There's a European cybersecurity regulation that went into active enforcement this month, and if your business has any connection to the EU — even through your supply chain — it probably affects you. Most American business owners haven't heard of it yet. That's a problem, and I want to help you get ahead of it.

The regulation is called NIS2, and it's basically GDPR for cybersecurity. I recorded a quick video walking through what you need to know.

Here's the full breakdown for those who prefer to read.

What Is NIS2?

NIS2 is the EU's updated Network and Information Security Directive (Directive (EU) 2022/2555). It was adopted in 2022, and EU member states were required to transpose it into national law by 17 October 2024, so they have been implementing it over the past two years. As of April 2026, regulators have shifted from "get your plans together" to actively supervising and enforcing compliance.

It covers 18 critical sectors including energy, transport, healthcare, finance, and digital infrastructure. But here's the part that catches American businesses off guard: it also reaches the supply chain. Covered organizations are required to manage the cybersecurity risk posed by their suppliers and service providers, so if you provide products, services, or IT support to any organization that falls under NIS2, their compliance requirements land on you through contracts, questionnaires, and audits, even though you are not directly regulated yourself.

Why This Matters for US Businesses

NIS2 compliance for small businesses isn't about whether you operate in Europe. It's about whether anyone in your supply chain does. Ask yourself: Do any of your customers have European operations or European clients? Do any of your vendors or partners? Do you provide IT support, software, or services to a company that does?

If the answer to any of those is yes, or even "I'm not sure," you're potentially in scope for someone's NIS2 supply chain risk assessment.

The GDPR Parallel

Remember GDPR? Most American businesses ignored it for years. Then one day, their marketing teams couldn't run email campaigns to European contacts without a full privacy policy overhaul. It was a rude awakening.

NIS2 is the cybersecurity version of that wake-up call. European companies are already sending detailed cybersecurity questionnaires — sometimes 40 or 50 pages — to their American vendors and partners. If you can't answer those questionnaires satisfactorily, you risk losing the business relationship.

The Key Requirements You Need to Know

72-Hour Incident Reporting

NIS2 requires covered organizations to report significant cybersecurity incidents on a fixed schedule: an early warning to the national authority within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within a month. If you're breached and you're part of someone's supply chain, that clock starts the moment the incident is detected, not when it's convenient, not after your lawyer reviews the situation, and not after your PR team drafts a statement. Your customer cannot meet a 24-hour or 72-hour deadline if you take a week to tell them, which is why supplier contracts under NIS2 increasingly require prompt notification of incidents affecting the customer's data or services.

This means you need to actually know when a breach happens. That requires real detection capabilities — not just prevention.

Management Liability

Under NIS2, company leadership can be held personally liable for cybersecurity compliance. This isn't a "the IT department handles it" regulation. Executives and management are required to approve cybersecurity risk management measures and oversee their implementation. Non-compliance exposes the organization to administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities (up to €7 million or 1.4% for important entities), and member states can temporarily bar the executives of an essential entity from exercising management functions until the failures are fixed.

Supply Chain Security

Organizations covered by NIS2 are required to assess and manage cybersecurity risks in their supply chains. That means they're going to be auditing their vendors — including you. They'll want to see documented policies, evidence of monitoring and detection, and proof that your leadership understands and approves your security posture.

What You Should Be Doing Right Now

1. Map Your Exposure

Start with a simple exercise: review your customer list, vendor list, and partner relationships. Do any of them have European operations, clients, or supply chain connections? If you're not sure, ask. It's a reasonable question, and the answer determines whether NIS2 is something you need to address now or can monitor for later.

2. Get Your Policies Written Down

Most small businesses have some version of an incident response plan, access control policy, and patch management process — but nothing formal, nothing documented, and nothing that would survive a third-party audit. Under NIS2 requirements, written documentation isn't optional. It's what gets reviewed when a partner or regulator comes asking.

At a minimum, you need documented policies for incident response (including who notifies whom, and how fast), access control, and patch management, the same three areas most small businesses already handle informally, plus a record that leadership has reviewed and approved them.

3. Invest in Detection, Not Just Prevention

There's a world of difference between knowing "we got breached" after the fact and seeing "we're detecting indicators of potential compromise right now — let's act before something happens." NIS2's 72-hour reporting window makes the second scenario essential. If you don't have real-time monitoring and alerting, you can't report what you don't know about.

This is where the investment matters most. Antivirus and firewalls are prevention. What you also need is active detection and response: centralized logging, endpoint detection and response, and alerting that watches your environment continuously and flags activity that doesn't look right, together with someone who will act on an alert within hours rather than days. A detection nobody reads does not shorten the clock.

4. Train Your Leadership

NIS2 explicitly requires management to be trained on cybersecurity risk. Even if you're not directly regulated, the companies sending you those questionnaires are going to want evidence that your leadership understands what they're approving. This doesn't mean your CEO needs to become a security expert — it means they need to understand the risks, the policies, and their role in maintaining compliance.

If Your IT Provider Hasn't Brought This Up

Here's the uncomfortable truth: if you're working with an IT provider or managed services company and they haven't mentioned NIS2 to you, that should concern you more than the regulation itself. It means either they don't know about it — which raises questions about their cybersecurity awareness — or they know and haven't told you, which raises different questions entirely.

A good IT partner should be proactive about regulations that affect your business. They should be the ones bringing this to your attention, helping you assess your exposure, and making sure your security posture is ready for the questionnaires that are already landing in inboxes.

The Bigger Picture

The EU is setting the global standard for cybersecurity regulation, just like they did with data privacy through GDPR. The American regulatory landscape is still fragmented — state-level laws, industry frameworks, and a patchwork of requirements that let most small businesses fly under the radar.

NIS2 doesn't care about your radar. It cares about the supply chain. And supply chains are global.

The businesses that take this seriously now will be the ones winning contracts 18 months from now while their competitors are scrambling to catch up.

Need help assessing your NIS2 exposure? We help businesses across Columbus and Phoenix evaluate their cybersecurity posture, build the documentation frameworks required for compliance, and implement the detection capabilities that make 72-hour reporting possible. Let's talk about where you stand.