---
title: "NIS2 for SaaS: minimum checklist for 2026"
description: "The NIS2 directive is in force · here's the smallest realistic software checklist any EU-serving SaaS must hit to avoid fines."
date: 2026-04-20
updated: 2026-04-20
author: "Dezső Mező"
tags: "NIS2, Compliance, Security, EU"
slug: nis2-for-saas-en
canonical: https://dfieldsolutions.com/blog/nis2-for-saas-en
---

# NIS2 for SaaS: minimum checklist for 2026

What NIS2 actually demands from a mid-size SaaS: incident reporting, supply-chain, access control, and 3 basic rules we run ourselves.
The [NIS2 directive](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive) took effect on 17 October 2024, and national transposition laws have since placed concrete obligations on 'important' and 'essential' organisations. If your SaaS serves EU customers, you're probably 'important'. Our [Cybersecurity service](/services/cybersecurity) covers exactly this readiness work · here's the minimum checklist.

## 1. Incident reporting: 24h, 72h, 1 month

NIS2 mandates: an early-warning within 24 hours, an incident assessment within 72 hours, and a final report within one month. This is runbook work, not 'when-it-happens' work. Write it today.

- An on-call engineer with the authority to say 'I'm reporting it' and file it at the push of a button.
- A severity rubric: Sev1 → immediate, Sev2 → within 24h, Sev3 → post-mortem.
- Pre-written early-warning template for the national CSIRT portal.

## 2. Supply-chain risk

List critical vendors (AWS, Stripe, SendGrid, …), rank by business risk, and have a DPA + security attestation (SOC2, ISO27001) for every 'important' one.

## 3. Access control: MFA, rotation, zero-standing

- MFA for everyone, no exceptions. Tech users too.
- Production SSH: just-in-time, 30-minute TTL.
- API-key rotation: quarterly at minimum, automated.

## 4. Patching and vulnerability management

NIS2 says 'reasonable timeframe'. Practical reading: critical CVE in 48h, high in 7 days, medium in 30 days. Run this as an SLA, not a 'we'll look at it'.
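As an added example (not code from the article or from DField Solutions), here is a small Python helper that turns both of the article's clocks into something a scanner or ticketing job can call: the 24h / 72h / one-month reporting stages from section 1 and the 48h / 7-day / 30-day patch SLA from this section. It assumes 'one month' counts as 30 days, that severities outside the table (such as 'low') carry no SLA clock, and a 24-hour 'due soon' warning window; the findings, timestamps and scanner references are constructed.

```python
"""NIS2 clock helpers: incident-reporting deadlines and patch-SLA tracking.

The figures follow the article; everything else is an assumption noted inline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting stages (article: 24h early warning, 72h assessment, one month final report).
# Assumption: "one month" is counted as 30 days; confirm against your national transposition.
REPORTING_STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("assessment", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)

# Patch SLA (article: critical 48h, high 7 days, medium 30 days).
# Assumption: severities missing from this table carry no SLA clock.
PATCH_SLA = {
    "critical": timedelta(hours=48),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
}

WARN_WINDOW = timedelta(hours=24)  # assumption: flag items due within the next 24h


def _aware(ts: datetime) -> datetime:
    """Reject naive timestamps: mixed time zones are how a 24h clock silently drifts."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts


def reporting_deadlines(detected_at: datetime) -> dict[str, datetime]:
    """Absolute deadline for each reporting stage, measured from detection time."""
    detected_at = _aware(detected_at)
    return {name: detected_at + delta for name, delta in REPORTING_STAGES}


def overdue_reports(detected_at: datetime, submitted: dict[str, datetime], now: datetime) -> list[str]:
    """Stages whose deadline passed with no submission, or whose submission came after it."""
    now = _aware(now)
    late = []
    for name, deadline in reporting_deadlines(detected_at).items():
        sent = submitted.get(name)
        if sent is None:
            if now > deadline:
                late.append(name)
        elif _aware(sent) > deadline:
            late.append(name)
    return late


@dataclass(frozen=True)
class Finding:
    ref: str        # scanner reference (constructed placeholders in the sample below)
    severity: str
    found_at: datetime


def patch_due(finding: Finding):
    """Deadline for a finding under the patch SLA, or None if its severity has no clock."""
    delta = PATCH_SLA.get(finding.severity.lower())
    return None if delta is None else _aware(finding.found_at) + delta


def sla_status(finding: Finding, now: datetime) -> str:
    """One of: breached, due_soon, on_track, unscheduled."""
    due = patch_due(finding)
    now = _aware(now)
    if due is None:
        return "unscheduled"
    if now > due:
        return "breached"
    if due - now <= WARN_WINDOW:
        return "due_soon"
    return "on_track"


def sla_report(findings, now: datetime) -> dict[str, list[str]]:
    """Group finding refs by status, most urgent first within each group."""
    report = {"breached": [], "due_soon": [], "on_track": [], "unscheduled": []}
    # Items with a deadline sort by deadline; unscheduled items sort last by discovery date.
    ordered = sorted(findings, key=lambda f: (patch_due(f) is None, patch_due(f) or f.found_at))
    for f in ordered:
        report[sla_status(f, now)].append(f.ref)
    return report


# Constructed sample data (not real scan output); "now" is pinned so the demo is deterministic.
NOW = datetime(2026, 4, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("scan-001", "critical", NOW - timedelta(hours=60)),         # 48h clock already passed
    Finding("scan-002", "high", NOW - timedelta(days=6, hours=12)),     # 7-day clock ends in 12h
    Finding("scan-003", "medium", NOW - timedelta(days=5)),             # 30-day clock, 25 days left
    Finding("scan-004", "low", NOW - timedelta(days=90)),               # no SLA clock
]
SAMPLE_INCIDENT_DETECTED = NOW - timedelta(hours=30)
SAMPLE_SUBMITTED = {"early_warning": NOW - timedelta(hours=5)}          # sent at hour 25: late

if __name__ == "__main__":
    print("patch SLA:", sla_report(SAMPLE_FINDINGS, NOW))
    print("late reports:", overdue_reports(SAMPLE_INCIDENT_DETECTED, SAMPLE_SUBMITTED, NOW))
```

Run it from a daily job against your real scanner export and page on anything in `breached` or `due_soon`; the same `overdue_reports` check, fed from the incident ticket's timestamps, is the evidence an auditor will ask for when they want to see that the 24h and 72h clocks were actually met.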

## 5. Training: twice a year minimum

Mandatory security awareness training. Don't stop at click-through; include phishing simulations. You must be able to show the record at audit.

## We can help

Four of the five items above can be live in 2-3 weeks with your team. The fifth (patch SLA) is a 6-month project. Email us if you want hands-on help.

---

Source: https://dfieldsolutions.com/blog/nis2-for-saas-en
Author: Dezső Mező · Founder, DField Solutions
Site: https://dfieldsolutions.com
