NIS2 scope confuses most Danish SaaS leaders. The directive is long, the Danish transposition (Cybersikkerhedsloven, effective 2025) adds its own wrinkles, and the public commentary is written either for lawyers or for people selling fear. None of that helps when you're a CEO or CTO trying to answer one question: does this apply to me, yes or no?

The good news: for most 40-250 person B2B SaaS companies, the answer can be reached in under 15 minutes with the right questions in the right order. This guide is that order. Work through it top to bottom. By the end you'll have a defensible answer and know what to do in the next quarter.

Step 1: Does your sector appear in Annex I or Annex II?

NIS2 applies only to entities operating in the sectors listed in its two annexes. If your business doesn't fit any of them, skip ahead to Step 3 -- you may still get pulled in through the supply chain door.

Annex I sectors (essential entities, high criticality)

(Each row: sector, then whether that sector commonly applies to Nordic B2B SaaS.)

  • Energy (electricity, oil, gas, district heating, hydrogen): No, unless you operate infrastructure
  • Transport (air, rail, water, road): No
  • Banking: No (regulated separately under DORA)
  • Financial market infrastructure: No (DORA applies)
  • Health (hospitals, labs, pharma, medical device manufacturers): Yes, if you run clinical infrastructure or certain medtech
  • Drinking water: No
  • Waste water: No
  • Digital infrastructure (DNS, TLD, cloud providers, data centres, CDNs, trust services, electronic comms): Yes, this captures many infrastructure-tier SaaS
  • ICT service management (managed service providers, managed security service providers): Yes, this is where most B2B ICT firms land
  • Public administration: No, unless you are a public body
  • Space (ground infrastructure operators): No

Annex II sectors (important entities)

(Each row: sector, then whether that sector commonly applies to Nordic B2B SaaS.)

  • Postal and courier services: No
  • Waste management: No
  • Manufacture, production, distribution of chemicals: No
  • Production, processing, distribution of food: No (unless you are an agtech/foodtech producer)
  • Manufacturing (medical devices, computers/electronics, machinery, motor vehicles, other transport equipment): Sometimes, for hardware-adjacent SaaS
  • Digital providers (online marketplaces, online search engines, social networking platforms): Yes, this is the classic SaaS bucket, but narrower than most people assume. B2B SaaS products are usually NOT "digital providers" under this definition
  • Research (research organisations): No, unless you are a research institution

The important nuance: the "digital providers" category under Annex II is narrower than most SaaS founders think. It means online marketplaces, online search engines, and social networking platforms. A typical B2B SaaS product sold to businesses (CRM, HR tools, compliance software, analytics) does not automatically fall here.

The category that catches most B2B SaaS and ICT companies is under Annex I: digital infrastructure (if you run DNS, TLD, cloud, data centres, CDN, trust services, or electronic communications) or ICT service management (if you are a managed service provider or managed security service provider). One caveat on "cloud": the NIS2 definition of a cloud computing service is broad (on-demand, remotely accessible, scalable and elastic shared computing resources), and recital 33 of the directive names SaaS alongside IaaS and PaaS as service models it covers. A multi-tenant B2B platform can therefore land in Annex I as a cloud computing service provider even though it is not a "digital provider" under Annex II. If your product is delivered that way, treat this as a borderline question rather than assuming you are out.

If no sector applies, jump to Step 3. If one does, continue to Step 2.

Step 2: Size threshold and entity classification

NIS2 applies only to entities in the listed sectors that are medium-sized or larger, plus the size-independent cases listed further down. Size follows the EU SME definition in Commission Recommendation 2003/361/EC, which NIS2 references directly. That definition combines headcount with a financial test, and the financial test is where people misread it: you stop being "small" when you reach 50 FTE, or when both annual turnover and balance sheet total exceed EUR 10M; you stop being "medium" when you reach 250 FTE, or when turnover exceeds EUR 50M and balance sheet total exceeds EUR 43M. A 40-person company with EUR 15M turnover and a EUR 12M balance sheet is therefore medium-sized and in scope, despite being under 50 FTE.

(Each row: size class, thresholds, then your classification if your sector is in Annex I, and if it is in Annex II.)

