NIS2 readiness for cloud and B2B SaaS
Most of the market sells you NIS2 readiness before asking the only question that matters first: are you actually in scope? For a cloud or B2B SaaS company that is not a given. Two separate gates both have to be met, and a smaller company can be squarely out.
Kellwick tests the size threshold and the Article 6(30) cloud test, works out which Member State's transposition applies, and hands you a written scope position - in or out, essential or important - before a single control is built.
Licensed as a financial entity? DORA may govern instead of NIS2 →
Can your company answer these 5 things?
Why scope-first saves you money
NIS2 bites through national law now, so the pressure is real. But the first cost most companies take on is unnecessary work, because nobody tested scope before the project started.
NIS2 is Directive (EU) 2022/2555. It reaches cloud computing services as digital infrastructure - but being in scope depends on two independent gates, and cloud is not on the list of sectors that are in regardless of size. Assume you are in, and you over-build. Assume you are out, and a customer's question catches you flat.
Get the scope answer in writing first. Everything else is cheaper once you have it.
Both gates must be met
The two gates
Miss either gate and you are out. This is exactly why the honest first step is a scope determination, not a readiness sprint.
Cloud is not on NIS2's size-blind list. Under Article 2(1) you are only in scope if you are medium-sized or larger, measured against Commission Recommendation 2003/361/EC. You leave the small category only if you have 50 or more staff, or if your turnover and your balance sheet total both exceed EUR 10 million - the financial limb is conjunctive.
So a 30-person SaaS with EUR 15 million turnover but a modest balance sheet is out. Partner and linked-enterprise ownership is aggregated into the figures, which is how venture backing can push a startup over.
Being a cloud service is a legal test, not a label. Article 6(30) defines a cloud computing service as a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. Recital 33 lists IaaS, PaaS and SaaS as models, but a recital is not a deeming provision - the operative Article 6(30) test still has to be met.
There is no EU classification test and no case law, and regulators disagree: Germany treats SaaS as generally in scope, even on third-party infrastructure; Denmark says it is not automatic. Multi-tenant, elastic, self-serve SaaS usually meets it; single-tenant, fixed-capacity or manually provisioned services are the genuinely arguable cases.
If you are in scope
None of this applies until scope is confirmed. Once it is, these are the obligations that follow through your Member State's national law.
Under Article 20 the management body must approve the security measures, oversee them, and can be held liable. Training for the management body is required; training for the wider workforce is encouraged, not mandated.
Article 21(2) sets out ten minimum risk-management measures - from policies on risk analysis and incident handling to business continuity, supply-chain security and cryptography - proportionate to your exposure.
Article 23 sequences reporting for a significant incident, all timed from when you become aware: an early warning within 24 hours, a notification within 72 hours, and a final report within one month.
In-scope entities register with the competent authority in their Member State and fall under its supervision. Which authority, and what registration follows, depends on your entity type and where you operate.
Article 34 sets fines for essential entities at a maximum of at least EUR 10 million or 2% of worldwide annual turnover, whichever is higher; for important entities, EUR 7 million or 1.4%. Which band applies depends on your classification.
Incident reporting
Under Article 23, once you become aware of a significant incident, a defined sequence of reports to the competent authority begins, each on its own deadline.
| Report | Deadline |
|---|---|
| Early warning | Within 24 hours of becoming aware of a significant incident. |
| Incident notification | Within 72 hours of becoming aware, updating the early warning with an initial assessment. |
| Final report | Within one month of the notification. |
Timelines per Article 23 of Directive (EU) 2022/2555. There is no 4-hour reporting figure in NIS2 - the 4-hour deadline belongs to DORA, a separate regime. Applying it to NIS2 is a common and costly mistake.
Quick NIS2 scope self-check
If the scope answer is not clear, you are not ready to build. You are guessing at whether the regulation is even yours.
Not ready for a full review?
Start with a 2-day Mini Gap Review.
Scoped and priced on a short call. We hand back your top Stage 1 blockers and the single next step that matters most.
What you receive
What you actually are under Annex I and II - a cloud computing service, a different digital-infrastructure entity, or none of them. The Article 2(1) question most advice skips.
The medium-sized-or-larger test, done properly. For a lot of companies this, not the entity type, is what decides scope.
Which Member State's national law applies to you, and its current state - because NIS2 bites through national transposition, not the directive directly.
A short opinion you can hand to a buyer or a regulator: in or out, essential or important, which authority, and only then what readiness actually follows.
Where scope goes wrong
| Area | What NIS2 requires | Common mistake | Kellwick output |
|---|---|---|---|
| Entity type | A tested Article 6(30) position | SaaS assumed in, or assumed out, but never tested | Written Article 6(30) analysis, argued both ways |
| Size threshold | Medium-sized-or-larger, with aggregation | Headcount checked, balance-sheet limb and aggregation missed | Full size assessment, partner and linked included |
| Transposition | The right Member State's national law | The directive read directly, national act ignored | Applicable transposition and authority identified |
| Incident readiness | A 24-hour awareness clock | A 4-hour DORA figure applied to NIS2 by mistake | Correct 24 / 72 / one-month reporting workflow |
| Governance | Management-body approval and training | Measures owned by IT, the board never trained | Board-owned, approved governance position |
The process
You share how the service is delivered - multi-tenant or single-tenant, elastic or fixed capacity, self-serve or manually provisioned - plus your headcount, turnover, balance sheet, ownership structure and where you operate.
