SaaSFort
nis2 us-saas non-eu saas-security enterprise-deals regulatory

Does NIS2 Apply to a US SaaS Selling Into the EU?

You are a US or non-EU SaaS with European customers. NIS2 may not regulate you directly, but it still reaches you through every EU enterprise deal. Here is exactly how, and what evidence closes it.

ST
SaaSFort Team
· 5 min read · 928 words

You are based in the US, you have no EU office, and a European prospect just sent you a questionnaire asking about NIS2. Your first instinct is that an EU directive cannot apply to a US company. That instinct is half right and it will still cost you the deal. Here is the accurate picture.

The Direct Answer

NIS2 is an EU directive. It regulates entities that provide services within the EU and meet its size and sector tests. If you have no establishment in the EU and are not designated as a provider of a covered service there, NIS2 most likely does not name you as a regulated entity directly.

That is the half that is comforting. Now the half that matters for revenue.

How It Reaches You Anyway

NIS2 makes every covered EU company responsible for the security of its supply chain, under Article 21. Your European enterprise customer is a covered entity. To satisfy its own obligation, it must assess the security of the vendors it depends on, including a US SaaS.

So the directive does not send you a letter. It sends your customer a duty, and your customer passes that duty to you as a purchasing condition. In practice a non-EU SaaS feels NIS2 as:

  • A security questionnaire attached to an EU deal, asking about NIS2 alignment
  • A procurement requirement for evidence of your external security posture
  • A contract clause obliging you to maintain and demonstrate certain controls

None of that depends on you being regulated. It depends on your customer being regulated, and wanting to keep buying from you. To check if you are ever in direct scope too, our NIS2 scope self-check covers both routes.

Why “We Are US-Based” Is Not an Answer

The response that loses deals is telling the reviewer that NIS2 does not apply because you are American. From their side, that reads as either a misunderstanding of their supply-chain duty or an unwillingness to cooperate. Either way it stalls the review.

The reviewer is not asking you to become a regulated EU entity. They are asking you to show that your security posture meets the bar they are obliged to check. That is a request you can satisfy in an afternoon, whatever your headquarters address.

What They Actually Want to See

Strip the questionnaire down and the EU buyer wants the same evidence a domestic one would, framed against NIS2 language:

  1. An attestation if you hold one (SOC 2 is widely accepted in the EU as supporting evidence, though it is not a NIS2 or ISO equivalent). If you are weighing frameworks, see NIS2 vs ISO 27001.
  2. A clear data-handling summary: where EU customer data lives, who accesses it, how it is encrypted. For EU deals, data residency and transfer questions often sit next to the NIS2 ones.
  3. Current external-posture evidence: TLS, security headers, no exposed admin panels, email authentication, no public JavaScript with known CVEs.

The third item is the one that trips up vendors, because it is about the live state of your domain, not a policy you wrote. Our breakdown of what auditors actually ask for maps each of these to its Article 21 control.

The Fastest Path Through an EU Review

You do not need an EU entity, a German office, or a consultant on retainer to answer the technical half. You need to know your external posture and be able to hand over dated proof.

Run a free external scan on your domain and read the A-F grade in about a minute. That shows you exactly where an EU reviewer’s technical check would land today, and which items (usually TLS or headers) you can fix before you reply.

Then capture it. SaaSFort scans across 60 external checks, grades A to F, and maps each finding to its NIS2 Article 21 control and ISO 27001 Annex A reference. The one-time audit pack is €39: a dated, branded PDF you attach to the EU customer’s security review as external-posture evidence. No subscription, no card on the first scan, and no EU presence required to use it. It does not make you a regulated NIS2 entity, and it does not need to. It answers the supply-chain question your customer is obliged to ask.

Get your EU security-review evidence pack for €39

FAQ

We have no EU office. Are we exempt from NIS2? From direct regulation, most likely yes, if you have no establishment in the EU and are not a designated provider there. From the practical requirement, no. Your covered EU customers must assess your security under their own supply-chain duty, so you still get asked for evidence.

Can we just tell EU customers NIS2 does not apply to us? That answer stalls deals. The customer is not claiming you are regulated. They are discharging their own legal duty to check their vendors. Give them the evidence instead of the jurisdictional argument.

Is SOC 2 enough for an EU NIS2-driven review? It helps a lot, but it is not a NIS2 or ISO 27001 equivalent. EU reviewers commonly accept SOC 2 as supporting evidence, then still check your live external posture, which a SOC 2 snapshot does not show. Pairing SOC 2 with a current scan report covers both.

Do we need an EU data-residency setup to pass? Sometimes, depending on the customer and the data. That is a separate question from NIS2 posture. For the NIS2 supply-chain part specifically, current external-posture evidence plus clear data-handling answers is usually what unblocks the review.

Ready to put this into practice?

Two ways to start — pick what fits. Free Scan if you want to see your security grade in 60s with no commitment. Free 14-day Growth trial if you're ready to monitor multiple domains, export NIS2 reports, and download Deal Reports — no credit card required.

No credit card · Cancel anytime · GDPR-ready · EU-hosted

Continue reading