  • Small / micro: under 50 FTE, and turnover ≤ EUR 10M or balance sheet ≤ EUR 10M. Annex I: out of scope (with exceptions below). Annex II: out of scope (with exceptions below).
  • Medium: under 250 FTE, and turnover ≤ EUR 50M or balance sheet ≤ EUR 43M, but above the small ceiling (50 FTE or more, or both turnover and balance sheet above EUR 10M). Annex I: important entity. Annex II: important entity.
  • Large: 250 FTE or more, or turnover > EUR 50M and balance sheet > EUR 43M. Annex I: essential entity. Annex II: important entity.

The three outcomes in plain language

Not in scope.You are below the size threshold, you're not in a listed sector, or both. Your direct NIS2 obligations are zero. Read Step 3 anyway -- your customers may still impose NIS2-equivalent requirements on you.

Important entity. You are in scope. You need to implement the Article 21 risk-management measures, meet the Article 23 incident reporting timelines, and register with the competent authority (in Denmark, that is Styrelsen for Samfundssikkerhed (SAMSIK), the national single point of contact since early 2025, or the relevant sectoral authority). Supervision is reactive (ex post): authorities act when they receive evidence, a complaint, or an incident report. Maximum fines: EUR 7M or 1.4% of global annual turnover, whichever is higher.

Essential entity. Same obligations as important, but supervision is proactive (ex ante): authorities can run regular and targeted audits, on-site inspections, and security scans on their own initiative. Note that management-body liability under Article 20 applies to both classes, not just essential entities. What is specific to essential entities is the last-resort measures: authorities can temporarily suspend a certification or authorisation, and can ask the courts to temporarily bar the CEO or legal representative from exercising managerial functions until the breach is remedied. Maximum fines: EUR 10M or 2% of global annual turnover, whichever is higher.

Size-independent overrides

Size doesn't matter in a handful of cases (Article 2(2)). You are in scope regardless of headcount or revenue if you are:

  • A provider of public electronic communications networks or publicly available electronic communications services (a telco, in plain language)
  • A trust service provider (issuing electronic signatures, seals, timestamps), whether or not it is a qualified provider under eIDAS
  • A TLD name registry or DNS service provider
  • The sole provider in a Member State of a service essential for maintaining critical societal or economic activities
  • Specifically identified by your Member State because disruption of your service could significantly affect public safety, security or health, could cause a systemic risk with cross-border impact, or because you are critical at national or regional level for your sector

Being in scope is not the same as being essential. Qualified trust service providers, TLD name registries and DNS service providers are essential entities regardless of size, so a five-person DNS provider is an essential entity. A telco is essential only if it is at least medium-sized; below that it is an important entity. A non-qualified trust service provider, or an entity caught by the sole-provider or designation rules, is an important entity unless the Member State specifically designates it as essential. Public administration entities are also in scope regardless of size, but that is not a SaaS question.

Step 3: The supply chain question (the trap)

This is where most Danish SaaS leaders get a false sense of security. You run through steps 1 and 2, you're under 50 FTE or your sector isn't listed, and you conclude: not in scope, done, filing this away.

That conclusion is legally correct. Operationally, it may be wrong.

NIS2 Article 21(2)(d) requires entities in scope to manage supply chain security, including the security of their relationships with direct suppliers and service providers. In practice this means your enterprise customers who ARE in scope -- banks (via DORA), large healthcare providers, utilities, large public administration, telecoms, big manufacturers -- are now legally required to assess and manage cybersecurity risk across their suppliers, and they discharge that obligation through contracts. You are a supplier. Therefore they will send you NIS2-equivalent control questionnaires, audit clauses, and incident notification obligations whether or not NIS2 names you directly.

Answering “we're not in scope of NIS2” does not satisfy their supply chain risk obligation. They still have to evaluate you. If you can't answer their questionnaire credibly, they will either walk away, demote you to a lower tier, or write their own controls into your contract and charge you for the cost of assurance.

Practical rule of thumb: if more than 20% of your revenue comes from regulated or NIS2-in-scope customers, treat yourself as operationally in scope even if legally out. Build the controls. Document them. Have answers ready. The cost of doing this proactively is a fraction of losing a key account mid-renewal because your security review failed.

Step 4: If you are in scope -- the 5 things to do this quarter

If you've concluded you're an important or essential entity, here is what matters in the next 90 days. Not everything, but the five that disproportionately reduce your risk and demonstrate good faith to regulators.

  1. Assign a NIS2 accountable executive. One named person, with authority and budget, signing off on the programme. Not the DPO by default (different law, different mandate). Not the CTO by default either, unless the CTO has clear security ownership. Often this lands with a Head of Security, COO, or in smaller companies the CEO directly. The point is: one throat to choke. Regulators and customers both want a name.