We determine your entity type against Annex I and the Article 6(30) cloud test, then apply the medium-sized-or-larger threshold with partner and linked aggregation. For many companies the size gate, not the entity type, decides it.
A short written opinion: in or out, essential or important, which competent authority, and only then what readiness actually follows. No control-building before the scope question is answered.
Before Kellwick
That sentence is not a scope position.
After Kellwick
Book this if
Led by a CQI/IRCA-trained ISO 27001 Lead Auditor
CQI/IRCA ISO/IEC 27001:2022 Lead Auditor trained. IRCA Associate Auditor - ISMS. CQI Practitioner Member - PCQI. 18 years in IT, SaaS, fintech, product and operations.
Kellwick is an independent advisory practice, not a certification body.
Typical starting points
Final scope and pricing are confirmed after a short call.
Scoped on a call
Cloud and B2B SaaS companies that need to know, in writing, whether NIS2 reaches them before spending anything on readiness.
Scoped on a call
Companies confirmed in scope that need the Article 21(2) measures, incident-reporting workflow and management-body governance assessed against national law.
Scoped on a call
In-scope companies that need the measures, reporting readiness and governance kept alive as national transposition and guidance evolve.
This is for you if
This is not for you if
Why Kellwick
Kellwick prepares regulated technology companies for the standards and regulations their customers and supervisors demand. NIS2 work is led by a CQI/IRCA-trained ISO/IEC 27001 Lead Auditor who reads the directive and the national transposition as they are written - not as a vendor deck summarises them.
That matters because NIS2 advice is unusually prone to overreach. The honest first answer is often that the size gate, the Article 6(30) test, or a sector-specific act like DORA changes the picture entirely. We would rather tell your company that in writing than sell it a programme it does not need.
FAQ
Not automatically. Two gates both have to be met. First the size gate: under Article 2(1) you are only in scope if you are medium-sized or larger, and cloud is not on the size-blind list. Second the entity gate: your service has to meet the Article 6(30) cloud-computing test. Most real B2B SaaS - multi-tenant, elastic, self-serve - meets Article 6(30), but the size gate often decides first, and a smaller company can be out.
You leave the small category, and become potentially in scope, if you have 50 or more staff, or if your annual turnover and your balance sheet total both exceed EUR 10 million. The financial limb is conjunctive - both figures have to exceed the amount. So a 30-person SaaS with EUR 15 million turnover but a small balance sheet is out. Partner and linked-enterprise ownership is aggregated into these figures, which is how venture ownership can push a startup over.
Not definitely. Article 6(30) defines a cloud computing service as a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. Recital 33 lists IaaS, PaaS and Software as a Service as cloud models, but a recital lists models - it is not a deeming provision, so the operative Article 6(30) test still has to be met. There is no EU classification test and no case law on it, and regulators differ: Germany treats SaaS as generally in scope, even on third-party infrastructure, while Denmark says it is not automatic. Multi-tenant, elastic, self-serve SaaS usually meets the test; single-tenant, fixed-capacity or manually provisioned services are the genuinely arguable cases.
Under Article 23, timed from when you become aware of a significant incident: an early warning within 24 hours, a notification within 72 hours, and a final report within one month of the notification. There is no 4-hour deadline in NIS2 - the 4-hour figure belongs to DORA, a separate regime, and applying it here is a common and costly mistake.
NIS2 is Directive (EU) 2022/2555 and takes effect through national law. The transposition deadline was 17 October 2024. As of mid-2026 a handful of Member States - among them Spain, France, Ireland and the Netherlands - had not fully transposed, but most had, so the obligations bite through national law across most of the EU. Which Member State's transposition applies to you is part of the scope question.
Under Article 20 the management body must approve the security measures, oversee them, and can be held liable. Training for the management body is required; training for the wider workforce is encouraged, not mandated. The measures themselves are the ten minimum items in Article 21(2).
From the blog
Scope, the cloud test and incident reporting for cloud and B2B SaaS companies.
AI features have quietly expanded your subprocessor list. Here is how to track, disclose, and govern them before a customer security review does it for you.
Read →FX & Trading GRCMT4 and MT5 admin credentials are among the highest-risk access points in any FX broker. Here is the ISO 27001 evidence gap that appears in almost every readiness review.
Read →SaaS Security GovernanceEveryone agrees with least privilege in principle. The hard part is running it in a fast-moving SaaS company without grinding engineering to a halt.
Read →Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome.
In or out, in writing - then only what scope requires.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.