EU Regulation · 13 min read

NIS2 for SaaS Companies: A Practical Guide for US and Global Vendors

Alexander Sverdlov

Security Analyst

5/7/2026
EU Regulation · SaaS · May 2026

If your SaaS has even one EU customer, the question is no longer "does NIS2 apply to us?" It is "are we in scope directly, indirectly through our customers' supply chain, or both?" Here is how to find out, what it means, and what to do in the next 90 days.

Key Takeaways

  • A SaaS company can fall under NIS2 in two distinct ways: direct scope as a digital service provider, or indirect scope through a customer's supply chain obligations
  • Where your company is headquartered is irrelevant for direct scope; what matters is whether you offer a listed service within the Union. A US SaaS that provides such a service in the EU can be in scope with no EU office or staff, and must then designate a representative in a member state where it offers the service (Article 26(3)).
  • If your EU customers are NIS2-regulated, expect contractual amendments in 2026 that pass NIS2 obligations down to you. This is the more common path.
  • Maximum fines are at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for "essential" entities, and EUR 7 million or 1.4% for "important" entities. Member-state implementations vary in the details.
  • Personal liability for management goes up to EUR 100,000 or more in several member states, with possible temporary disqualification from leadership roles
  • SOC 2 and ISO 27001 cover most but not all of NIS2's requirements. Gap is roughly 20-30% of controls plus member-state-specific reporting and registration steps.

In April we got an email from the founder of a 35-person US SaaS that helps banks reconcile cross-border payments. They had been working with a German Landesbank for two years. The bank had just sent them a 22-page contract amendment titled "NIS2-aligned ICT supplier requirements." The amendment had a 60-day signature deadline and a list of obligations, including the right of the bank to audit them annually, four-hour incident notification clauses, mandatory penetration testing, exit strategy documentation, and sub-processor controls.

"We have SOC 2 Type 2," the founder wrote. "Doesn't that cover this? Also, are we in NIS2 directly? We are based in Delaware. We do not have an EU office. We have eleven EU customers."

Two questions that this post answers in detail. The short version: SOC 2 covers about 70 percent of what the German bank is asking for, the gap is real, and yes, it is also possible the SaaS is in direct scope of NIS2 even with no EU presence. We walked them through the assessment, helped negotiate the amendment, and built a 90-day plan. They signed the new contract three weeks later and kept the largest customer in their book.

Step One

The Two Paths a SaaS Company Falls Under NIS2

Most US and non-EU SaaS founders think of NIS2 the way they thought of GDPR in 2018: a thing that happens to European companies, that maybe applies to us through some convoluted contract clauses. This framing is wrong, and it has been wrong since member states had to apply their NIS2 transpositions from 18 October 2024 (the directive itself entered into force in January 2023; 17 October 2024 was the transposition deadline). There are now two distinct ways a SaaS company is in scope, and most companies in scope are in scope through both.

Figure 1. Two paths a SaaS company falls under NIS2. Direct scope is determined by EU regulation; indirect scope is determined by your customer's procurement contracts. Most SaaS in scope hit both paths simultaneously.

Path A: Direct scope. You provide a listed service in the EU. Common SaaS categories in direct scope: cloud computing service providers; managed service providers; managed security service providers; online marketplaces; online search engines; social networking platforms; data centre service providers; content delivery networks; DNS service providers and TLD name registries; trust service providers (eIDAS).

Path B: Indirect scope via the supply chain. Your customer is a regulated entity. Customers who push obligations down: EU banks and financial institutions; EU energy and utilities; EU healthcare and hospitals; EU transport (air, rail, road, water); EU public administration; EU telecom operators; EU food and chemical industry; EU manufacturers in the Annex II manufacturing sub-sectors (18 sectors are listed across Annex I and Annex II). Pushed down via contract amendments and new clauses, and via vendor security questionnaires.

If both paths apply, you have to satisfy both: the regulatory obligations are the floor, and customers can and do add stricter contractual clauses on top.

Each path has different requirements, different counterparties (regulators versus customers), and different remedies. You can negotiate the indirect path clause by clause; you cannot negotiate the direct one. You can decide not to renew customers in the indirect path; you cannot decide to "stop being" a digital service provider in the EU without leaving the market entirely.