  2. Inventory your cybersecurity risk-management measures against Article 21's 10 headings. Those headings are: risk analysis and information system security policies; incident handling; business continuity (backup management, disaster recovery) and crisis management; supply chain security; security in acquisition, development, and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control, asset management; and multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communications. Map what you already have against each heading. Gaps become your roadmap.

  3. Implement incident detection and a 24-hour early warning process. Article 23 requires an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident (one that causes or can cause severe operational disruption or financial loss, or considerable damage to others), a full incident notification within 72 hours, and a final report within one month of that notification, with intermediate status updates if the authority asks for them. You need detection, a classification rule that decides what counts as "significant", a decision path, and a documented comms flow. This is not optional. Write it down, run a tabletop exercise against it, keep the artefact.

  4. Document supplier and vendor cybersecurity assessments. Pull together the list of your critical third parties (cloud, identity, payments, key SaaS). Document your risk assessment of each one: what assurance do you have (SOC 2, ISO 27001, pen test reports), what contract clauses, what incident notification terms. This is the supply chain leg of Article 21 and it's the piece most companies don't have written down.

  5. Book the management body cybersecurity training. Article 20 obliges members of the management body (board, executive team) to follow training. It's not enough for the CISO to know what's going on -- the people signing off on strategy and budget must have enough literacy to approve the risk decisions. Book a half-day session with a qualified trainer, record attendance, keep the certificate. This is cheap, easy, and the single most obvious thing an auditor will ask for.

Step 5: If you are out of scope but contractually pulled in

You're below the threshold or outside the listed sectors, but enterprise customers are pushing NIS2-style questionnaires at you. Three actions give you 80% of the benefit without running a full NIS2 programme.

  1. Answer customer NIS2 questionnaires proactively with a standard response pack. Build a single, pre-approved response document that covers the common questions: Article 21 measures, incident reporting process, supplier management, training. Version-control it. Every time a customer asks, send the current version plus a short cover note. You cut response time from weeks to hours and you control the narrative.

  2. Align your existing ISO 27001 or SOC 2 framework to NIS2 Article 21 headings. If you have an ISMS, most of Article 21 is already covered -- just not mapped. Build a crosswalk: each Article 21 heading maps to one or more ISO 27001 Annex A controls or SOC 2 Trust Services Criteria. Store it as a single document. When a customer asks "are you NIS2 compliant," you hand them the crosswalk plus your ISO or SOC 2 report. Zero duplicate work.

  3. Watch the upgrade path. Your NIS2 scope changes whenever your size class changes. If you reach 50 FTE, or both your turnover and your balance sheet total pass EUR 10M, you are no longer "small" and must re-run Step 2. Growing companies stumble here because they're focused on hiring and shipping, not legal reassessment. Put a calendar reminder for the start of each fiscal year to re-check headcount and both financial figures.

Reality check -- what this doesn't tell you

This decision tree is a starting point, not a legal opinion. It covers the 80% case. Edge cases exist and they matter:

  • Critical supplier designation by a Member State authority can drag you in regardless of size or sector
  • Cross-border operations complicate which Member State's competent authority has jurisdiction
  • Government contracting may bring sector-specific requirements that layer on top of NIS2
  • Sector-specific overlays (DORA for financial services, CER for physical resilience) can interact in non-obvious ways
  • Group structures with parent entities in or out of the EU create entity-level scoping questions

If the initial answer is borderline, or your company has any of these complicating factors, don't guess. Book a 30-minute scoping call with someone who does this work regularly. A wrong answer here is either expensive (you build a compliance programme you didn't need) or existential (you fail a customer audit or get a regulatory notice because you thought you were out).

Where to go from here

Read the full NIS2 article on the site. If you want the broader context -- how NIS2 fits with DORA, what Denmark's Cybersikkerhedsloven adds on top, and how the supervisory regime actually works in practice -- the long-form article goes deeper than this guide allows.

See the services page. I run scoping calls, Article 21 gap assessments, and full NIS2 implementation programmes for growing Nordic companies. Fixed-scope engagements, no retainer nonsense. If you already know you're in scope and want to move, that's where to start.

Get in touch. If you've worked through this guide and the answer is still unclear, send me a note. Half an hour on a call usually settles it, and if it doesn't, at least you'll know exactly which specialists to involve.