For most B2B software, cloud and managed IT companies, the answer is yes, NIS2 applies. The question is under which category.
The categories SaaS usually falls into
The NIS2 Directive (Directive (EU) 2022/2555) lists several digital categories in Annex I (high-criticality):
- Cloud computing service providers - if you run infrastructure, platform or software as a service at scale, you are likely a cloud computing service.
- Managed service providers (MSPs) and managed security service providers (MSSPs) - listed under ICT service management. Most B2B IT and security vendors qualify here.
- Data centre service providers and content delivery networks.
- DNS service providers, TLD name registries - in scope regardless of size.
If your product fits one of these, you are in scope once you cross the size threshold.
The size threshold
NIS2 generally applies from the medium enterprise level: 50+ employees, or EUR 10M+ annual turnover or balance sheet. Below that you are usually out of scope, except for the size-independent categories (DNS, TLD, trust services).
Essential or Important?
Cloud and digital-infrastructure providers that are large (250+ staff or EUR 50M+ turnover) are typically Essential Entities; medium-sized ones are Important Entities. Both must implement the Art. 21 measures and meet the incident-reporting deadlines.
Do not forget supply-chain reach
Even if only your customer is the in-scope entity, NIS2's supply-chain security requirement (Art. 21(2)(d)) pushes obligations onto its providers contractually. So SaaS vendors must increasingly meet NIS2 expectations to keep enterprise customers.
Confirm your status
-> Run the NIS2 Applicability Checker - select your digital category and size for an instant result.
-> Read the full NIS2 scope guide.
Source
Directive (EU) 2022/2555 (NIS2)
Last verified: 21 June 2026.