Step Two

Path A: Direct Scope as a Digital Service Provider

NIS2 Annex I (sectors of high criticality) includes "digital infrastructure" (cloud, data centres, CDNs, DNS, TLD registries, trust services) and "ICT service management (business-to-business)" (managed service providers and managed security service providers); Annex II (other critical sectors) adds "digital providers" (online marketplaces, online search engines, social networking platforms). Together these cover the categories most SaaS companies fall into. The criteria are:

You are in direct scope as a digital service provider if:

  1. You provide one of the listed services: cloud computing, data centre, content delivery network, DNS, TLD name registry or trust services (Annex I, digital infrastructure); managed services or managed security services (Annex I, ICT service management); or an online marketplace, online search engine or social networking platform (Annex II, digital providers), AND
  2. You provide that service to customers in at least one EU member state, AND
  3. You are at least a medium-sized enterprise under Commission Recommendation 2003/361/EC (50 or more employees, or annual turnover and balance sheet total above EUR 10 million). The size test does not apply to DNS service providers, TLD name registries, domain name registration services and trust service providers, which are in scope regardless of size (Article 2(2)).

If all three are true, you are in scope regardless of where your headquarters is located. NIS2 applies to entities that provide their services or carry out their activities within the Union (Article 2(1)); for an entity with no EU establishment, jurisdiction follows the member state where its designated representative is established (Article 26). This catches many founders by surprise. A US SaaS with no EU office and 30 EU customers can be in direct scope. A US SaaS with no EU customers but a marketing presence at EU events generally is not.

If you are in direct scope, NIS2 requires you to:

  • Designate a representative established in one of the EU member states where you offer services, who acts as the regulatory contact (Article 26(3), similar to GDPR Article 27). You are then deemed to fall under the jurisdiction of that member state.
  • Register with the competent authority of that member state, supplying the details Article 27 requires: name, sector and entity type, address, up-to-date contact details, the member states where you provide services, and IP ranges where applicable. In some member states the competent authority and the national CSIRT are the same body; in others they are not.
  • Report significant incidents to the CSIRT or competent authority (Article 23): an early warning within 24 hours of becoming aware, an incident notification within 72 hours, intermediate updates on request, and a final report within one month of the 72-hour notification. Recipients of your service who are likely to be adversely affected must be notified as well. The clock starts at awareness, not at containment.
  • Implement the ten risk-management measures of Article 21(2): risk analysis and information system security policies; incident handling; business continuity, backups, disaster recovery and crisis management; supply chain security; secure acquisition, development and maintenance including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; cyber hygiene and training; cryptography and encryption policies; HR security, access control and asset management; and MFA or continuous authentication plus secured voice, video and text communications.
  • Demonstrate management oversight: the management body approves the risk-management measures, oversees their implementation, can be held liable for infringements, and its members must follow cybersecurity training (Article 20).
  • Cooperate with supervision by the competent authority, which can include on-site inspections, security audits and requests for evidence of implementation (Articles 32 and 33).

Step Three

Path B: Indirect Scope Through Your Customers' Supply Chain

NIS2 Article 21(2)(d) requires regulated entities to manage the cybersecurity of their supply chain, "including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." This is the clause that pushes obligations downstream.

In practice, this means your EU customers in regulated sectors (banks, energy, healthcare, transport, manufacturing, public administration, etc.) are now under a regulatory obligation to assess and manage your security as their supplier. They typically execute this through contract amendments. We have seen the same set of clauses appear in amendments from German banks, Dutch energy operators, French hospitals, Italian manufacturers, and Spanish telecoms over the past nine months. The clauses are remarkably similar:

Clause and typical wording:

Right to audit: "Customer or its appointed third-party auditor shall have the right to audit Supplier annually with 30 days notice."
Incident notification: "Supplier shall notify Customer within 4 to 24 hours of any security incident affecting Customer data or services."
Penetration testing: "Supplier shall conduct independent penetration testing at least annually and provide the executive summary to Customer."
Sub-processor controls: "Supplier shall maintain a list of sub-processors and notify Customer of any changes 60 days in advance."
Exit strategy: "Supplier shall maintain a documented exit strategy, including data return and migration support, accessible upon request."
Security certifications: "Supplier shall maintain SOC 2 Type 2 or ISO 27001 certification and provide annual report."
Liability and indemnity: "Supplier liability cap shall not apply to security incidents resulting in Customer regulatory fines."
Geographic restrictions: "Customer data shall be stored and processed only in EU member states or countries with an adequacy decision."

