NIS2 for SaaS vendors: six months to pass the audit
Applicable since October 2024, the NIS2 directive starts to bite in 2026. SaaS vendors classified as "important entities" face new technical obligations.
The NIS2 directive (Network and Information Security 2) entered into force on 17 October 2024, transposed into French law in November 2024. For 18 months, the SaaS ecosystem looked the other way — it was mostly seen as a topic for critical operators: banks, hospitals, energy. In 2026, the perimeter is becoming clearer, and many B2B SaaS vendors are discovering that they are, in fact, classified as "important entities" under Annex II.
Who is really concerned?
Annex II lists digital service providers: cloud computing services, online marketplaces, search engines, managed services, datacenters, TLD registries. For a SaaS vendor, classification almost systematically goes through "cloud computing services" or "managed services" as soon as the solution hosts customer data (which is the case by construction).
Thresholds: ≥ 50 employees or ≥ €10m revenue is enough to fall under "important entity" scope. Above 250 employees or €50m, you become an "essential entity" with a stricter control regime. Concretely, a Series-B SaaS vendor with 80 employees and €12m ARR is classified as "important entity" with direct obligations, even though no one ever notified them.
The technical obligations that hurt
Incident notification within 24h / 72h
Any security incident with a "significant impact" must be notified to the French ANSSI: early warning within 24h, detailed notification within 72h, final report within 1 month. The "significant impact" notion is deliberately broad (service disruption, data breach, propagation to third parties). In practice, the difficulty isn't knowing how to notify — it's knowing you have an incident at all, which requires real-time supervision and a tamper-proof audit log.
Minimum technical measures (article 21)
Article 21 of the directive lists 10 categories of measures to implement, including a risk-analysis policy, incident management, business continuity, network and information-system security, MFA and encryption, and training. The hardest one is supply-chain security (vendor risk management): for a SaaS vendor consuming 30-50 technical sub-contractors (CDN, observability, payments, email, AI), it requires a living register and supplier compliance audits.
Personal liability of executives
What is new with NIS2: the directive engages executives personally. The CEO and CTO can have their civil liability triggered, or even be barred from managerial roles. That is what changes the board posture the most: NIS2 is no longer a CISO topic, it is a board topic.
The gap between SOC 2 and NIS2
SaaS vendors that passed SOC 2 Type II often think they are NIS2-compliant by construction. They are not. SOC 2 is an American framework, audited by a private firm, on 5 trust principles (Security, Availability, Processing Integrity, Confidentiality, Privacy). NIS2 is a European directive, controlled by ANSSI, with specific obligations (24h/72h notification, supplier register, continuity exercises). Overlaps exist (encryption, MFA, audit logs) but represent no more than 60-70% of NIS2 scope.
The right sequencing: SOC 2 Type II first (because enterprise customers require it in their DPAs), NIS2 next (because the directive imposes it), without confusing the two, and knowing that NIS2 will require 3-6 additional months of work after SOC 2.
2026 controls: targeted, not systematic
ANSSI will not control every SaaS vendor. Its 2026 strategy is to target actors that: (1) have had a notified incident, (2) are mentioned in a customer or competitor complaint, (3) are identified via public registers above suspect thresholds. The audit, when it comes, is documentary first (review of policies, registers, supplier contracts), then technical (audit of architecture, logs, procedures).
For an SME SaaS vendor wanting to be ready in 2026, the work fits into four work-streams: (1) declaration to the regulator, (2) incident register and notification procedure, (3) supplier register with annual audits, (4) tested business-continuity plan. None of these is insurmountable, but none is done in 2 weeks.
Topics covered
- NIS2
- SOC 2
- SaaS cybersecurity
- Compliance
- Regulation
How Swoft turns this challenge into software
NIS2 compliance does not boil down to a single product; it is a cross-cutting discipline. Here is how Swoft equips SaaS vendors to make that discipline operational rather than theoretical.
- 01 Tamper-proof, queryable audit log
Every sensitive action (admin access, data export, configuration change, record deletion) is recorded in a timestamped, append-only journal. The query "who did what on tenant X between these two dates" resolves in a few seconds, which is useful for SOC 2, for NIS2, and for answering a legal request.
- 02 Incident detection and ANSSI notification
Detection rules on suspicious patterns (unusual extraction volumes, bursts of failed logins, sensitive configuration changes). When an incident is confirmed, the ANSSI notification form is pre-filled from the logs; the CISO validates and sends it in under 24h. The detailed 72h report is generated automatically with the reconstructed timeline.
- 03 Register of technical sub-contractors with annual reviews
A living inventory of suppliers (CDN, observability, AI, email, payments) with their certifications (SOC 2, ISO 27001, NIS2 where applicable), audit dates, and DPO/CISO contacts. Renewals are reminded; non-renewals are flagged to the board.
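The following is an added example, not Swoft's product code, showing what the append-only audit log and the detection rules described above can look like in practice: an in-memory log where each entry is hash-chained to the previous one (so editing or deleting a stored entry breaks verification), the "who did what on tenant X between two dates" query, a burst-of-failed-logins rule and a bulk-export rule. Event names, actors, tenants, timestamps and thresholds are constructed for the example and are assumptions, not values from the page.

```python
"""Tamper-evident audit log, tenant/time query, and two detection rules.

Added example (not Swoft's code): each entry is chained to the previous one
with SHA-256, so any edit or deletion inside the log breaks verify().
All events below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes identically
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    """Append-only log: there is deliberately no update or delete method."""

    def __init__(self):
        self._entries = []

    def append(self, ts, actor, tenant, action, outcome="success", **details):
        record = {"ts": ts.isoformat(), "actor": actor, "tenant": tenant,
                  "action": action, "outcome": outcome, "details": details}
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        self._entries.append({"record": record, "prev": prev,
                              "hash": _entry_hash(prev, record)})

    def records(self):
        return [e["record"] for e in self._entries]

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["prev"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def query(self, tenant, start, end):
        """'Who did what on tenant X between start and end' (end exclusive)."""
        return [r for r in self.records()
                if r["tenant"] == tenant
                and start <= datetime.fromisoformat(r["ts"]) < end]


def detect_login_bursts(log, threshold=5, window=timedelta(minutes=5)):
    """Rule: `threshold` failed logins by one actor inside a sliding `window`."""
    recent, alerts = {}, []
    for r in log.records():
        if r["action"] != "login" or r["outcome"] != "failure":
            continue
        ts = datetime.fromisoformat(r["ts"])
        bucket = recent.setdefault(r["actor"], [])
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t <= window]  # keep only the window
        if len(bucket) >= threshold:
            alerts.append({"rule": "login_burst", "actor": r["actor"],
                           "tenant": r["tenant"], "ts": r["ts"]})
            bucket.clear()  # one alert per burst
    return alerts


def detect_bulk_exports(log, max_rows=100_000):
    """Rule: a single data export larger than `max_rows` (assumed threshold)."""
    return [{"rule": "bulk_export", "actor": r["actor"], "tenant": r["tenant"],
             "ts": r["ts"], "rows": r["details"]["rows"]}
            for r in log.records()
            if r["action"] == "data.export" and r["details"].get("rows", 0) > max_rows]


# Constructed time window for the sample data (assumed values)
T0 = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)
T_END = T0 + timedelta(minutes=10)


def build_sample_log():
    """Constructed events for one tenant ('acme') plus one for another ('globex')."""
    log = AuditLog()
    log.append(T0, "alice@acme.example", "acme", "config.change",
               key="sso.enforce", old=False, new=True)
    for i in range(6):  # six failed logins 20 s apart
        log.append(T0 + timedelta(seconds=20 * i), "mallory@acme.example",
                   "acme", "login", outcome="failure")
    log.append(T0 + timedelta(minutes=3), "alice@acme.example", "acme",
               "data.export", rows=250_000)
    log.append(T0 + timedelta(minutes=4), "bob@globex.example", "globex",
               "record.delete", record_id="inv-42")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    print("acme events in window:", len(log.query("acme", T0, T_END)))
    print("alerts:", detect_login_bursts(log) + detect_bulk_exports(log))
    log._entries[2]["record"]["outcome"] = "success"  # simulate tampering with a stored entry
    print("first broken entry after tampering:", log.verify())
```

In production the chain head (the latest hash) would be anchored outside the application's own database, for example written periodically to a separate store the application cannot modify, otherwise an attacker with write access could rewrite the whole chain consistently; the in-memory version here only shows the mechanism and the queries that the 24h/72h notification workflow depends on.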