SaaSFort
nis2 compliance-scope saas-security regulatory eu

Am I in Scope for NIS2? A SaaS Vendor Scope Check

NIS2 scope confuses most SaaS founders. Here is a direct decision path: the size threshold, the sector test, and the supply-chain rule that pulls you in even when you think you are exempt.

ST
SaaSFort Team
· 6 min read · 1,116 words

Most SaaS founders ask the wrong first question about NIS2. They ask “is my company big enough to be regulated?” The question that actually matters is “does one of my customers think I am in their supply chain?” Both can pull you in. Here is how to tell.

The Two Ways NIS2 Reaches You

NIS2 applies to your company through one of two routes. You need to check both, because the second one catches vendors who assume they are too small for the first.

Route 1: You are directly in scope. Your company meets a size threshold and operates in a covered sector.

Route 2: You are in a covered company’s supply chain. You do not meet the threshold yourself, but a customer who does is now required to assess your security, and they push that requirement down to you through their vendor review.

Route 1 is a legal obligation. Route 2 is a commercial one. For a SaaS selling into mid-market and enterprise, Route 2 arrives first and hits harder, because it shows up as a stalled deal, not a regulator letter.

Route 1: The Direct Scope Test

Direct scope has two parts that both have to be true: size and sector.

The size threshold. NIS2 covers medium and large entities. In practice that means 50 or more employees, or annual turnover and balance sheet above 10 million EUR. Below that, you are generally outside direct scope, with exceptions for certain critical providers regardless of size.

The sector test. NIS2 splits covered sectors into “essential” and “important” entities. The digital sector is explicitly listed. If you provide cloud computing, data centre services, managed services, managed security services, online marketplaces, search engines, or social platforms, you are in a covered sector. Many B2B SaaS products fall under cloud or managed services more directly than founders expect.

If you clear both the size threshold and the sector test, you are directly in scope and the obligations are legal. If you are a German entity, the BSI registration requirement applies, and our checklist for German SMBs covers the specifics.

Route 2: The Supply-Chain Rule

This is the one that surprises people. NIS2 Article 21 requires covered entities to manage the security of their supply chain. That means every company directly in scope now has to assess the security posture of its vendors, including you.

So even a 12-person SaaS with 2 million EUR turnover, well under the direct threshold, gets pulled in the moment it sells to a company that is covered. The covered customer cannot simply trust you. They have a legal duty to check, and they discharge it by sending you a security questionnaire and asking for evidence.

You will feel Route 2 as:

  • A security questionnaire attached to a deal you thought was closed
  • A procurement team asking for your NIS2 or ISO 27001 alignment
  • A request for proof of your external security posture before onboarding

None of that requires you to be directly regulated. It requires your customer to be. For the mechanics of answering that request fast, see how to answer a vendor security questionnaire in 48 hours.

A Straight Decision Path

Run yourself through this in order:

  1. Do you have 50+ employees or 10M+ EUR turnover, and operate in a digital or other covered sector? If yes, you are directly in scope. Register and build evidence.
  2. If no, do you sell to companies that meet that bar? If yes, you are in scope commercially through their supply-chain duty. You will be asked for security evidence whether or not you are legally regulated.
  3. If no to both today, the picture changes the moment you win one covered customer. Most growing B2B SaaS vendors cross into Route 2 well before Route 1.

For almost every SaaS with enterprise ambitions, the honest answer is that you are in scope through Route 2 already, or you will be with your next enterprise deal.

What Being In Scope Actually Requires

Whichever route applies, the technical evidence a reviewer or auditor asks for is the same short list. Our breakdown of what auditors actually ask for under NIS2 Article 21 maps each measure to its proof. The external-posture part, the piece a customer can verify from outside without trusting your word, comes down to:

  • TLS configuration with no deprecated versions
  • Security headers present, including HSTS
  • No exposed admin panels, staging environments, or source maps
  • Email authentication (SPF, DKIM, DMARC) in place
  • No public pages running JavaScript with known CVEs

You can see exactly where you stand on all of these in about a minute. Run a free external security scan on your domain and read the A-F grade. That tells you whether a NIS2-driven review would pass you or flag you today.

The Fastest Way to Answer the Question in Practice

The theoretical scope question matters for your legal team. The practical one, “can I show a customer I am secure right now?”, matters for your next deal. Those are different problems, and the second is the one that closes revenue.

SaaSFort scans your domain across 60 external checks, grades it A to F, and maps every finding to its NIS2 Article 21 control. The one-time audit pack is €39: a branded PDF you attach to a security review, no subscription, no card on the first scan. When a covered customer sends the supply-chain questionnaire, that document is the answer to the external-posture section.

Get your NIS2 evidence pack for €39

FAQ

We are under 50 employees. Are we exempt from NIS2? From direct legal scope, usually yes. From the practical requirement, often no. If you sell to companies that are covered, their supply-chain duty under Article 21 means they must assess your security, so you get pulled into the evidence requirement regardless of your own headcount.

Which sectors count as “covered” for a SaaS? The digital infrastructure and digital provider categories are the common ones: cloud computing services, managed services, managed security services, data centres, online marketplaces, and search engines. Many B2B SaaS products qualify as cloud or managed service providers.

What is the difference between “essential” and “important” entities? Both are in scope. The distinction mainly affects supervision and penalty ceilings, essential entities face stricter oversight. For scope purposes, if you land in either category you have the same core Article 21 obligations.

How do I prove scope compliance to a customer? Attach current evidence to their review: an attestation if you hold one, a data-handling summary, and a dated external-posture report. The audit pack covers the external-posture piece with a control-mapped PDF you can hand over directly.

Ready to put this into practice?

Two ways to start — pick what fits. Free Scan if you want to see your security grade in 60s with no commitment. Free 14-day Growth trial if you're ready to monitor multiple domains, export NIS2 reports, and download Deal Reports — no credit card required.

No credit card · Cancel anytime · GDPR-ready · EU-hosted

Continue reading