Context: why NIS2 changes everything

The first NIS directive (2016) covered only about 500 critical infrastructure operators in France: energy, transport, hospitals. Since then, cyberattacks have exploded: 48% of ransomware victims in 2025 were SMBs and mid-caps. Europe decided to strengthen the framework.

Result: NIS2, adopted in December 2022, goes from 500 to over 15,000 entities covered in France, including mid-size companies, subcontractors and digital service providers. The scope now covers 18 sectors (energy, transport, health, food, digital services, manufacturing, postal services, waste management…).

Key figures:

15,000+ entities covered in France (vs 500 under NIS1)
18 sectors covered
€10M in possible sanctions (or 2% of global turnover)

Are you affected? (even if you think you're not)

To be directly subject to NIS2, you need to meet two criteria:

  1. Belong to one of the 18 sectors listed by the directive
  2. Exceed a size threshold: 50 employees, €10M in turnover or a €43M balance sheet total

But here's the most underestimated point: even if your SMB is below the thresholds, you can be affected by ripple effect. The directive requires regulated entities to secure their supply chain. In practice, your large clients will demand guarantees about your cybersecurity level — compliance questionnaires, audits, reinforced contractual clauses.

Not preparing means closing business doors. It's exactly the same logic as cyber-insurers tightening their conditions: no proof of cyber maturity, no coverage.

The 18 sectors covered by NIS2

The directive covers 18 sectors split into two categories:

11 "highly critical" sectors (Annex I)

  1. Energy (electricity, oil, gas, hydrogen)
  2. Transport (air, rail, maritime, road)
  3. Banking
  4. Financial market infrastructures
  5. Health
  6. Drinking water
  7. Waste water
  8. Digital infrastructure (DNS, cloud, data centres, CDN, telecoms)
  9. B2B ICT service management (MSP/MSSP: Managed Service Provider / Managed Security Service Provider, i.e. managed IT and security service providers such as TIPTOP). That's us.
  10. Public administration
  11. Space

7 "critical" sectors (Annex II)

  1. Postal and courier services
  2. Waste management
  3. Manufacture, production and distribution of chemicals
  4. Production, processing and distribution of food
  5. Manufacturing (medical devices, computers, electronics, optics, machinery, vehicles…)
  6. Digital providers (online marketplaces, search engines, social networks)
  7. Research

Note: your clients in food & beverage, healthcare (dental, ophthalmology) or real estate may be affected directly, or indirectly through the supply-chain requirements of their own principals.

The 5 obligations you need to know

Article 21 of the directive lists 10 mandatory cybersecurity measures. Here are the 5 that most directly impact a multi-site SMB:

  1. Documented security policy — your IT risk approach must be written, known and updated. No more "playing it by ear".
  2. Incident management — detection, response and notification. Strict deadlines: 24h early-warning alert to ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information, the French national cybersecurity authority), full notification within 72h, final report within 1 month.
  3. Business continuity plan (PCA/PRA: Plan de Continuité d'Activité / Plan de Reprise d'Activité, the arrangements that guarantee your business continues or resumes after an incident) — in case of a cyberattack, how do you resume business? This plan must exist and be tested.
  4. Supply chain security — assess the security level of your critical IT suppliers and providers.
  5. Leadership training — NIS2 requires board members to be trained on cyber issues. It's no longer a CIO-only topic.

Sanctions: what has changed

NIS2 significantly strengthens sanctions compared to NIS1:

It's no longer 'we'll see when it happens'. It's 'we'll be asked to prove we had planned for it'.

The timeline in France: where are we?

ANSSI urges all entities not to wait for enactment to start. The ReCyF, though not yet mandatory, provides a concrete basis for structuring your approach. Entities that choose to apply it can rely on it in case of inspection.

The real cost for an SMB

Let's be concrete. For a 50-workstation SMB starting from zero, compliance costs between €15,000 and €40,000 in the first year (audit, implementation, training), then €5,000 to €15,000 per year for maintenance.

It's a significant investment — but less than the average cost of a cybersecurity incident (€466,000), and incomparably less than NIS2 sanctions. Not to mention that one in two SMBs closes within 18 months of a major uninsured cyberattack.

Your NIS2 compliance, turnkey.

The good news? You don't need to become a cybersecurity expert. You need an architect who is one on your behalf. That's exactly what TIPTOP has been doing for 20 years.

How TIPTOP makes you NIS2 compliant:

In summary: depending on your TOTALPro plan, all or part of the NIS2 obligations are already covered by your subscription. Compliance depends on your plan. Contact us to find out what's included in yours.

And for executives with public exposure who demand absolute confidentiality: TOTALPro VIP, by invitation.

NIS2 is coming. Cyber threats don't wait. But with the right partner, your compliance is in the bag — and your CyberSerenity too.

Ready to assess your NIS2 compliance?

Book my free CyberDIAG →
30 minutes · no commitment · 3 concrete priorities
Version 1.0 · June 2026

This article is updated with each regulatory change (Resilience Act, ANSSI decrees, ReCyF). Subscribe to receive it by email and be notified of updates.


Sources and references

  1. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS2) — Official Journal of the EU
  2. ANSSI — Référentiel Cyber France (ReCyF), published 17 March 2026 — messervices.cyber.gouv.fr
  3. ANSSI — MonEspaceNIS2 platform (pre-registration) — club.ssi.gouv.fr
  4. CERT-FR (Centre gouvernemental de veille, d'alerte et de réponse aux attaques informatiques, the national cyber threat response team attached to ANSSI) / ANSSI — Panorama de la cybermenace 2025 (48% of ransomware victims = SMBs / micro-enterprises / mid-caps)
  5. Numeum — « Directive NIS2 : comprendre le nouveau cadre européen » — numeum.fr
  6. Average cost of a cyber incident for a French SMB: €466,000 — sector source, 2025
  7. CESIN — Panorama 2025: average business interruption = 21 days
  8. Resilience bill (Projet de loi Résilience) — adopted by the Senate on 12 March 2025, examined by the National Assembly in Sept. 2025, floor vote planned for summer 2026

Published on: tiptop.eu.com
URL of this article: tiptop.eu.com/blog/2026-06-01_CYBERSECURITE_NIS2-directive-pme-juin-2026.html