NIS2 for SaaS: minimum checklist for 2026

What NIS2 actually demands from a mid-size SaaS: incident reporting, supply-chain, access control, and 3 basic rules we run ourselves.

By Dezső Mező, Founder, DField Solutions

Reviewed by: Dezső Mező · Founder · Engineer, DField Solutions · 20 Apr 2026

The NIS2 directive took effect on 17 October 2024, and national laws have since mandated concrete obligations on 'important' and 'essential' organisations. If your SaaS serves EU customers, you're probably 'important'. Our Cybersecurity service covers exactly this readiness work — here's the minimum checklist.

1. Incident reporting: 24h, 72h, 1 month

NIS2 mandates three deadlines: an early warning within 24 hours, an incident assessment within 72 hours, and a final report within one month. This is runbook work, not 'when it happens' work. Write the runbook today.

  • An on-call engineer who is authorised to say 'I'm reporting it' at the push of a button.
  • A severity rubric: Sev1 → immediate, Sev2 → within 24h, Sev3 → post-mortem.
  • A pre-written early-warning template for the national CSIRT portal.

2. Supply-chain risk

List your critical vendors (AWS, Stripe, SendGrid, …), rank them by business risk, and hold a DPA plus a security attestation (SOC 2, ISO 27001) for every 'important' one.

3. Access control: MFA, rotation, zero-standing

  • MFA for everyone, no exceptions. Technical users too.
  • Production SSH access: just-in-time only, with a 30-minute TTL.
  • API-key rotation: quarterly at minimum, and automated.

4. Patching and vulnerability management

NIS2 only says 'reasonable timeframe'. Our practical reading: a critical CVE patched within 48 hours, high within 7 days, medium within 30 days. Run this as an SLA, not as a 'we'll look at it'.

5. Training: twice a year minimum

Mandatory security awareness training, twice a year at minimum. Don't stop at click-through modules; include phishing simulations. You must be able to show the attendance and results record at audit.

We can help

Four of the five items above can be live in 2–3 weeks with your team. The fifth (patch SLA) is a 6-month project. Email us if you want hands-on help.
