Compliance IT Security April 6, 2026 by Erik Horn

NIS2 doesn't stop at those subject to NIS2


Many small and medium-sized businesses have looked at NIS2 and thought that it only applies to a few, large players. Energy, health, transport, finance — critical infrastructure companies with hundreds of employees and billions in revenue.

That's right. On paper.

But that's not where it stops.

The same businesses rely on suppliers. And the suppliers, in turn, have their own suppliers. When the demands for security, control, and documentation are tightened for those directly involved, the same demands begin to appear further down the chain. Not necessarily as legal requirements—but as questions from customers who are themselves subject to NIS2 and need to document that the entire supply chain meets the standard.

In Denmark, fewer than 2,000 companies have registered as NIS2-liable — far fewer than the 3,000 authorities had expected. Many simply don't know they are covered. And even more don't know that the requirements will affect them indirectly — through their customers.

That's the part that is interesting to Norwegian SMEs.

When the customer asks

The initial questions often concern security. Do you have access control in place? Do you have logging? How do you handle incidents? Many answer these well: they have worked on security, perhaps towards ISO 27001 or an equivalent, and have put a lot in place.

But then comes the next round.

What kind of data do you actually process? Why do you have it? Who has access—in practice, not on paper? How long is it stored? Which subcontractors are involved?

And then it becomes quiet.

Not because the company hasn't done anything. But because the work has gone into security, and less into what actually happens with the data over time. The systems are controlled, but not necessarily the usage. It's a gap that many only discover later, on the day the customer asks the questions.

Two issues that are connected

NIS2 is about robustness — management systems, preparedness, incident management, supply chains. GDPR is about personal data — purpose, storage period, access, rights.

They are not the same. But they overlap more than most people think.

You can have good control over IT security and still have weak control over personal data. You can have technical measures in place and still lack an overview of purpose, storage period, and actual use. The agreement describes one thing; reality drifts in another direction. Access is gradually expanded, often without anyone making a conscious decision.

NIS2 explicitly states that the directive does not override GDPR. The two regulations exist side by side. And for a business that wants to respond well when a customer asks, it is the whole that counts, not just one track.

Supply chain as a compliance test

What makes NIS2 particularly relevant for SMBs is its focus on supply chains. Businesses subject to NIS2 are required to assess the risks in their supplier relationships. This means they will ask questions downwards and expect documented answers.

Not as a formality. As a qualification requirement.

We have already seen this in the GDPR context. Procurement departments require data processing agreements, subcontractor lists, documentation on access control and incident management. Those who cannot deliver are rejected.

NIS2 strengthens this dynamic. The requirements become broader—not just personal data, but the entire robustness of the business. And they go deeper—not just contract text, but actual practice.

Grant Thornton points out that many companies have not yet registered as NIS2-obligated, and the expectation is that supervisory authorities will enforce the regulations consistently. There is reason to believe that the same will apply in Norway when the regulations are fully implemented.

What an SMB truly needs

Not all of it. But enough to be able to answer.

This means you should be able to explain what you deliver, what systems you use, what data is involved, who has access, what vendors you use, how you handle incidents, and how you know that what you say actually matches what's happening.
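The last item in that list, knowing that the documentation matches reality, is the one most businesses cannot answer from memory, and it is the same gap described earlier under "Two issues that are connected" (access expanding without a decision, retention drifting past what the agreement says). The following is an added example, not code from the article or from Grant Thornton, of a small reconciliation check: it compares a declared register (system, purpose, retention period, approved users, approved subcontractors) with an export of what the systems actually show, and reports every point where reality contradicts the paperwork. The register, the export, the user names and the subprocessor names are all constructed for illustration; in practice the "actual" side would come from IAM group exports, database age queries and vendor inventories.

```python
"""Reconcile a declared data/access register against what systems actually show.

Added example, not the article's own code. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    system: str
    kind: str      # which documented fact reality contradicts
    detail: str


# Constructed register: what the documentation and data processing agreements claim.
DECLARED = {
    "crm": {"purpose": "customer support", "retention_days": 365,
            "users": {"anna", "bjorn"}, "subprocessors": {"cloudcrm-eu"}},
    "billing": {"purpose": "invoicing", "retention_days": 1825,
                "users": {"bjorn"}, "subprocessors": set()},
}

# Constructed export: what the systems show when you actually look.
ACTUAL = {
    "crm": {"users": {"anna", "bjorn", "carl", "svc-marketing"},
            "subprocessors": {"cloudcrm-eu", "mailblast-us"},
            "oldest_record_days": 910},
    "billing": {"users": {"bjorn"}, "subprocessors": set(),
                "oldest_record_days": 1200},
    "shared-drive": {"users": {"anna", "bjorn", "carl"}, "subprocessors": set(),
                     "oldest_record_days": 2400},
}


def reconcile(declared: dict, actual: dict) -> list[Finding]:
    """Return every point where the export contradicts the register.

    Systems are walked in sorted order so the output is stable and diffable
    between quarterly runs.
    """
    findings: list[Finding] = []
    for system in sorted(set(declared) | set(actual)):
        if system not in declared:
            # Data lives somewhere the register never mentions: the customer's
            # "what data do you process?" question cannot be answered for it.
            findings.append(Finding(system, "undocumented_system",
                                    "exists in export but has no register entry"))
            continue
        if system not in actual:
            findings.append(Finding(system, "no_export",
                                    "register entry but no access export to verify it"))
            continue
        doc, real = declared[system], actual[system]
        # Access that grew without a decision (the "in practice, not on paper" gap).
        for user in sorted(real["users"] - doc["users"]):
            findings.append(Finding(system, "undeclared_access", user))
        # Access the register still lists but nobody has: the paperwork is stale.
        for user in sorted(doc["users"] - real["users"]):
            findings.append(Finding(system, "stale_register_entry", user))
        # Subcontractors the DPA and subprocessor list do not mention.
        for sub in sorted(real["subprocessors"] - doc["subprocessors"]):
            findings.append(Finding(system, "undeclared_subprocessor", sub))
        # Data kept longer than the declared storage period.
        if real["oldest_record_days"] > doc["retention_days"]:
            findings.append(Finding(
                system, "retention_exceeded",
                f"oldest record {real['oldest_record_days']} d > declared "
                f"{doc['retention_days']} d"))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for the one-line answer to 'how bad is it?'."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(DECLARED, ACTUAL):
        print(f"{f.system:13} {f.kind:24} {f.detail}")
    print(summary(reconcile(DECLARED, ACTUAL)))
```

Run against the constructed data, the check finds two people with CRM access nobody approved, one US-based mail vendor missing from the subprocessor list, customer records kept two and a half times longer than the agreement says, and a shared drive the register does not know exists. Billing comes out clean. None of that is a security incident, and none of it would be caught by a control that only looks at whether access control and logging are switched on; it is exactly the second round of customer questions the article describes.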

Not everyone needs to know everything. But everyone needs to know enough in their own area. The person handling customer data in the CRM does not need to understand the entire NIS2 directive. However, they need to know what they have access to, why, and what to do if something goes wrong.

It's not really that different from good cooking. You don't have to be a chef to season the food correctly. But you need to have the spices where the food is made — not hidden in a cupboard that no one opens.

The question is not whether you are NIS2-obligated

It's about you being ready for the day the customer asks.

For many, that test doesn't come from the authorities. It comes from a customer who is under pressure themselves—and who needs to know the supply chain is holding up.

It's not a threat. It's an opportunity. Businesses that can document control—over security and privacy—are stronger in tender processes, in customer relationships, and when facing unexpected events.

You don't have to do everything at once. But you do need to have started.

Inspired by: Grant Thornton — «Are you familiar with NIS2? Many companies aren't» (March 2026)

