operational resilience in competitive markets.
  • Stay ahead of peers, especially in countries lagging behind on transposition.


As ENISA warns, cyber threats are intensifying. For Europe’s SMEs and telcos, NIS2 is more than a regulatory hurdle: it’s a resilience blueprint. And those who start now will be the ones customers rely on when the next disruption hits.

Want to get a free check of your compliance readiness? Request an initial assessment with our cybersecurity experts. Get in touch today, contact us!