The NIS2 obligations the IT director assumed did not apply to them

The IT director read the early NIS2 coverage, filed it under "energy, water, telecoms," and moved on. Their company writes software for a midsize logistics group. Not an operator of essential services, not a household name. The assumption was reasonable under the original 2016 NIS rules. It is wrong now, and the way it is wrong puts the director's own name on the hook rather than the company's.

The trap is treating NIS2 as a size test. It was never one. It is a sector-and-position test, and most of the people who assumed exemption read only half the scoping logic.

How NIS2 expanded essential and important entity scope

NIS2 splits covered organisations into essential entities and important entities, and the second category is where the surprises live. The directive pulled in sectors the original framework ignored: digital and managed service providers, postal and courier services, food production, manufacturing of medical devices and electronics, waste management. A medium-sized firm in one of those sectors is in scope by default. The size threshold (broadly 50+ staff or €10M+ turnover) is a floor that brings entities in, not a ceiling that keeps them out, and member states can designate smaller entities individually.

On 20 January 2026 the Commission proposed targeted amendments to ease obligations for roughly 28,700 companies, including about 6,200 SMEs. Read that the other way around: that many entities sit close enough to in-scope that easing their burden is now a policy project. If you are betting on exemption, you are betting against a population the regulator is actively counting.

The supply-chain clause that pulls you in through your customers

Even if your sector does not name you, your customers do. Article 21(2)(d) requires in-scope entities to manage the security of their supply chain, including the practices of their direct suppliers. That obligation does not stay inside the regulated company. It travels down the contract.

In practice a covered customer rewrites your agreement: NIS2-equivalent security clauses, a supplier incident-notification duty, evidence of your controls, and the right to assess them. You are not regulated directly, but you are contractually bound to behave as if you were, on someone else's timeline. The entity above you has to file an early warning within 24 hours of becoming aware of a significant incident, so they need to hear it from you well before that. Miss it and you are the gap in their compliance, and they will replace you to close it.

Management body accountability and personal liability under Article 20

Here is the part the IT director did not see coming. Article 20 puts approval and oversight of cybersecurity risk-management measures on the management body, and that responsibility cannot be delegated down to the security team. The board approves the measures, the board oversees them, and board members take mandatory training on cyber risk. The accountability is personal, not departmental.

Member states can enforce that with teeth: fines up to €10M or 2% of global annual turnover for essential entities, €7M or 1.4% for important entities, and for essential entities the option of temporarily barring named individuals from management functions. The director who waved the directive away as "not us" is, if the entity turns out to be in scope, exactly the person whose signature the regulator now expects on the risk-management approval, and whose name appears when it is missing.

Turning Article 21 measures into one exportable control set

The ten measures in Article 21 read like ten separate projects: risk policies, incident handling, business continuity, supply-chain assurance, access control, MFA, encryption, training. The failure mode is running each one inside a different tool with its own export, so that when an auditor or a national authority asks for evidence, you assemble it by hand from eight places and hope the timestamps reconcile. Three questions tend to break that approach:

Spot Suite keeps identity, billing, and the audit trail hanging off one record per tenant, so a Customer Environment answers these as a single export instead of ten stitched together. When a regulated customer pushes Article 21 obligations down your contract, or your management body has to prove it approved the measures, the evidence is already in one place. You can see how that maps to your control set on the security page.