NIS2 21-Country SaaS Compliance Finale 2026: The Complete EU Developer Stack
Post #5 of 5 in the sota.io EU NIS2 SaaS Compliance 2026 Series
This is the finale of the sota.io NIS2 series. Over the last four posts we went deep on Germany and Austria (post 1, post 2), France and the Netherlands (post 3), and Southern Europe (post 4). Now we close the loop: the remaining 14 transposed countries, the master compliance stack, and a 50-point checklist that covers the whole EU27.
The NIS2 Transposition Landscape — May 2026
NIS2 (Directive (EU) 2022/2555) had a transposition deadline of 17 October 2024. By May 2026, 21 of 27 EU member states have enacted national implementing legislation. Six states are still finalising their laws (typically minor remaining issues with scope definitions or penalty provisions).
| Status | Countries |
|---|---|
| Fully transposed (21) | Germany, Austria, France, Netherlands, Spain (interim), Italy, Portugal, Belgium, Czech Republic, Estonia, Finland, Denmark, Sweden, Ireland, Poland, Romania, Croatia, Slovakia, Slovenia, Latvia, Lithuania |
| Partially transposed / pending (6) | Luxembourg, Hungary, Greece, Bulgaria, Cyprus, Malta |
Developer implication: If you operate in a "pending" country, the EU Commission's infringement proceedings (started November 2024 for 23 late states) mean national law is imminent. Build for full NIS2 compliance now — retroactive registration windows close fast once laws pass.
The 14 Countries We Haven't Covered Yet
Belgium — Centre for Cybersecurity Belgium (CCB)
Law: Loi du 26 avril 2024 relative à la cybersécurité des réseaux et systèmes d'information
Belgium's transposition is one of the most operator-friendly in the EU. The CCB runs a streamlined digital registration platform at safeonweb.be/nis2 with guided sector classification.
Key facts for SaaS:
- Primary authority: Centre for Cybersecurity Belgium (CCB), cybersecurity.belgium.be
- Sector authority for digital: CCB is both competent authority and CSIRT for digital providers
- Registration: safeonweb.be/nis2 — company number (KBO/BCE) required
- Incident reporting: 24h early warning → 72h notification → 1-month final report
- Penalties: Essential entities €10M or 2% global turnover; Important entities €7M or 1.4%
- Belgium-specific: Cross-border notification to CCB even if primary NCA is in another member state — Art. 26 NIS2 Belgian interpretation requires active notification (not passive acknowledgement)
SaaS registration trigger: If you have at least one Belgian-established customer OR process Belgian residents' data in an essential/important sector, registration may be required. CCB has issued guidance that cloud providers serving Belgian critical infrastructure are in scope even without Belgian establishment.
Czech Republic — NUKIB (National Cyber and Information Security Agency)
Law: Zákon č. 181/2014 Sb. (NIS2 amendment effective October 2024)
NUKIB is one of the more technically demanding EU NCAs. Their NIS2 implementing act adds Czech-specific technical requirements on top of the NIS2 baseline.
Key facts for SaaS:
- Primary authority: Národní úřad pro kybernetickou a informační bezpečnost (NUKIB), nukib.gov.cz
- CSIRT: GovCERT.cz (government) + CSIRT.CZ (private sector)
- Registration: NIS2 registration portal at nukib.gov.cz/cs/nis2/registrace
- Technical requirements: Czech implementing regulation adds specific encryption requirements (minimum AES-256 for data at rest) for essential entities
- Incident reporting: 24h CSIRT.CZ → 72h NUKIB notification → 30-day report
- Penalties: CZK 250 million (~€10M) essential; CZK 175 million (~€7M) important
- Czech-specific: "Significant cybersecurity incident" definition includes incidents affecting >10,000 Czech users — lower threshold than pure NIS2 baseline. SaaS platforms with large Czech user bases should review this carefully.
Estonia — Information System Authority (RIA)
Law: Küberturvalisuse seadus (Cybersecurity Act), effective 2024
Estonia, home of e-Estonia, has the EU's most mature national cyber framework. NIS2 transposition built on their existing 2018 cybersecurity law.
Key facts for SaaS:
- Primary authority: Riigi Infosüsteemi Amet (RIA / CERT Estonia), ria.ee
- CSIRT: CERT-EE (operates as both NCA and CSIRT for digital providers)
- Registration: ria.ee/nis2 — Estonian business registry ID (registrikood) required
- Unique system: Estonia uses its X-Road data exchange layer for secure NIS2 reporting — digital service providers in Estonia are encouraged to integrate X-Road for incident notification
- Incident reporting: 24h → 72h → 30-day (standard NIS2); for cross-border incidents involving other X-Road connected states, CERT-EE coordinates automatically
- Penalties: €10M or 2% (essential); €7M or 1.4% (important)
- Estonia-specific: CERT-EE issues binding "security baseline requirements" for different digital service categories — DSPs (SaaS included) must meet baseline v3.0 (updated Q1 2026)
Finland — Finnish Transport and Communications Agency (Traficom / NCSC-FI)
Law: Laki kyberturvallisuudesta (Cybersecurity Act 1086/2024)
Finland's NIS2 law is notable for its strong emphasis on supply chain security and mandatory security assessments for SaaS providers serving critical infrastructure.
Key facts for SaaS:
- Primary authority: Liikenne- ja viestintävirasto (Traficom) / NCSC-FI, traficom.fi
- CSIRT: NCSC-FI (Traficom division)
- Registration: ncsc.fi/nis2 — Finnish Business ID (Y-tunnus) required
- Sector authority: For digital infrastructure (cloud, DNS, TLD, data centres): Traficom has exclusive jurisdiction
- Incident reporting: 24h early warning to NCSC-FI → 72h notification → 30-day final
- Penalties: €10M or 2% (essential); €7M or 1.4% (important)
- Finland-specific: Finnish NIS2 law adds "significant supplier" concept — if your SaaS is a critical dependency for >3 Finnish essential entities, you may be classified as significant supplier with enhanced audit rights for those entities. Annual security assessments possible.
Denmark — Centre for Cyber Security (CFCS)
Law: Lov om net- og informationssikkerhed (NIS2), L 35 enacted December 2024
Denmark's implementation splits competence between CFCS (for critical infrastructure and government) and the Danish Business Authority (Erhvervsstyrelsen) for digital providers.
Key facts for SaaS:
- Primary authority (digital): Erhvervsstyrelsen (Danish Business Authority), erst.dk
- CSIRT / National authority: Center for Cybersikkerhed (CFCS), cfcs.dk
- Registration: virk.dk/nis2 — CVR number (Danish company registry) required; non-Danish companies register via CFCS directly
- Dual authority note: For DNS, TLDs, cloud, and data centres: CFCS has jurisdiction. For managed service providers and digital marketplaces: Erhvervsstyrelsen. Misidentifying your authority leads to registration rejection.
- Incident reporting: 24h → 72h → 1-month; to the relevant authority (CFCS or Erhvervsstyrelsen depending on your classification)
- Penalties: DKK 5M (~€670K) per violation (significantly lower than EU maximum — Danish law chose national calibration)
- Denmark-specific: Danish NIS2 explicitly covers supply chain risk for managed cloud services. Cloud providers serving Danish DSOs (energy distributors) face enhanced background checks on key personnel.
Sweden — Swedish Civil Contingencies Agency (MSB / NCSC-SE)
Law: NIS2-lagen (SFS 2024:630), effective 1 January 2025
Sweden's NIS2 implementation is comprehensive and builds on their pre-existing national cybersecurity framework (SNCSS). MSB coordinates with sector-specific agencies.
Key facts for SaaS:
- Primary authority (digital providers): Post- och telestyrelsen (PTS), pts.se
- Competent authority (general): Myndigheten för samhällsskydd och beredskap (MSB), msb.se
- CSIRT: NCSC-SE (joint MSB/SÄPO/FMV/PTS/FRA)
- Registration: pts.se/nis2 for digital providers; other sectors via MSB
- Sector split: PTS covers electronic communications, DNS, TLD, cloud, CDN, data centres, managed services. MSB coordinates between all other sector authorities.
- Incident reporting: 24h → 72h → 30-day to PTS or relevant sector authority
- Penalties: SEK 100M (~€8.7M) essential; SEK 70M (~€6.1M) important
- Sweden-specific: Swedish NIS2 regulation (MSBFS 2024:xx) requires multi-factor authentication for all remote administrative access to systems processing data for essential entities — more prescriptive than the NIS2 baseline "appropriate measures" language.
Ireland — National Cyber Security Centre (NCSC-IE)
Law: European Union (Measures for a High Common Level of Cybersecurity) Regulations 2024 (SI 321/2024)
Ireland is strategically critical: it's the EU establishment for Apple, Google, Meta, Microsoft, LinkedIn, Twitter, and hundreds of other US tech firms. The NCSC-IE supervises these as their primary NIS2 NCA.
Key facts for SaaS:
- Primary authority: National Cyber Security Centre (NCSC-IE), ncsc.gov.ie
- CSIRT: CERT-IE (NCSC division)
- Registration: ncsc.gov.ie/nis2-registration — CRO number (Companies Registration Office) required
- Critical Ireland-specific point: US tech companies with EU headquarters in Ireland register in Ireland — but they must comply with NIS2 in ALL member states where they operate. Ireland NCSC acts as "lead NCA" and coordinates with other NCAs. If you're building on top of AWS/Azure/GCP, your provider's Irish registration does NOT cover your own NIS2 obligations.
- Incident reporting: 24h → 72h → 1-month to CERT-IE
- Penalties: €10M or 2% (essential); €7M or 1.4% (important); Ireland's DPC (Data Protection Commission) cross-notified for incidents with GDPR dimensions
- Ireland-specific: NCSC-IE has published specific guidance for SaaS providers on "incident materiality thresholds" — an incident that affects >5,000 Irish users or involves an availability loss of >2 hours is reportable. Lower than the pure NIS2 Art.23 text.
Poland — CERT Polska / CSIRT NASK
Law: Ustawa o krajowym systemie cyberbezpieczeństwa (KSC Act), NIS2 amendment effective 2025
Poland's NIS2 implementation is one of the most complex — multiple competent authorities per sector, with CERT Polska handling digital providers.
Key facts for SaaS:
- Primary authority (digital): CERT Polska (CSIRT NASK), cert.pl
- Sector authorities: Office of Electronic Communications (UKE) for telecoms; Energy Regulatory Office (URE) for energy; etc.
- Registration: incydent.cert.pl/nis2 — NIP (Polish Tax ID) + KRS (National Court Register) required
- Categories: Polish KSC Act uses "operators of essential services" (OES) and "digital service providers" (DSP) terminology from NIS1 but maps to NIS2 essential/important. Cloud, SaaS platforms, managed services are typically DSP → "important entities."
- Incident reporting: 24h → 72h → 30-day to CERT Polska; Polish law additionally requires notification to sector authority for cross-sector impacts
- Penalties: PLN 1M (~€234K) standard; PLN 15M (~€3.5M) for serious violations (lower than EU maximum due to Polish calibration)
- Poland-specific: Poland's NIS2 law requires Polish-language incident reports — English submissions must be accompanied by a certified Polish translation within 5 business days. Maintain a Polish-speaking incident response contact.
Romania — National Directorate of Cyber Security (DNSC)
Law: Legea nr. 163/2024 privind securitatea cibernetică
Romania's DNSC is relatively new (established 2021) and has rapidly built out NIS2 enforcement capacity with EU Cohesion Fund support.
Key facts for SaaS:
- Primary authority: Directoratul Național de Securitate Cibernetică (DNSC), dnsc.ro
- CSIRT: DNSC-CERT (operational arm)
- Registration: dnsc.ro/nis2-inregistrare — Romanian company registration code (CUI/CIF) required
- Incident reporting: 24h → 72h → 30-day standard
- Penalties: RON 5M (~€1M) essential; RON 3.5M (~€700K) important (Romania calibrated below EU maximum)
- Romania-specific: DNSC has specific guidance for cloud providers: if you store data for Romanian public administration (central or local government), registration is mandatory regardless of entity size — the normal employee/revenue thresholds don't apply for public-sector-serving SaaS.
Croatia — Information Security Bureau (SOA)
Law: Zakon o kibernetičkoj sigurnosti (Cybersecurity Act), effective 2025
Croatia joined the EU in 2013 and NIS2 transposition was completed in early 2025.
Key facts for SaaS:
- Primary authority: Ured Vijeća za nacionalnu sigurnost (UVNS) for national; SOA (Sigurnosno-obavještajna agencija) for critical sectors
- Digital provider authority: Croatian Post and Electronic Communications Agency (HAKOM), hakom.hr
- CSIRT: CERT ZSIS (zsis.hr)
- Registration: hakom.hr/nis2 for digital service providers
- Incident reporting: 24h → 72h → 30-day to HAKOM/CERT ZSIS
- Penalties: HRK 70M (~€9.3M) essential; HRK 50M (~€6.6M) important
- Croatia-specific: Croatian law explicitly includes SaaS platforms processing data related to Croatian critical water infrastructure as essential entities — relevant for environmental monitoring SaaS and SCADA-adjacent platforms.
Slovakia — National Security Authority (NBU)
Law: Zákon č. 69/2018 Z. z. (Cybersecurity Act, NIS2 amendment 2024)
Slovakia's cybersecurity authority NBU handles both national security cyber and NIS2 enforcement.
Key facts for SaaS:
- Primary authority: Národný bezpečnostný úrad (NBU), nbu.gov.sk
- CSIRT: SK-CERT (nbu.gov.sk/sk-cert)
- Registration: nbu.gov.sk/nis2 — IČO (Slovak company ID) required
- Incident reporting: 24h → 72h → 30-day to SK-CERT
- Penalties: €10M or 2% (essential); €7M or 1.4% (important — Slovakia adopted EU maximums directly)
- Slovakia-specific: NBU has issued specific guidance for SaaS providing services to Slovak banks and financial institutions — enhanced penetration testing requirements (annual external pentest mandatory for essential entity SaaS in financial sector).
Slovenia — Information Commissioner / AKOS
Law: Zakon o informacijski varnosti (ZInfV), NIS2 transposition 2024
Key facts for SaaS:
- Primary authority: Agencija za komunikacijska omrežja in storitve (AKOS) for digital; Ministry of Digital Transformation for cross-sector coordination
- CSIRT: SI-CERT (cert.si)
- Registration: gov.si/nis2 — Slovenia company register ID required
- Incident reporting: 24h → 72h → 30-day to SI-CERT
- Penalties: €10M or 2% essential; €7M or 1.4% important
- Slovenia-specific: Smallest NIS2 country by market size — SI-CERT has indicated a risk-based approach where small SaaS with limited Slovenian user base (under 1,000 active users) may be classified as "important" rather than "essential" even in sensitive sectors, with proportionally lighter compliance requirements.
Latvia — CERT.LV
Law: Informācijas tehnoloģiju drošības likums (ITDL), NIS2 transposition 2024
Key facts for SaaS:
- Primary authority: Latvian CERT (CERT.LV), cert.lv; Sector authority varies by industry
- Registration: cert.lv/nis2-registracija — company number from UR (uzņēmumu reģistrs) required
- Incident reporting: 24h → 72h → 30-day to CERT.LV
- Penalties: €10M or 2% (essential); €7M or 1.4% (important)
- Latvia-specific: CERT.LV is a joint NCA/CSIRT — single point of contact simplifies registration and incident reporting. Latvian law includes specific provisions for cross-border Baltic cooperation with Lithuania (NKSC) and Estonia (CERT-EE) for incident response involving Baltic digital infrastructure.
Lithuania — National Cyber Security Centre (NKSC)
Law: Kibernetinio saugumo įstatymas (Cybersecurity Law), amended 2024
Key facts for SaaS:
- Primary authority: Nacionalinis kibernetinio saugumo centras (NKSC), nksc.lkpsv.lt
- CSIRT: CERT-LT (NKSC division)
- Registration: nksc.lkpsv.lt/nis2 — Lithuanian company code required
- Incident reporting: 24h → 72h → 30-day to CERT-LT
- Penalties: €10M or 2% (essential); €7M or 1.4% (important)
- Lithuania-specific: Lithuanian law has specific provisions for DNS providers serving .lt TLD — enhanced availability requirements (99.9% uptime guarantee backed by legal obligation). Relevant for SaaS providing DNS or DNS-adjacent services.
The 6 "Pending" Countries: What to Do Now
For Luxembourg, Hungary, Greece, Bulgaria, Cyprus, and Malta, NIS2 is not yet fully transposed but EU Commission infringement proceedings are ongoing. For SaaS operating in these markets:
- Apply NIS2 baseline now — when the law passes, retroactive compliance audits will check whether you had "reasonable preparedness." Being able to show you were already implementing NIS2 controls significantly reduces penalty risk.
- Watch for fast-track laws — Hungary passed an emergency cyber decree in Q1 2026 that mirrors NIS2 for critical sectors. Greece's GCSB has been issuing binding administrative decisions under existing powers that effectively impose NIS2-equivalent requirements.
- Use the lead-NCA principle — if your company is established in a fully-transposed member state, your NIS2 registration there covers activities in pending states during the transition. Maintain documentation that you notified your lead NCA of your operations in pending countries.
Master Country-by-Country Reference Table
| Country | Authority | Registration URL | Incident Portal | Max Essential Penalty |
|---|---|---|---|---|
| Germany | BSI | bsi.bund.de/nis2 | portal.bsi.bund.de | €10M / 2% |
| Austria | ENISA AT / BMI | bka.gv.at/nis2 | cert.at | €10M / 2% |
| France | ANSSI | anssivault.fr | cybermalveillance.gouv.fr | €10M / 2% |
| Netherlands | NCSC-NL | ncsc.nl/nis2 | ncsc.nl/melden | €10M / 2% |
| Spain | INCIBE | incibe.es/nis2 | incibe-cert.es | €10M / 2% |
| Italy | ACN | acn.gov.it/portale/nis2 | acn.gov.it/sievert | €10M / 2% |
| Portugal | CNCS | cncs.gov.pt/nis2 | cert.pt/reportcibir | €10M / 2% |
| Belgium | CCB | safeonweb.be/nis2 | cert.be | €10M / 2% |
| Czech Republic | NUKIB | nukib.gov.cz/nis2 | csirt.cz | CZK 250M (~€10M) |
| Estonia | RIA / CERT-EE | ria.ee/nis2 | cert.ee | €10M / 2% |
| Finland | Traficom | ncsc.fi/nis2 | ncsc.fi/ilmoita | €10M / 2% |
| Denmark | Erhvervsstyrelsen/CFCS | virk.dk/nis2 | cfcs.dk/indberetning | DKK 5M (~€670K) |
| Sweden | PTS / MSB | pts.se/nis2 | ncsc.se/rapportera | SEK 100M (~€8.7M) |
| Ireland | NCSC-IE | ncsc.gov.ie/nis2 | ncsc.gov.ie/report | €10M / 2% |
| Poland | CERT Polska | incydent.cert.pl/nis2 | incydent.cert.pl | PLN 15M (~€3.5M) |
| Romania | DNSC | dnsc.ro/nis2 | dnsc.ro/raportare | RON 5M (~€1M) |
| Croatia | HAKOM | hakom.hr/nis2 | zsis.hr | HRK 70M (~€9.3M) |
| Slovakia | NBU | nbu.gov.sk/nis2 | sk-cert.sk | €10M / 2% |
| Slovenia | AKOS | gov.si/nis2 | cert.si | €10M / 2% |
| Latvia | CERT.LV | cert.lv/nis2 | cert.lv/pieteikt | €10M / 2% |
| Lithuania | NKSC | nksc.lkpsv.lt/nis2 | cert.lt | €10M / 2% |
The Universal NIS2 SaaS Compliance Stack
After covering all 21 countries, here is what the universal compliance stack looks like for a SaaS company operating across the EU.
Layer 1 — Risk Management Foundation
Every NIS2 national law requires "appropriate and proportionate technical and organisational measures." In practice this means:
Risk Assessment Tool (mandatory):
- Conduct an annual risk assessment covering assets, threats, vulnerabilities, and impacts
- Document methodology (ISO 27005, NIST SP 800-30, or ENISA threat landscape methodology)
- Keep 3 years of risk assessment history (audit trail required by most NCAs)
Recommended open tools: ENISA's ERID (European Risk Information Directory) methodology; OpenFAIR for quantified risk
Recommended commercial tools (EU-hosted):
- Scytale (scytale.ai) — NIS2-specific compliance automation, SOC2/ISO 27001 + NIS2 mapping
- Risk Ledger (riskledger.com) — supply chain risk, EU-hosted, NIS2 Art.21(d) focused
- Oneleet (oneleet.com) — continuous compliance monitoring with NIS2 controls library
Layer 2 — Incident Detection and Response
NIS2's incident reporting requirements (24h/72h/30-day) require your detection stack to be fast:
SIEM (Security Information and Event Management):
- Needs <30-minute alert SLA for significant security events
- EU-hosted SIEM: Logpoint (logpoint.com, Denmark), Elastic Security (self-hosted on EU cloud), Wazuh (open source, EU-hosted)
- Non-EU but with EU data residency: Splunk Frankfurt region, Microsoft Sentinel (EU regions)
Incident Response Platform:
- PagerDuty or Opsgenie with EU data residency
- Rootly (EU region available) for incident management
- Maintain an IR runbook per country: each NCA has a different portal and timeline
Detection SLA requirements per NIS2:
- Significant incident: detect → document → 24h early warning → 72h full notification
- Your logging must provide enough forensic detail to answer NCA questions (who, what, when, scope, systems affected, user count)
Layer 3 — Supply Chain Security
NIS2 Art.21(d) explicitly mandates supply chain security assessments. Every EU NCA will audit this.
What you must document:
- Inventory of all third-party software dependencies (direct + transitive for critical systems)
- Security assessments of critical vendors (cloud provider, payment processor, email service, auth provider)
- Contractual NIS2 clauses in vendor agreements (especially for sub-processors in sensitive sectors)
- SBOM (Software Bill of Materials) — increasingly required, especially for essential entities
Tools:
- FOSSA or Snyk for SBOM generation and vulnerability tracking
- Socket.dev for supply chain attack detection in npm/PyPI/Maven
- Contractual template: ENISA has published NIS2 supply chain contractual clauses (December 2024)
Layer 4 — Access Control and Identity
NIS2's authentication requirements vary by country (Sweden mandates MFA prescriptively; others leave it to "appropriate measures"), but in practice:
Minimum for any EU NIS2-covered SaaS:
- MFA for all administrative access (mandatory in practice, required by most NCAs)
- Privileged access management (PAM) for infrastructure access
- Regular access reviews (quarterly for essential entities, annually for important)
- Zero-trust principles for remote access
EU-hosted IAM/PAM solutions:
- Teleport (self-hosted, EU cloud) — SSH/K8s/DB access with full audit trail
- Wallix (wallix.com, French company) — PAM specifically designed for NIS2 compliance
- IDEE (idee.io, German) — passwordless MFA
Layer 5 — Cryptography and Data Protection
Minimum encryption requirements (composite of all 21 countries):
- Data at rest: AES-256 (Czech Republic, Germany, Belgium mandate this explicitly)
- Data in transit: TLS 1.2 minimum, TLS 1.3 preferred
- Key management: HSM or KMS with EU-hosted keys (CLOUD Act concern for US-parent KMS)
- Database encryption: column-level or full-database encryption for personal/sensitive data
EU-native KMS options:
- Vault (HashiCorp, self-hosted on EU infra)
- Thales Data Protection on Demand (EU-hosted HSM-as-a-service)
- Entrust nShield (UK/EU)
- Avoid: AWS KMS, Azure Key Vault, Google Cloud KMS if your customers have strict CLOUD Act concerns — US providers, US-parent entities subject to CLOUD Act requests
Layer 6 — Business Continuity
NIS2 Art.21(c) requires business continuity measures. For SaaS:
Required documentation:
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined per tier
- Business continuity plan (BCP) tested at least annually
- Backup strategy: 3-2-1 minimum (3 copies, 2 media types, 1 offsite)
- Disaster recovery runbook with country-specific NCA notification triggers
NIS2-relevant RTO/RPO benchmarks by sector:
- Healthcare SaaS: RTO <4h / RPO <1h (multiple NCAs use this as guidance)
- Energy/utilities SaaS: RTO <2h / RPO <30min
- Financial services SaaS (overlaps with DORA): RTO <2h / RPO <15min
- General B2B SaaS (important entity): RTO <24h / RPO <4h
Universal Registration Strategy: How to Register in 21 Countries Efficiently
Step 1: Determine your primary establishment
Under NIS2 Art.26, you have one "lead NCA" — the competent authority in the member state where your company (or EU subsidiary) is established. This is your primary registration. All other countries receive secondary notifications.
- If incorporated in Germany: BSI is your lead NCA. Register at bsi.bund.de/nis2.
- If incorporated in Ireland: NCSC-IE is your lead NCA. Most US tech companies with an Irish EU HQ register here.
- If no EU establishment but serving EU customers: register in the member state where you have the "most significant" EU customer concentration.
Step 2: Identify all member states where you're in scope
You're in scope in a member state if you:
- Provide services to essential or important entities in that state, OR
- Have customers in a sector covered by Annex I/II (energy, transport, banking, health, digital infrastructure, etc.) in that state
For most B2B SaaS platforms with EU customers: assume you are in scope in every member state where you have customers in regulated sectors.
Step 3: Notify other NCAs
For each non-primary member state where you're in scope:
- Send a notification to the relevant NCA (form varies by country — see table above)
- Include: company name, EU establishment country, lead NCA details, sectors served, contact person
- Keep acknowledgement receipts — these are your "notification evidence" for audits
Step 4: Appoint a national contact
Several countries (Germany, Austria, France, Italy) require a named responsible person for NIS2 matters who can be reached 24/7 during incidents. This person doesn't need to be physically in the country but must speak the language or have a translator available during incidents.
Practical approach: Designate your CISO or security lead as the NIS2 responsible person, and use a NIS2 compliance platform (Scytale, OneTrust, etc.) to maintain the registration state per country.
Incident Response Master Playbook
When a significant incident occurs, you have 24 hours to file an early warning with your lead NCA, then 72 hours for a formal notification. Here is the cross-country playbook.
T+0: Incident Detected
- Confirm the "significant incident" threshold is met (any of):
  - Service availability disruption affecting customers
  - Unauthorised access to systems processing personal data of EU data subjects
  - Integrity breach affecting service delivery
  - Any incident that could have affected other entities or other member states
- Trigger your incident management platform (PagerDuty/Opsgenie/Rootly)
- Activate your incident response team and IR runbook
- Start an evidence collection log (timestamps, systems affected, actions taken)
T+4h: Internal Assessment
- Scope assessment: how many customers affected? Which EU member states?
- Data impact: personal data involved? Which categories?
- Determine lead NCA notification contact
- Draft 24h early warning (minimal information: incident type, initial scope estimate, mitigation status)
T+24h: Early Warning to Lead NCA
File the early warning with your lead NCA portal. Required fields (common across all 21):
- Date/time of incident detection
- Type of incident (availability, integrity, confidentiality, authentication failure, etc.)
- Affected systems/services
- Estimated number of affected entities/users
- Cross-border impact: yes/no (if yes, notify secondary NCAs in parallel)
- Current status: ongoing/contained/resolved
If cross-border (affects customers in multiple member states), simultaneously notify secondary NCAs with a reference to your lead NCA filing.
T+72h: Full Notification
Full notification includes everything in early warning plus:
- Root cause analysis (preliminary)
- Timeline of events
- Mitigation measures taken and planned
- Impact assessment (refined)
- GDPR overlap: if personal data was involved, DPA notification filed (must cross-reference NIS2 filing)
T+30 days: Final Report
Full post-incident report:
- Root cause analysis (final)
- All mitigation measures completed
- Lessons learned
- Changes to security controls implemented
- Confirmation incident is resolved
- Any relevant IoCs (indicators of compromise) for CSIRT sharing
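The playbook above asks for two things at T+0 that are easy to get wrong under pressure: an evidence collection log that will stand up to NCA questions, and the 24h / 72h / final-report deadlines counted from detection. The following is an added example, not code from the sota.io post or from any NCA. The hash chain that makes the log tamper-evident is a common forensic-logging technique chosen here, not something the post prescribes; the "1-month" final report is modelled as 30 days (the national laws on the page use both wordings); and every timestamp, actor and system name is constructed.

```python
"""Added example: tamper-evident incident evidence log plus NIS2 deadlines.

Not from the sota.io post. Assumptions: final report modelled as 30 days;
hash chaining is this example's choice for forensic-quality logging; all
sample data below is constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Reporting stages from the playbook, as offsets from the detection time.
STAGES: dict[str, timedelta] = {
    "early_warning": timedelta(hours=24),
    "full_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),  # assumption: "1 month" = 30 days
}

# Constructed detection time used by the sample below.
SAMPLE_DETECTED_AT = datetime(2026, 5, 10, 9, 30, tzinfo=timezone.utc)


def notification_schedule(detected_at: datetime) -> dict[str, datetime]:
    """Deadline for each NIS2 reporting stage, counted from detection."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time must be timezone-aware")
    return {stage: detected_at + offset for stage, offset in STAGES.items()}


def is_significant(*, availability_disruption: bool, personal_data_access: bool,
                   integrity_breach: bool, other_entities_or_states: bool) -> bool:
    """Any one of the four T+0 triggers in the playbook makes the incident reportable."""
    return (availability_disruption or personal_data_access
            or integrity_breach or other_entities_or_states)


@dataclass(frozen=True)
class EvidenceEntry:
    seq: int          # position in the log
    timestamp: str    # ISO-8601, UTC
    actor: str        # who acted or observed
    system: str       # system affected / touched
    action: str       # what was done or seen
    prev_hash: str    # hash of the previous entry (chain link)
    entry_hash: str   # SHA-256 over this entry's fields, including prev_hash


def _digest(seq: int, timestamp: str, actor: str, system: str,
            action: str, prev_hash: str) -> str:
    """Hash a canonical JSON encoding so field order cannot change the digest."""
    payload = json.dumps(
        {"seq": seq, "timestamp": timestamp, "actor": actor,
         "system": system, "action": action, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class EvidenceLog:
    """Append-only log in which every entry commits to the one before it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[EvidenceEntry] = []

    def append(self, actor: str, system: str, action: str,
               at: datetime | None = None) -> EvidenceEntry:
        at = at or datetime.now(timezone.utc)
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        ts = at.astimezone(timezone.utc).isoformat()
        entry = EvidenceEntry(seq, ts, actor, system, action, prev,
                              _digest(seq, ts, actor, system, action, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or reordered."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest(e.seq, e.timestamp, e.actor, e.system,
                       e.action, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def build_sample_log() -> EvidenceLog:
    """Constructed sample: three T+0 actions on a fictitious availability incident."""
    log = EvidenceLog()
    t0 = SAMPLE_DETECTED_AT
    log.append("siem", "api-gateway-eu1", "alert: 5xx rate above 40% for 10 min", t0)
    log.append("on-call", "api-gateway-eu1", "outage confirmed; IR runbook activated",
               t0 + timedelta(minutes=12))
    log.append("on-call", "auth-db-eu1", "replica isolated pending forensic snapshot",
               t0 + timedelta(minutes=35))
    return log


def tampered_copy(log: EvidenceLog) -> EvidenceLog:
    """Constructed negative case: one entry's action rewritten after the fact."""
    bad = EvidenceLog()
    bad.entries = list(log.entries)
    bad.entries[1] = replace(bad.entries[1], action="no outage observed")
    return bad


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain valid:", sample.verify(), "| tampered:", tampered_copy(sample).verify())
    for stage, due in notification_schedule(SAMPLE_DETECTED_AT).items():
        print(f"{stage:18s} due {due.isoformat()}")
```

The chain detects edits and reordering inside the log, which is what an NCA or auditor will probe when reconstructing "who did what, when". It does not by itself detect truncation of the most recent entries, so in practice the current head hash should be recorded somewhere outside the incident system (a ticket comment, a printed page, a separate store) at each playbook milestone, starting with the T+24h early-warning filing.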
Cross-Border Coordination: The NIS2 One-Stop-Shop Reality
NIS2 Art.26 creates a lead-NCA system but it's not a true one-stop-shop. Here's what actually happens:
Lead NCA files → Coordination network:
- You file with lead NCA (e.g., BSI in Germany)
- BSI notifies ENISA and other NCAs via the CyCLONe (Cyber Crisis Liaison Organisation Network)
- Affected-state NCAs (e.g., CERT.LV if Latvian companies were affected) may request information directly from you
- You must cooperate with all NCAs that contact you — lead NCA doesn't shield you from secondary enquiries
Practical implication: Maintain parallel notification capability. Your IR platform should have country-specific runbooks for each of the 21 countries, not just the primary.
The 50-Point NIS2 Compliance Checklist
Registration (10 points)
- R-01: Classified your company as essential or important entity in each member state
- R-02: Primary NCA identified based on EU establishment country
- R-03: Registered on lead NCA portal with all required company details
- R-04: Named NIS2 responsible person (CISO or equivalent) documented
- R-05: Secondary NCA notifications sent for all non-primary member states
- R-06: Notification acknowledgements stored as compliance evidence
- R-07: Sector classification verified for each member state (sectors differ slightly by country)
- R-08: Registration reviewed and updated whenever company details change
- R-09: Sub-processors/critical vendors notified that you are NIS2 registered
- R-10: Employee >250 / turnover >€50M threshold monitored (if you cross these, classification may change)
Risk Management (10 points)
- RM-01: Annual risk assessment conducted and documented
- RM-02: Risk assessment methodology documented (ISO 27005 or equivalent)
- RM-03: Asset inventory current (all systems processing data for EU customers)
- RM-04: Threat landscape assessment completed (ENISA threat landscape consulted)
- RM-05: Risk treatment plan documented with owners and timelines
- RM-06: Supply chain risk assessment completed for critical vendors
- RM-07: SBOM generated for critical software components
- RM-08: Vendor contracts include NIS2 security clauses
- RM-09: Third-party pentest conducted (annually for essential entities)
- RM-10: Risk register maintained and reviewed quarterly
Technical Controls (10 points)
- TC-01: MFA enabled for all administrative access
- TC-02: Data at rest encrypted (AES-256 minimum)
- TC-03: Data in transit encrypted (TLS 1.2+)
- TC-04: Network segmentation implemented (production separated from development)
- TC-05: SIEM deployed with <30-minute alert SLA
- TC-06: Vulnerability management process in place (patches applied within defined SLAs)
- TC-07: PAM deployed for privileged access
- TC-08: Endpoint detection and response (EDR) on all admin workstations
- TC-09: Regular access reviews conducted (quarterly for essential)
- TC-10: Backup tested and recovery verified (RPO/RTO targets documented)
Incident Response (10 points)
- IR-01: Incident response plan documented and tested
- IR-02: "Significant incident" thresholds defined per NIS2 Art.23
- IR-03: 24h early warning capability verified (who, what portal, what info)
- IR-04: 72h notification template prepared per lead NCA requirements
- IR-05: Country-specific notification contacts list maintained (21 countries)
- IR-06: GDPR/NIS2 parallel notification process documented (DPA + NCA same incident)
- IR-07: Incident classification matrix in IR runbook
- IR-08: Evidence collection logging in place (forensic quality logs retained 12 months)
- IR-09: Post-incident review process defined (30-day final report template)
- IR-10: Annual IR tabletop exercise conducted
Business Continuity (10 points)
- BC-01: BCP documented and annually reviewed
- BC-02: RTO and RPO defined per service tier
- BC-03: DR environment tested (annual minimum, quarterly preferred for essential)
- BC-04: 3-2-1 backup strategy implemented and verified
- BC-05: Critical personnel dependencies identified and backups designated
- BC-06: BCP tested with actual failover (not just documentation review)
- BC-07: Communication plan for customers during incidents
- BC-08: Emergency contact list (NCAs, legal counsel, PR, key customers)
- BC-09: Crisis communication templates per NCA language requirement
- BC-10: Recovery evidence log maintained (shows you can restore per RTO/RPO)
Penalty Exposure Calculator
If you are a SaaS company with €10M ARR operating across all 21 EU member states without NIS2 compliance, your theoretical maximum penalty exposure is:
- Countries using EU maximum (2% of global revenue): ~15 countries × 2% of €10M = €3M per country × 15 = €45M
- Countries using fixed amounts (Denmark, Poland, Romania etc.): Approximately €670K to €3.5M per country × 6 = ~€12M
- Total theoretical maximum: ~€57M — for a €10M ARR company
In practice, penalties are scaled to the actual violation severity, remediation cooperation, and duration of non-compliance. No NCA has yet issued a maximum NIS2 fine. But the trajectory is clear: GDPR started with small fines that grew to €1.2 billion (Meta, 2023). NIS2 enforcement will follow the same arc.
The cost of compliance for a SaaS company is typically €50,000–€150,000 in year 1 (including tooling, pentest, documentation) and €20,000–€50,000 annually thereafter. Against a €57M theoretical exposure, the ROI on compliance is self-evident.
Series Summary: What We Covered
| Post | Countries | Key Angles |
|---|---|---|
| Post 1 — Germany | Germany | BSIG, IT-Sicherheitsgesetz 3.0, BSI NIS2-Umsetzungsgesetz, KRITIS |
| Post 2 — DACH | Austria + DACH | NISG 2024, DACH SaaS comparison, BMI vs BSI jurisdiction |
| Post 3 — Western EU | France, Netherlands | ANSSI SAIV classification, NCSC-NL meldplicht, MSSPs |
| Post 4 — Southern EU | Spain, Italy, Portugal | INCIBE/CCN-CERT dual authority, ACN Art.39 public disclosure, CNCS Lei 89/2024 |
| Post 5 — Finale (this post) | 14 more + stack | Belgium through Lithuania + full compliance stack + 50-point checklist |
Running Your NIS2 Compliance Programme
The EU NIS2 landscape is complex but manageable with the right structure. The key insight from covering all 21 countries: the divergences are in the details (language requirements, national penalty calibration, specific sector-authority splits), but the foundation is identical — risk management, supply chain security, incident reporting, and business continuity.
Build the foundation once. Then apply country-specific adaptations as a thin layer on top.
For SaaS companies that need to move fast, the most important first steps are:
- Determine your lead NCA and register (costs nothing, reduces maximum penalty)
- Implement MFA everywhere (catches 80% of the technical requirement)
- Test your 24h incident notification capability (most NCAs fine for late notification before they fine for the incident itself)
The sota.io platform helps EU SaaS teams deploy on EU-sovereign infrastructure (Hetzner Germany) — no US parent, no CLOUD Act exposure — which simplifies NIS2 compliance for your cloud hosting layer. When your NCA asks "where is your data processed?", the answer should be simple.
This post is part of the sota.io EU NIS2 SaaS Compliance 2026 series. The full series covers all 21 transposed member states plus the complete compliance stack. For corrections or additions, contact the sota.io team.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.