The NIS2 directive isn’t only about large corporations with extensive IT infrastructure. In fact, even small organizations with minimal staff or operational footprint may find themselves legally required to comply, simply due to their revenue, market role, or sectoral classification. So what does NIS2 compliance look like for these kinds of entities?
Lean Teams, High Impact
Imagine a small solar park operator with only 8 employees. It doesn’t have an internal IT department, and its digital systems are outsourced to an external provider. Still, its annual revenue exceeds €10 million and it operates in the energy sector. These two facts alone are enough to trigger compliance obligations under Hungary’s 2024 Cybersecurity Act.
This isn’t a unique case. Many businesses across different sectors fall into similar categories.
NIS2 Applicability: It’s Not Just About Size
Hungary’s Cybersecurity Act of 2024 (Act LXIX) implements the NIS2 Directive domestically. It defines “essential” and “important” entities not just by company size, but also based on industry risk level and economic indicators.
A company falls within NIS2 scope if it operates in one of the sectors listed in Annex 2 or 3 of the Act, such as energy, healthcare, transportation, or digital infrastructure, and it meets either of the following size thresholds:
- More than 50 employees, OR
- Annual turnover or balance sheet total over €10 million
If both the sector condition and one of the size thresholds are met, compliance is mandatory, regardless of whether the company has its own IT infrastructure or not.
“But We Don’t Even Have Our Own IT System” – Still Not Exempt
Many smaller companies outsource their IT operations entirely. They use cloud services or rely on third-party vendors for system management. It’s a common situation, but unfortunately not an excuse under the law.
What changes is how these companies must comply.
Instead of focusing on complex technical deployments, the emphasis shifts to organizational-level cybersecurity measures, such as internal rules, accountability, and vendor governance.
What Should These Companies Do?
For small or low-operation companies under NIS2, the path to compliance involves:
- Establishing a cybersecurity policy
- Defining clear roles and responsibilities
- Implementing internal incident handling and access control procedures
- Ensuring staff training and awareness
When it comes to the IT systems themselves, especially if outsourced, companies must enforce compliance through contractual obligations with their providers. The day-to-day work of meeting the NIS2 standards may rest with the system operator, but the legal responsibility stays with the organization, which must ensure those standards are met through legally binding terms.
Risk Management: The Core of NIS2 Compliance
One of the most overlooked yet most critical elements of NIS2 compliance is risk assessment and management.
Organizations must identify their information security risks, document them, and take measures to mitigate these risks. This is a legal requirement, not a recommendation.
The good news? Compliance doesn’t have to be complicated or expensive. Often, a well-structured set of policies and a few strategic decisions, developed with expert support, can satisfy most of the regulatory requirements.
Compliance Isn’t Optional
NIS2 compliance is mandatory for all entities covered under the directive, including small businesses that meet the criteria. Failing to comply can lead to significant penalties, including fines and other regulatory actions.
However, with a clear strategy, proper guidance, and early planning, even smaller organizations can navigate compliance effectively and strengthen their cybersecurity posture in the process.
Key Takeaways
- You don’t need to be a large enterprise to be NIS2-regulated
- Even without in-house IT, you still have compliance duties
- Focus on organizational and contractual measures
- Risk management is not optional; it is the heart of the process
- Failing to comply can bring serious legal consequences
Start preparing now. Let our experts guide you through your first cybersecurity audit and beyond.