ShieldPage
Use Cases · 7 min read

A B2B SaaS Company's Journey to NIS2 Compliance

How a 200-person SaaS company in the ICT sector navigated NIS2 requirements — from scoping to implementation to ongoing compliance.

When NIS2's transposition deadline hit in October 2024, a 200-person B2B SaaS company providing ICT services to European enterprises found itself squarely in scope as an "important entity." Here's how they approached compliance.

Determining scope

The first challenge was confirming they were in scope. As an ICT service management provider with over 50 employees and revenue above €10M, they met both the sector and size thresholds. Their legal team confirmed: NIS2 applied.

With that settled, the scoping exercise mapped out which parts of the business the requirements touched:

  • Their SaaS platform and infrastructure
  • Their internal corporate IT
  • Their supply chain (cloud providers, third-party libraries, SaaS tools)
  • Their incident response capabilities
  • Their management's cybersecurity knowledge

Gap analysis

Measured against their existing security program, four areas fell short of NIS2 requirements:

  • Incident reporting — 24-hour early warning capability didn't exist. Their incident response process was thorough but not fast enough for NIS2's timeline.
  • Supply chain security — They assessed their own security but hadn't formally assessed suppliers.
  • Management accountability — Board members hadn't received cybersecurity training.
  • Business continuity — Documented but never tested against NIS2-specific scenarios.

Implementation (6 months)

Incident reporting
  • Implemented 24/7 monitoring with automated alerting
  • Created rapid assessment templates for 24-hour early warning reports
  • Established direct communication channels with their national CSIRT
  • Ran tabletop exercises with incident reporting timeline scenarios

Supply chain security
  • Inventoried all critical suppliers and service providers
  • Sent security assessment questionnaires to their top 20 suppliers
  • Updated contracts to include NIS2-relevant security requirements
  • Established an ongoing supplier monitoring process

Management accountability
  • Board-level cybersecurity training (half-day workshop)
  • Updated governance structure to include explicit cybersecurity accountability
  • Documented management's oversight responsibilities

Policies, testing and transparency
  • Updated all security policies for NIS2 alignment
  • Conducted a full business continuity test
  • Ran an incident simulation exercising the 24-hour early warning and 72-hour incident notification deadlines
  • Updated their trust center to reflect NIS2 compliance measures

Cost and resources

  • External NIS2 consultant: €40,000
  • Monitoring tooling upgrade: €30,000/year
  • Management training: €10,000
  • Internal team allocation: ~800 hours over 6 months
  • Legal review: €10,000

Key lessons

  • ISO 27001 is 70% of the way there — but the remaining 30% (incident reporting speed, supply chain, management accountability) is where the real work lives
  • 24-hour reporting requires automation — You can't rely on someone checking email to meet a 24-hour window
  • Supply chain assessment is ongoing — One-time assessments aren't enough; NIS2 expects continuous awareness
  • Management buy-in is literal — NIS2's personal liability provisions got the board's attention in a way "best practice" never did