NIS2 Compliance and B2B Communication Infrastructure: Is Your Messaging Stack Audit-Ready?

TL;DR:

  • NIS2 compliance means implementing the 10 technical and organizational measures defined in Article 21 of EU Directive 2022/2555 – covering supply chain security, incident reporting, MFA, encryption, and business continuity.
  • Who it covers: Essential Entities (≥250 employees or >€50M turnover) and Important Entities (≥50 employees or >€10M turnover) across 18 EU critical sectors. An estimated 160,000+ organizations EU-wide.
  • The supply chain angle: Under Art. 21(2)(d), your email, SMS, or push notification platform is an ICT service provider – and must be audited as part of your NIS2 supply chain assessment.
  • What auditors check at your vendor: ISO 27001/SOC2, DKIM/DMARC/SPF, encryption, EEA data residency, incident notification SLA (24h/72h), BCP/DRP documentation.
  • Penalties: Up to €10M or 2% of global turnover (Essential); €7M or 1.4% (Important). Board members face personal liability.
  • Timeline: Most EU member states have now transposed NIS2 or are in late-stage transposition. If you operate in the EU, the regulation is already in effect or imminent.

Most NIS2 guides focus on what your organization must do. Few address what your vendors must prove to you. Yet Article 21(2)(d) makes clear: your supply chain is your compliance exposure – and an unsecured email or SMS platform will show up in your audit.

NIS2 (EU Directive 2022/2555) is the EU’s baseline cybersecurity framework, applying to medium and large organizations in 18 critical sectors. Under Article 21, every covered entity must assess the security posture of its ICT suppliers – including the platforms delivering transactional emails, SMS alerts, and push notifications. 

This guide covers which organizations are in scope, what Article 21 requires in practice, how to audit your communication vendor before your NIS2 review, and what MessageFlow guarantees as a NIS2-aligned ICT supplier.

What Is NIS2 and Who Does It Apply To?

Timeline and scope

NIS2 – Directive (EU) 2022/2555 – replaced the original NIS Directive of 2016 and entered into force across the EU in January 2023. Member states were required to transpose it into national law by October 17, 2024. Transposition is now at an advanced or completed stage across the major EU economies: Germany has transposed; France and the Netherlands are in advanced implementation; Poland transposed on April 3, 2026. For organizations operating across multiple EU markets, NIS2 is already live – even if your specific jurisdiction is still finalizing its national legislation.

Essential and Important Entities – thresholds and sectors

The directive creates two tiers of covered entities.

  • Essential Entities – energy, transport, banking, healthcare, digital infrastructure, public administration, space. Size threshold: typically ≥250 employees or annual turnover above €50M.
  • Important Entities – food, manufacturing, postal and courier services, waste management, digital services B2B, and chemicals. Threshold: typically ≥50 employees or annual turnover above €10M.

The European Commission estimates NIS2 covers over 160,000 organizations EU-wide – up from roughly 10,000 under NIS1.

One important nuance: even organizations that fall below these thresholds are not necessarily out of scope. If your customers are Essential or Important entities, they are contractually required to assess your security posture as part of their own NIS2 supply chain obligations. Market pressure will enforce compliance before the regulator does.


Board liability and the readiness gap

NIS2 changes not just processes – it changes who is accountable for them. Article 34 is unambiguous: Essential Entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important Entities: up to €7 million or 1.4%.

Crucially, NIS2 introduces personal liability for board members – executives can be held individually responsible for cybersecurity failures. According to analysis by Skadden, the ENISA Technical Implementation Guidance published in June 2025 clarifies how national regulators are expected to apply these obligations in practice.

The readiness gap is stark. Fewer than 30% of European businesses report high cyber resilience, according to Xopero Software’s Cybersecurity Trends 2026 report. Regulatory exposure and organizational preparedness are moving in opposite directions.

What NIS2 Article 21 Actually Requires – The 10 Technical Measures

Article 21 is the operational core of NIS2. It defines 10 mandatory technical and organizational measures that all covered entities must implement. 

The full list of measures under Article 21(2):

  1. Risk analysis and information system security policies – documented methodology for assessing threats to all ICT systems, including communication channels.
  2. Incident handling – detection, classification, and response procedures. Required timelines: initial report within 24 hours, detailed report within 72 hours of detection.
  3. Business continuity, backup management, and disaster recovery (BCP/DRP) – operational continuity plans covering communication channel outages.
  4. Supply chain security – formal assessment of the cybersecurity posture of every direct ICT supplier and service provider. 
  5. Security in network and information system acquisition, development, and maintenance – security standards for procuring and managing ICT systems.
  6. Policies for assessing the effectiveness of cybersecurity risk measures – internal audit and review mechanisms.
  7. Basic cyberhygiene practices and cybersecurity training – employee training, vulnerability management, and foundational security practices.
  8. Policies and procedures on the use of cryptography and encryption – documented encryption standards for data in transit and at rest.
  9. Human resources security, access control, and asset management – role-based access, onboarding/offboarding procedures, asset inventory.
  10. Multi-factor authentication (MFA) and secure communications – MFA across all systems with access to sensitive data; secure voice, video, and text communications, including emergency channels. 

For any organization relying on external B2B communication platforms, two of these measures are particularly consequential, #4 and #10:

  • Article 21(2)(d) requires covered entities to formally assess every direct ICT supplier – not just internal systems. An email API, SMS gateway, or push notification service that has not been vetted creates a compliance gap that NIS2 auditors are specifically trained to identify. According to Allianz Commercial’s Cyber Security Resilience Report 2025, supply chain incidents accounted for 15% of large cyber claims (over €1M) by value in H1 2025, up from just 6% in 2024. The SolarWinds attack alone – a single supply chain exploit – compromised over 18,000 organizations worldwide, according to CISA.
  • NIS2 explicitly calls out secure voice, video, and text communications under measure #10. The ENISA Technical Implementation Guidance (June 2025) confirms that email and messaging infrastructure fall within scope. Unencrypted channels and messaging platforms without proper authentication infrastructure do not meet the requirement.

Why B2B Communication Platforms Fall Under NIS2 Supply Chain Rules

If your organization is an Essential or Important Entity, you must manage the cybersecurity risk of every direct ICT supplier and service provider you rely on. A B2B messaging platform – whether an email API, an SMS gateway, or a push notification service – is an ICT service provider by definition. It processes your data, handles your customers’ contact information, and sits in the critical path of your operational communications.

That means it will be on the auditor’s checklist. Here is what a NIS2 auditor will typically ask about your communication vendor:

  • Certifications – does the vendor hold ISO 27001 and/or SOC2? Are certifications current and scoped to cover the services you use?
  • Incident notification – can the vendor confirm a security incident to you within 24 hours? Your own 24h/72h reporting clock starts regardless of when your vendor notifies you.
  • Encryption – is data encrypted in transit and at rest?
  • Email authentication – does the platform support DKIM, DMARC, and SPF? 
  • MFA and access controls – is API access secured with multi-factor authentication and IP restrictions?
  • Data residency – is data processed exclusively on servers within the European Economic Area (EU plus Norway, Iceland, and Liechtenstein)?
  • BCP/DRP commitments – what delivery continuity SLA does the vendor guarantee? Are business continuity plans documented and tested?
  • Audit support – can the vendor respond to security questionnaires and provide documentation for your compliance records?

Supply chain security does not end at your firewall – it ends where your vendors’ security practices end.

For organizations in regulated EU sectors, that distinction carries a price tag: the average global data breach now costs approximately $5 million, according to Allianz Commercial’s Cyber Risk Trends 2025. A breach traced to an unvetted communication vendor is both a financial and a regulatory event.

Note: NIS2 does not name DMARC explicitly. It mandates risk management of communication channels. Industry experts recognize DKIM/DMARC/SPF as the accepted technical implementation of that requirement under Article 21.
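As an added illustration (not part of the original article or of MessageFlow's tooling), the function below applies the SPF and DMARC checks from the auditor list above to DNS TXT record strings and returns findings suitable for a vendor assessment file. The domain names and records are constructed; in a real review you would first fetch the live TXT records for the sending domain and for `_dmarc.<domain>`.

```python
"""Offline evaluator for the email-authentication evidence a NIS2 supply-chain
review collects from a messaging vendor: the SPF and DMARC TXT records.

Added example, not MessageFlow code. All records below are constructed.
"""
from typing import Dict, List


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a DMARC-style 'tag=value; tag=value' string into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_email_auth(spf_txt: str, dmarc_txt: str, vendor_include: str) -> List[str]:
    """Return audit findings for one sending domain; an empty list means all checks passed.

    vendor_include is the SPF include hostname the messaging vendor documents
    (a hypothetical value is used in the sample below).
    """
    findings = []
    # SPF: record must exist, authorize the vendor, and end with a restrictive qualifier.
    if not spf_txt.startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record")
    else:
        mechanisms = spf_txt.split()[1:]
        if f"include:{vendor_include}" not in mechanisms:
            findings.append(f"SPF: vendor {vendor_include} not authorized")
        if not mechanisms or mechanisms[-1] not in ("-all", "~all"):
            findings.append("SPF: record does not end with -all or ~all")
    # DMARC: record must exist, enforce (quarantine/reject), and request aggregate reports
    # so that spoofing attempts against the domain become visible to the entity.
    tags = parse_tags(dmarc_txt)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record")
    else:
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy p={tags.get('p', 'missing')} is not enforcing")
        if "rua" not in tags:
            findings.append("DMARC: no rua= aggregate reporting address")
    return findings


# Constructed sample records for a hypothetical sending domain and vendor include.
VENDOR_INCLUDE = "spf.example-vendor.test"
WEAK_SPF = "v=spf1 include:spf.example-vendor.test ?all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:spf.example-vendor.test -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, evaluate_email_auth(spf, dmarc, VENDOR_INCLUDE) or ["no findings"])
```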

NIS2 Compliance Checklist for B2B Communication Infrastructure

Use this table as the basis for your vendor conversation – and as an internal prompt if NIS2 supply chain assessment has not been prioritized yet. As of publication; consult legal counsel for jurisdiction-specific requirements.

| What your organization must implement internally | What to require from your messaging vendor |
|---|---|
| ☐ Document ICT risk management policy | ☐ ISO 27001 / SOC2 certification (current, correctly scoped) |
| ☐ Establish 24h/72h incident reporting procedure | ☐ Vendor incident notification SLA compatible with your 24h/72h obligations |
| ☐ MFA on all accounts accessing communication systems | ☐ MFA, IP restriction, and RBAC available on vendor platform |
| ☐ Maintain ICT vendor register with risk assessments | ☐ EEA data residency confirmation |
| ☐ Include security clauses in vendor contracts (NIS2/Art. 21 aligned) | ☐ DKIM/DMARC/SPF documentation (email channel) |
| ☐ BCP/DRP covering communication channel outages | ☐ SLA for delivery continuity + BCP/DRP documentation |
| ☐ Regular vendor security reviews | ☐ Ability to respond to security questionnaires and support audits |
| ☐ Formal Data Processing Agreement (DPA/GDPR-aligned) | |

According to the European Commission’s NIS2 Impact Assessment, organizations newly brought into scope can expect to increase cybersecurity spending by up to 22% in the early years of compliance. For organizations that already operated under NIS1, the increase is approximately 12%. That is a real cost – but still significantly lower than the maximum fine of €10 million for Essential Entities.

A few practical points when assessing a communication vendor:

  • ISO 27001 scope matters – verify that the certification covers the specific services you use, not just part of the vendor’s operations.
  • Data in the EEA requires specifics – ask for country or region names, not general assurances.
  • Incident notification timing – your 24-hour reporting window runs from the moment of detection, not from when your vendor gets around to informing you. Clarify this in the contract.
  • DPA before the audit – a Data Processing Agreement should be signed and on file before your auditor asks for it.
  • SLA as a compliance signal – a vendor unable to guarantee delivery continuity is a gap in your Article 21(3) business continuity obligations.

How MessageFlow Supports NIS2 Compliance

When your auditor asks for your ICT vendor documentation, you need evidence – not promises. MessageFlow is a certified B2B communication platform built to meet the supply chain security requirements of Article 21(2)(d):

  • ISO 27001 and SOC2 – audited by independent certification bodies against internationally recognized standards.
  • End-to-end encryption – data encrypted in transit and at rest; processed exclusively on servers within the European Economic Area.
  • DKIM, DMARC, SPF and a proprietary anti-phishing shield 360° – email authentication standards aligned with NIS2 communication risk management requirements under Article 21.
  • 2FA and IP authorization – two-factor authentication and IP-based access restrictions on all API accounts.
  • BCP/DRP/BIA regularly tested – business continuity and disaster recovery plans verified through scheduled testing, not just documented on paper.
  • ~99% deliverability SLA – guaranteed availability for critical communication channels.
  • GDPR-compliant with formal DPA – Data Processing Agreement available for every customer, aligned with GDPR and NIS2 requirements.
  • Trust Center – full security documentation available at docs.messageflow.com for compliance teams and CISOs.

Next Steps: Preparing Your Organization for NIS2

Most organizations discover gaps in their NIS2 supply chain documentation when the auditor is already in the room. That is not the right moment to start requesting certifications from vendors.

Three steps to take now:

  1. Assess your entity status – determine whether your organization qualifies as Essential or Important based on sector and size criteria. If you operate across multiple EU member states, check the ECSO NIS2 transposition tracker for your jurisdiction’s status.
  2. Inventory your ICT suppliers – include all communication platforms (email, SMS, push, API). These will be scrutinized as part of your supply chain assessment under Article 21(2)(d).
  3. Request vendor security documentation – ISO 27001/SOC2 certificates, incident notification procedures, EEA data residency confirmation, DKIM/DMARC/SPF documentation, and a signed DPA. Do this before your audit, not during it.

Organizations that start early negotiate with vendors from a position of strength. Those that wait collect documentation under time pressure – and pay more for it, in every sense.

We provide the security documentation your compliance team and CISO need to satisfy NIS2 supply chain audit requirements. View MessageFlow Security & Compliance Page.


FAQ – NIS2 Compliance and Business Communication

What does NIS2 compliance mean?

NIS2 compliance means implementing the cybersecurity risk management measures required by EU Directive 2022/2555. It covers 10 technical and organizational domains defined in Article 21, including supply chain security, incident reporting (24h/72h), MFA, encryption, and business continuity. It applies to Essential and Important entities in 18 EU critical sectors.

Who does NIS2 apply to?

NIS2 applies to medium and large organizations in 18 EU critical sectors, including energy, banking, healthcare, transport, and digital infrastructure. Essential Entities typically have 250+ employees or €50M+ turnover; Important Entities have 50+ employees or €10M+ turnover. Organizations in a supplier relationship with covered entities may also face indirect compliance requirements through contractual obligations.

What does Article 21(2)(d) require?

Article 21(2)(d) requires Essential and Important entities to formally assess the cybersecurity posture of every direct ICT supplier and service provider. This means documenting vendor certifications, incident response procedures, data residency, and encryption standards – and retaining that documentation for audit purposes.

Does NIS2 apply to email, SMS, and push notification platforms?

Yes – indirectly. If your organization is an Essential or Important Entity, you must assess the security of any ICT service provider you rely on, including email, SMS, or push notification platforms, under Article 21(2)(d). Your communication vendor must provide security certifications, incident notification procedures, and encryption documentation.

Is there a US equivalent of NIS2?

The US has no direct equivalent, but NIS2 shares principles with NIST CSF, CISA guidance, and sector-specific frameworks such as HIPAA (healthcare) and NERC CIP (energy). For US companies with EU operations or EU customers, NIS2 compliance applies directly to their European entities and supply chain relationships.

What are the penalties for non-compliance?

For Essential Entities: up to €10 million or 2% of global annual turnover, whichever is higher. For Important Entities: up to €7 million or 1.4% of global turnover. NIS2 also introduces personal liability for board members who fail to ensure adequate cybersecurity risk management within their organizations.

Marika Kachelska

Marketing Operations Manager

Marika brings 10+ years of marketing experience to her role at Vercom S.A., where she oversees marketing operations across two CPaaS brands – EmailLabs and MessageFlow.

Her background spans SEO copywriting, content strategy, agency-side e-marketing, and B2B brand management. Today, she sits at the intersection of strategy and execution: coordinating cross-functional projects, managing campaigns from brief to delivery, and building the processes that keep marketing aligned with sales, product, and customer success. She has a particular knack for bringing structure to complex, multi-stakeholder environments.
