NIS2 for SMBs: a practical guide
NIS2 is not only a legal obligation. For SMBs it means measurable security controls, evidence of risk management, and the ability to respond quickly to incidents.
Author: Marco Zoratto, founder of Splnit.eu
When to start
Start by assessing your sector, company size, and role in the supply chain. Even a company outside direct regulation may face customer pressure to prove cybersecurity processes.
The first practical step is an inventory of systems and owners. Without it, it is hard to decide where MFA belongs, who handles incidents, and which evidence an auditor or customer will ask for.
- Assign a person responsible for cybersecurity.
- List key systems, identities, and suppliers.
- Introduce recurring checks for MFA, backups, and incident response.
What must be provable
The supervisory authority will not look only for the existence of a policy. You need records showing that a control actually runs, when it was last checked, and who handled exceptions.
Typical evidence includes identity provider exports, access review records, incident logs, vulnerability reports, and approved security policies.
How to make it a process
NIS2 can be managed as a set of repeatable controls. Each control has an owner, status, evidence, and next review date. That keeps compliance from becoming a one-off audit project that goes stale.
Turn NIS2 into a first control checklist
Start with MFA, incident response, and suppliers: Splnit.eu maps them to controls, owners, and evidence you can check continuously.