The good news is that these clauses are negotiable. The bad news is that the strongest negotiating leverage you have is to actually meet the clauses, not to argue them out of existence. EU procurement teams have a regulatory backstop: they cannot accept supplier risk that puts their own NIS2 compliance at risk. This is why the most common outcome of these negotiations is a few softened clauses (the right-to-audit usually narrows to "right to receive an annual SOC 2/ISO 27001 report") and most other clauses surviving largely intact.

Step Four

SOC 2, ISO 27001, and the NIS2 Gap

Most US SaaS companies have SOC 2. Many have ISO 27001. The most common question we get is "do these cover NIS2?" The honest answer is "they cover the security part well, the operational and regulatory parts not at all." Here is the comparison:

Figure 2. Coverage of common SaaS security frameworks against NIS2 requirements (Y: covered, P: partial, N: not covered). The gap is mostly regulatory, not technical.

Domain                              SOC 2 Type 2   ISO 27001   NIS2 requires
Risk management                     Y              Y           Y
Incident handling (process)         Y              Y           Y
24h/72h reporting to CSIRT          N              N           Y
Member-state registration           N              N           Y
Encryption                          Y              Y           Y
Supply-chain due diligence          P              Y           Y
Management training                 N              P           Y
Personal liability of management    N              N           Y
EU representative requirement       N              N           Y
MFA, access control                 Y              Y           Y
Business continuity / DR            Y              Y           Y
Public reporting / transparency     P              P           Y

Bottom line: SOC 2 and ISO 27001 cover roughly 70% of the security domains; the remaining roughly 30% is regulatory plumbing.

If you already have SOC 2 Type 2 and ISO 27001, the additional work to be NIS2-ready is roughly: (1) designate an EU representative, (2) register with the competent authority in your representative's member state, (3) update your incident response plan to include the 24-hour early warning, 72-hour notification and one-month final report path, plus the customer notifications that sit alongside it, (4) document management training on cybersecurity and have the risk-management measures approved by management, (5) review and adjust supply chain controls to include flow-down clauses to your sub-processors. We typically deliver this in 4 to 6 weeks for a US SaaS that already holds SOC 2 Type 2.

Step Five

A 90-Day NIS2 Readiness Roadmap for SaaS

Figure 3. The 90-day roadmap that takes a US SaaS from "we got a NIS2 amendment" to "we are demonstrably ready." Three phases: Assess, Implement, Demonstrate.

Phase 1, Assess (days 1 to 30)
  Weeks 1-2: direct vs indirect scope determination; inventory of EU customers; map their NIS2 status.
  Weeks 3-4: gap analysis against SOC 2/ISO 27001; choose the representative's member state; budget and plan approval.

Phase 2, Implement (days 31 to 60)
  Weeks 5-6: appoint EU representative; update IR plan (24h/72h/one-month path); sub-processor flow-downs; DPA and addenda updates.
  Weeks 7-8: management training; risk register refresh; penetration test if not current.

Phase 3, Demonstrate (days 61 to 90)
  Weeks 9-10: register with the competent authority; tabletop exercise on IR; trust portal NIS2 page; customer-facing FAQ.
  Weeks 11-12: negotiate amendments; independent attestation; NIS2-ready posture.

Compressed timelines (45 to 60 days) are achievable when SOC 2 Type 2 is already in place.

Step Six

What Does NIS2 Readiness Actually Cost a SaaS Company?

Costs depend heavily on starting position. Here are the ranges we see in practice for a 50-150 person US SaaS with EU customers in regulated sectors:

Starting position                        Year-one cost (USD)     Time to ready
SOC 2 Type 2 + ISO 27001                 $15,000 - $30,000       4-6 weeks
SOC 2 Type 2 only                        $25,000 - $50,000       8-10 weeks
SOC 2 Type 1 only or in progress         $45,000 - $80,000       10-14 weeks
No formal program                        $80,000 - $150,000      16-24 weeks

These ranges include the EU representative engagement (typically EUR 4,000 to EUR 12,000 per year), the assessment and gap remediation work, document updates, training delivery, and the supporting tabletop exercise. They do not include any pre-existing audit costs (you are paying those anyway) or ongoing CSIRT registration fees (usually nominal).

