
NIS2 and SaaS: EU Compliance Guide for IT Leaders

NIS2 is the biggest EU cybersecurity regulation since GDPR — with major implications for SaaS. Learn what IT leaders need to know about compliance.

Coax Team · March 24, 2026 · 10 min read

What Is NIS2?

The Network and Information Security Directive 2 (NIS2) is the European Union's updated cybersecurity framework. It replaces the original NIS Directive from 2016 and represents the most significant expansion of EU cybersecurity regulation since GDPR.

NIS2 entered into force on January 16, 2023, and EU member states were required to transpose it into national law by October 17, 2024. Organizations in scope must now comply with comprehensive cybersecurity risk management requirements — or face penalties of up to €10 million or 2% of global annual turnover, whichever is higher.

For IT leaders, NIS2 is not just a compliance exercise. It fundamentally changes how organizations must approach cybersecurity, including how they manage, secure, and govern their SaaS environments.

Does NIS2 Apply to Your Organization?

NIS2 dramatically expanded the scope of EU cybersecurity regulation. The original NIS Directive applied to a few hundred organizations per member state. NIS2 applies to tens of thousands across the EU.

Essential Entities (Higher Obligations)

Organizations in these sectors with 250+ employees or €50M+ turnover:

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (hospitals, labs, pharma, medical devices)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLDs, cloud, data centers, CDNs)
  • ICT service management (managed service providers, managed security providers)
  • Public administration
  • Space

Important Entities (Standard Obligations)

Organizations in these sectors with 50+ employees or €10M+ turnover:

  • Postal and courier services
  • Waste management
  • Chemicals manufacturing and distribution
  • Food production and distribution
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital providers (online marketplaces, search engines, social platforms)
  • Research organizations

The Supply Chain Effect

Even if your organization is not directly in scope, NIS2 has a supply chain provision (Article 21(2)(d)) that requires in-scope entities to address cybersecurity in their supply chain relationships. If you are a supplier to an essential or important entity, your customer may impose NIS2-derived security requirements on you.

This means NIS2's influence extends far beyond the directly regulated entities.

NIS2 Requirements That Impact SaaS Management

NIS2's cybersecurity risk management requirements (Article 21) include several provisions that directly affect how organizations manage their SaaS environments.

1. Supply Chain Security (Article 21(2)(d))

The requirement: Organizations must address cybersecurity risks in their supply chain, including "security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

SaaS implication: Every SaaS vendor is a supplier. Under NIS2, you must:

  • Maintain an inventory of all SaaS vendors (including shadow IT)
  • Assess the cybersecurity posture of each vendor
  • Ensure contractual security requirements are in place
  • Monitor vendors for security incidents and posture changes

The challenge: You cannot assess what you don't know about. If your organization uses 200+ SaaS applications and IT is aware of 60, you have 140+ unassessed suppliers — a direct compliance gap. This is where shadow IT discovery becomes essential.

2. Risk Management and IT Asset Inventory (Article 21(2)(a))

The requirement: Organizations must implement risk analysis policies and information system security policies, including maintaining an inventory of IT assets.

SaaS implication: SaaS applications are IT assets. NIS2 requires a comprehensive, up-to-date inventory of all IT assets — which includes every SaaS application in use, who has access, what data it processes, and what security controls are in place.

A spreadsheet updated annually does not meet this standard. The inventory must be current and comprehensive.

3. Incident Handling (Article 21(2)(b))

The requirement: Organizations must have incident detection, reporting, and response capabilities.

SaaS implication: If a SaaS vendor suffers a security incident that affects your data, you must be able to:

  • Detect the incident (or be notified promptly)
  • Assess its impact on your organization
  • Report it to the relevant national authority within 24 hours (early warning) and 72 hours (full notification)
  • Take remediation steps

For shadow IT applications, detection is impossible — you don't know the application exists, so you won't learn about a breach until the damage is done. You also cannot assess impact for applications not in your asset inventory.

4. Access Control and Asset Management (Article 21(2)(i))

The requirement: Organizations must implement policies for access control and asset management, including human resources security and appropriate authentication measures.

SaaS implication: This requires:

  • Knowing who has access to which SaaS applications
  • Implementing appropriate authentication (MFA, SSO where possible)
  • Revoking access promptly when employees leave or change roles
  • Monitoring for unauthorized access

The offboarding challenge: When an employee leaves, NIS2 requires their access to be revoked across all systems. For sanctioned applications connected to your IdP, this can be automated. For shadow IT applications, it's impossible — you don't know the accounts exist. See our SaaS offboarding checklist for a comprehensive approach.

5. Business Continuity (Article 21(2)(c))

The requirement: Organizations must have business continuity management, including backup management, disaster recovery, and crisis management.

SaaS implication: If your organization depends on a SaaS application for business-critical processes, NIS2 requires:

  • Documented backup and recovery procedures for data in SaaS applications
  • Tested disaster recovery plans
  • Alternative arrangements if a critical SaaS vendor goes offline

You cannot have business continuity plans for applications you don't know your teams depend on.

The NIS2 Incident Reporting Timeline

NIS2 introduces a strict multi-stage incident reporting obligation that has direct implications for SaaS management:

Stage                  | Deadline      | Requirement
Early warning          | 24 hours      | Notify national CSIRT/authority of significant incident
Incident notification  | 72 hours      | Provide initial assessment including severity and impact
Intermediate report    | Upon request  | Provide status updates when requested by authority
Final report           | 1 month       | Detailed description, root cause analysis, mitigation measures

Why this matters for SaaS: A significant incident at any SaaS vendor in your environment could trigger this reporting obligation. Without a complete vendor inventory, you cannot:

  • Determine if an incident at a particular SaaS vendor affects your organization
  • Assess the severity and scope of impact
  • Provide accurate incident notifications
  • Perform meaningful root cause analysis for your organization's exposure

The 24-hour early warning deadline is particularly challenging. If you learn about a SaaS vendor breach through media reports, you need to immediately determine whether your organization uses that vendor and what data is at risk. With no SaaS inventory, this becomes a scramble rather than a process.
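The triage the timeline above demands (and the SaaS incident response process Gap 5 below says is usually missing) can be reduced to a small, repeatable check: given a continuously maintained inventory, answer "do we use this vendor, what data and how many users are exposed, and when are the reports due?" The following is an added illustration, not Coax's code; the inventory, the sensitivity scale, and the 30-day reading of "1 month" are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SaasApp:
    name: str
    vendor: str             # vendor domain used to match breach notices
    data_types: frozenset   # categories of data the app processes
    users: int
    sanctioned: bool        # False = shadow IT found via OAuth/email scanning


# Constructed sample inventory (hypothetical apps and vendors, not real data)
INVENTORY = [
    SaasApp("Acme CRM", "acme.example", frozenset({"PII", "financial"}), 120, True),
    SaasApp("Acme Notes", "acme.example", frozenset({"internal docs"}), 7, False),
    SaasApp("Other Chat", "other.example", frozenset({"PII"}), 300, True),
]

# Assumed sensitivity scale for a first severity estimate (higher = more sensitive)
SENSITIVITY = {"internal docs": 1, "PII": 3, "financial": 3, "health": 4}


def nis2_deadlines(aware_at: datetime) -> dict:
    """Reporting clock from the moment the entity becomes aware of the incident.
    24 h early warning, 72 h incident notification, final report one month after
    the notification; 'one month' is approximated as 30 days here (assumption)."""
    notification = aware_at + timedelta(hours=72)
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": notification,
        "final_report": notification + timedelta(days=30),
    }


def assess_vendor_incident(inventory, vendor: str, aware_at: datetime):
    """Return exposure summary and deadlines, or None if the vendor is not in use."""
    affected = [a for a in inventory if a.vendor == vendor]
    if not affected:
        return None  # nothing in scope: no reporting obligation is triggered
    exposed_types = {t for a in affected for t in a.data_types}
    return {
        "affected_apps": [a.name for a in affected],
        "shadow_it": [a.name for a in affected if not a.sanctioned],
        "users_exposed": sum(a.users for a in affected),
        "data_types": sorted(exposed_types),
        "severity": max(SENSITIVITY.get(t, 1) for t in exposed_types),
        "deadlines": nis2_deadlines(aware_at),
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(assess_vendor_incident(INVENTORY, "acme.example", now))
```

Note that the shadow IT entry only appears in the result because discovery had already put it in the inventory; an app that is not in the list silently drops out of the impact assessment, which is exactly the gap the text describes.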

NIS2 Compliance Gaps in Typical SaaS Environments

Based on common SaaS management practices at mid-market companies, here are the most frequent NIS2 compliance gaps:

Gap 1: Incomplete Asset Inventory

NIS2 requirement: Comprehensive IT asset inventory
Typical reality: IT tracks 30-40% of SaaS applications

Impact: You cannot perform risk analysis, apply security controls, or report incidents for assets you don't know about. This is the foundational gap that makes all other requirements harder to meet.

Gap 2: Unassessed Vendor Security

NIS2 requirement: Supply chain security assessment
Typical reality: Security assessments exist only for major, IT-procured vendors

Impact: The majority of SaaS vendors — especially those adopted by individual employees or departments — have never been assessed for cybersecurity posture, data processing practices, or incident response capabilities.

Gap 3: No OAuth Governance

NIS2 requirement: Access control policies
Typical reality: Employees grant OAuth permissions freely with no monitoring

Impact: Third-party applications with broad access to corporate data (email, files, calendars) represent uncontrolled access that NIS2 requires you to manage. Without OAuth governance, you have no visibility into what permissions have been granted to which applications.

Gap 4: Incomplete Offboarding

NIS2 requirement: Access revocation for departing employees
Typical reality: Offboarding covers IdP-connected applications only

Impact: Former employees retain access to company data through shadow IT applications. This is both a security risk and a NIS2 compliance gap — access was not properly revoked across all systems.

Gap 5: No SaaS Incident Response

NIS2 requirement: Incident detection and 24-hour reporting
Typical reality: No process for SaaS vendor incidents

Impact: When a SaaS vendor suffers a breach, the organization cannot quickly determine whether it is affected, assess the impact, or meet the 24-hour early warning deadline.

NIS2 SaaS Compliance Checklist

Use this checklist to assess your organization's NIS2 readiness for SaaS environments:

Asset Inventory

  • Complete inventory of all SaaS applications in use (including shadow IT)
  • Each application mapped to: data processed, users, owner, risk level
  • Inventory updated continuously (not annually)
  • Shadow IT discovery automated via email and IdP scanning

Supply Chain Security

  • All SaaS vendors assessed for cybersecurity posture
  • Security requirements defined in vendor contracts or DPAs
  • Vendor risk register maintained and reviewed quarterly
  • High-risk vendors subject to enhanced monitoring

Access Control

  • OAuth permissions audited and excessive grants revoked
  • SSO/MFA implemented for all high-risk SaaS applications
  • Access reviews conducted regularly (at least quarterly)
  • Offboarding process covers all SaaS applications (including shadow IT)

Incident Response

  • SaaS vendor incident response procedure documented
  • 24-hour early warning process defined and tested
  • Vendor incident monitoring in place (security advisories, breach notifications)
  • Impact assessment template ready for SaaS-related incidents

Business Continuity

  • Critical SaaS dependencies identified and documented
  • Backup and recovery procedures in place for SaaS-stored data
  • Alternative arrangements defined for critical SaaS vendor failures
  • Business continuity plan tested annually

Governance

  • SaaS procurement policy aligned with NIS2 requirements
  • Approved software catalog maintained and published
  • SaaS risk management responsibilities assigned
  • Board-level reporting on SaaS cybersecurity posture

NIS2 Penalties: What's at Stake

NIS2 introduces significantly higher penalties than the original directive:

Essential Entities

  • Maximum fine: €10 million or 2% of global annual turnover (whichever is higher)
  • Management liability: Senior management can be held personally liable for non-compliance
  • Supervisory measures: Authorities can conduct audits, issue binding instructions, and order specific remediation

Important Entities

  • Maximum fine: €7 million or 1.4% of global annual turnover (whichever is higher)
  • Enforcement: Primarily reactive (investigations triggered by incidents or complaints)
  • Remediation orders: Authorities can require specific compliance measures

Management Accountability

NIS2 Article 20 is particularly notable: it requires management bodies (boards, executives) to approve and oversee cybersecurity risk management measures. Management must also undergo cybersecurity training.

This means the CISO or IT leader cannot own NIS2 compliance alone. The board must be informed about SaaS-related cybersecurity risks, approve risk management measures, and take responsibility for compliance.

If your board doesn't know about your shadow IT problem, that's itself a compliance gap.

Getting NIS2-Ready: A Practical Approach

NIS2 compliance for SaaS environments doesn't require a multi-year transformation program. A practical approach focuses on closing the highest-impact gaps first:

Month 1: Visibility

  • Deploy automated SaaS discovery (email + IdP scanning)
  • Build a complete application inventory
  • Identify all shadow IT
  • Map applications to data types processed

Month 2: Assessment

  • Assess vendor security posture for all discovered applications
  • Prioritize by risk (data sensitivity × vendor security posture)
  • Identify and remediate critical gaps (e.g., high-risk vendors with no DPA)
  • Audit OAuth permissions and revoke excessive grants

Month 3: Governance

  • Implement SaaS procurement policy aligned with NIS2
  • Publish approved software catalog
  • Establish vendor monitoring and incident response procedures
  • Deploy continuous monitoring for new SaaS adoption

Ongoing

  • Monthly shadow IT reviews
  • Quarterly vendor risk assessments
  • Annual business continuity testing for SaaS dependencies
  • Board reporting on SaaS cybersecurity posture

The Bottom Line

NIS2 is not optional, and it's not something you can address with a checkbox exercise. For SaaS environments, the foundation of compliance is visibility — a complete, continuously updated inventory of every application, user, and data flow.

Most mid-market companies have a significant gap between their current SaaS management practices and what NIS2 requires. The good news is that closing this gap starts with a single step: discovering what's actually in your environment. See how Coax's shadow IT discovery and security features help you get NIS2-ready.


Need to get NIS2-ready? Book a demo and see your complete SaaS inventory — including shadow IT — in 15 minutes.