NIS2 for SMBs: a practical guide

NIS2 is not only a legal obligation. For SMBs it means measurable security controls, evidence of risk management, and the ability to respond quickly to incidents.

When to start

Start by assessing your sector, company size, and role in the supply chain. Even a company outside direct regulation may face customer pressure to prove cybersecurity processes.

The first practical step is an inventory of systems and owners. Without it, it is hard to decide where MFA belongs, who handles incidents, and which evidence an auditor or customer will ask for.

  • Assign a person responsible for cybersecurity.
  • List key systems, identities, and suppliers.
  • Introduce recurring checks for MFA, backups, and incident response.

What must be provable

The supervisory authority will not be satisfied by the mere existence of a policy. You need records showing that a control actually runs, when it was last checked, and who handled any exceptions.

Typical evidence includes identity provider exports, access review records, incident logs, vulnerability reports, and approved security policies.

How to make it a process

NIS2 can be managed as a set of repeatable controls. Each control has an owner, status, evidence, and next review date. That keeps compliance from becoming a one-off audit project that goes stale.
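As an added illustration of the control register described above (example code, not part of the original article or of Splnit.eu), the following Python models each control with an owner, evidence list, last check date and review interval, and computes which controls an auditor or customer would flag: never verified, past their next review date, or lacking evidence. The control names, owners and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Control:
    """One repeatable NIS2 control: who owns it, how often it is re-checked,
    when it was last verified, and which records prove it ran."""
    control_id: str
    name: str
    owner: str
    review_interval_days: int
    last_checked: Optional[date] = None          # None means never verified
    evidence: List[str] = field(default_factory=list)  # paths/links to records
    exceptions: List[Tuple[str, str]] = field(default_factory=list)  # (who, why)


def next_review_date(control: Control) -> Optional[date]:
    """Next review date, or None if the control has never been checked."""
    if control.last_checked is None:
        return None
    return control.last_checked + timedelta(days=control.review_interval_days)


def review_status(control: Control, today: date) -> str:
    """'never-checked', 'overdue' (past next review date) or 'ok'."""
    due = next_review_date(control)
    if due is None:
        return "never-checked"
    if today > due:
        return "overdue"
    return "ok"


def findings(register: List[Control], today: date) -> List[Tuple[str, str, str]]:
    """Return (control_id, finding, owner) for every control that would not
    pass an evidence-based check: stale/never verified, no evidence on file,
    or an exception recorded without a justification."""
    out = []
    for c in register:
        status = review_status(c, today)
        if status != "ok":
            out.append((c.control_id, status, c.owner))
        if not c.evidence:
            out.append((c.control_id, "no-evidence", c.owner))
        if any(not why.strip() for _, why in c.exceptions):
            out.append((c.control_id, "unjustified-exception", c.owner))
    return out


# Constructed sample register (hypothetical controls, owners and dates).
SAMPLE_REGISTER = [
    Control("CTL-01", "MFA enforced for all admin accounts", "it-lead", 90,
            last_checked=date(2024, 3, 1),
            evidence=["idp-export-2024-03-01.csv"]),
    Control("CTL-02", "Backups restore-tested", "ops", 90,
            last_checked=None,
            evidence=["restore-test-2024-01.pdf"]),
    Control("CTL-03", "Incident response runbook reviewed", "ciso", 180,
            last_checked=date(2024, 5, 20),
            evidence=[]),
]

SAMPLE_TODAY = date(2024, 6, 30)


def sample_findings() -> List[Tuple[str, str, str]]:
    """Findings for the constructed register as of SAMPLE_TODAY."""
    return findings(SAMPLE_REGISTER, SAMPLE_TODAY)


if __name__ == "__main__":
    for control_id, finding, owner in sample_findings():
        print(f"{control_id}: {finding} (owner: {owner})")
```

Running this on the sample data reports CTL-01 as overdue (its 90-day review lapsed on 2024-05-30), CTL-02 as never checked, and CTL-03 as lacking evidence; each finding carries the owner so it can be assigned rather than left to a one-off audit.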

Turn this article into a control checklist

Splnit.eu maps obligations to controls, evidence, and deadlines so they can be checked continuously.