The math that matters more than the absolute cost: what is the value of the EU revenue you are protecting? For most US SaaS in this position, even one EU bank or healthcare customer represents annual contract value far exceeding the entire compliance budget. The decision is rarely about cost; it is about whether to invest now versus risk a non-renewal.

How Atlant Security Helps

NIS2 Readiness for SaaS, Built On Top of Your Existing Program

If you already have SOC 2 or ISO 27001, you do not need to start over. Our NIS2 readiness engagement starts with a gap analysis against your existing audit evidence and produces a delta-only plan. We help with EU representative selection, member-state registration, contract amendment review, management training, and the tabletop exercise. Final deliverable is an attestation letter you can attach to the next round of customer questionnaires.

  • Fixed pricing from $15,000 for SOC 2 + ISO 27001 holders
  • Delta-only scoping - we do not redo what you already have
  • EU representative network in 9 member states
  • Contract amendment negotiation support
  • Pay after delivery and review

Frequently Asked

Questions We Hear From SaaS Founders Every Week

Our SaaS is in Delaware. We have no EU office. Are we really in NIS2 scope?

Possibly yes via Path A (direct), almost certainly yes via Path B (supply chain), if you have EU customers in regulated sectors. The geographic question NIS2 asks is about where you provide services, not where your headquarters sits. Even if Path A does not apply, your EU customers will likely impose obligations that look very similar.

Which member state should we pick for our EU representative?

The most common choices are Ireland, the Netherlands, Germany, and France, in that order. Ireland and the Netherlands have well-developed CSIRT and competent authority processes. Germany has strict requirements but the largest legal precedent base. France has the most prescriptive interpretation. We recommend Ireland for most US SaaS unless there is a specific reason (largest customer concentration in another country, language preferences, existing legal entity).

Does NIS2 conflict with US laws or our SOC 2 commitments?

In practice, no. The 24/72-hour notification timing is faster than typical SOC 2 commitments but not contradictory. The right-to-audit clauses are negotiable. The data residency clauses require care - some are workable with current AWS/GCP/Azure region selection, others (especially "EU-only data center") may require infrastructure changes. We have not seen a true conflict between NIS2 obligations and US law for any of our clients.

If we do nothing, what happens?

In the direct-scope case, member-state competent authorities have started enforcement in 2025 and 2026. Fines have already been issued in Germany and the Netherlands. In the indirect-scope case, your EU customers will start declining renewals or imposing punitive contract terms. We have one client whose largest EU customer reduced their contract by 40% pending demonstrated readiness; the loss alone exceeded what compliance would have cost.

Can we just say no to the contract amendment and renegotiate?

You can negotiate, but you cannot say no. Your customer is under regulatory obligation to manage your security as part of their NIS2 program. If you decline the entire amendment, they will eventually be forced to find a supplier who accepts. The smarter approach is to negotiate the language (right-to-audit narrowed to annual SOC 2 reports, notification timing realistic, data residency realistic) while accepting the substance.

How is NIS2 different from DORA, and do we need both?

NIS2 is the horizontal directive; DORA is the sector-specific regulation for financial entities, and under NIS2 Article 4 its risk-management and incident-reporting rules displace NIS2's for those entities. If your customers include EU banks, payment institutions, insurers, investment firms, or crypto-asset service providers, the obligations they push down to you therefore come from DORA, and its Article 30 contractual provisions are more prescriptive than NIS2's supply chain language (mandatory clauses on service levels, incident assistance, audit and access rights, and exit and termination). A provider designated as a critical ICT third-party service provider can additionally be placed under direct oversight by the European Supervisory Authorities (DORA Article 31). We have a separate post on DORA for SaaS that covers the financial services overlay.

The pattern we see in inboxes right now is consistent: a US SaaS gets a contract amendment from one large EU customer, panics, calls a few people, decides it is too much, and gets the same amendment from a second customer two weeks later. By the third one the answer flips from "this is too much for one customer" to "this is what doing business in Europe looks like in 2026." The earlier you accept the inevitability and start the work, the better your contractual leverage and the smaller your eventual cost.

The good news is that for SaaS companies that already have SOC 2, the gap is not that large. Most of the work is regulatory plumbing rather than security engineering. Done well, it positions you to win more EU deals, not fewer.

Need help mapping your scope, negotiating an amendment, or building a 90-day plan? Book a 30-minute consultation or email alexander@atlantsecurity.com directly.

Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.