I need to talk about something that almost nobody in the American small business world is paying attention to. And by the time most people notice, it's going to be expensive.
NIS2 enforcement went active this month. If that sentence means nothing to you, keep reading. It should.
NIS2 is the European Union's updated cybersecurity directive (Directive (EU) 2022/2555). It was adopted in December 2022, member states had until 17 October 2024 to transpose it into national law, and as of April 2026, EU regulators are now actively supervising and enforcing. This isn't a draft. It's not a proposal. It's not "coming soon." Regulators in Germany, France, the Netherlands, and others are now conducting audits, issuing notices, and they have the authority to levy fines of up to 10 million euros or 2% of global annual turnover, whichever is higher, on essential entities (important entities face up to 7 million euros or 1.4%).
I run a company that manages IT and cybersecurity for over 100 businesses. Most of them are in Ohio. Most of them are between 20 and 200 employees. And I can tell you right now -- NIS2 enforcement for small business is something almost none of them had on their radar until I brought it up.
Why Should an Ohio Business Care About EU Regulation?
Here's the part that catches people off guard. NIS2 places its legal obligations on the in-scope entities in the EU, but one of those obligations (Article 21) is to manage the security of their own supply chain. The directive never names an Ohio supplier, and it doesn't have to: the regulated company has to assess and manage your risk, and that work lands on you as contract clauses and questionnaires.
If you sell parts to a manufacturer with plants in Germany, you're in that supply chain. If you provide software or services to a company that has EU customers, you're in the supply chain. If your SaaS vendor processes data for EU entities and you're one of their customers, congratulations -- you're now part of someone else's compliance obligation.
I had a client last month, a mid-size manufacturer in central Ohio, who got a questionnaire from one of their European distribution partners. It was 47 pages of cybersecurity requirements. Incident response plans. Access control documentation. Evidence of supply chain risk assessments. They had none of it. They called me in a panic.
That's going to become a very common phone call over the next 12 months.
The 72-Hour Rule That Changes Everything
One of the headline requirements under NIS2 (Article 23) is mandatory reporting of significant incidents on a fixed clock: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours that includes an initial assessment of severity and impact, and a final report within one month. The 72-hour figure gets the headlines, but the clock actually starts at 24. Not 72 hours to figure out what happened. Not 72 hours to draft a press release. Seventy-two hours to tell the authorities, with an initial assessment, that you've had a significant cybersecurity incident.
For most small businesses I work with, that timeline is terrifying. Not because 72 hours is unreasonable -- it's perfectly reasonable -- but because most of them don't even have the visibility to know they've been breached within 72 days, let alone 72 hours.
I've walked into environments where ransomware had been sitting dormant on the network for weeks before anyone noticed. I've seen credential theft that went undetected for months because nobody was actually watching the logs. If you can't detect an incident, you can't report it. And if your EU partner can't report it because you didn't tell them, that's their regulatory problem -- and your relationship problem.
The businesses that survive this shift are the ones that already have real-time monitoring, actual incident response procedures, and someone watching the screens at 2 AM when the alerts fire. Not the ones running antivirus and hoping for the best.
Personal Liability for Management
This is the one that gets executives' attention. Under NIS2 (Article 20), the management bodies of in-scope entities -- boards, C-suite, senior leadership -- must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. Member states can go as far as temporarily barring a CEO or legal representative of an essential entity from exercising managerial functions. Personally. Liable.
That's not a theoretical risk. The liability sits with the leadership of the regulated EU entity, not with your executives in Ohio, but that is exactly why it matters to you: the people who have to sign off on supplier risk management at your EU customer now have a personal stake in whether you can answer the questionnaire. If your lack of cybersecurity posture contributes to an incident at their company, the downstream consequences don't stop at your company's borders.
I've spent 15 years watching business owners treat cybersecurity as an IT problem. Something they delegate to their tech guy and never think about again. NIS2 makes it explicitly a leadership problem. The regulation requires that management approve cybersecurity risk management measures, oversee their implementation, and -- here's the kicker -- undergo cybersecurity training themselves.
Not their IT team. Them. The people signing the checks and making the decisions.
I actually love this provision. Not because I enjoy watching executives squirm, but because it's been true all along. Cybersecurity has always been a business decision, not a technical one. NIS2 just puts it in writing and attaches a fine.
Supply Chain Security Is No Longer Optional
The supply chain provisions in NIS2 are what make this different from every other regulation I've seen. It's not enough to secure your own house. You have to assess and manage the cybersecurity risk of your suppliers, your service providers, and your critical vendors.
Think about what that means practically. If you're a supplier to a company that falls under NIS2, they're now obligated to evaluate your security posture. They're going to ask you for documentation. They're going to want to see your incident response plan, your access controls, your patch management process, your backup strategy. And if you can't produce it, they have two options: help you get compliant or find a different supplier.
I've already seen this start to happen. European companies are sending cybersecurity assessment questionnaires to their American vendors. Insurance companies are tightening their underwriting requirements. Large enterprises are adding NIS2 compliance clauses to their supplier contracts.
If you're a small business and you think you're too small to matter, I'd challenge that assumption. You're not too small to be in someone's supply chain. You're not too small to be a vector for an attack that hits someone bigger. And you're definitely not too small to lose a contract because you couldn't answer a 47-page cybersecurity questionnaire.
What You Should Be Doing About It
If you haven't heard about this from your IT services provider, I'll do their job for you. Here's what you need to be doing:
First, know your exposure. Map your customer and vendor relationships. Do any of them operate in the EU or serve EU customers? If yes, you're likely in scope for someone's supply chain risk assessment. Start there.
Second, get the basics documented. Incident response plan. Access control policy. Patch management process. Business continuity plan. Most small businesses have some version of these things but nothing written down. Written documentation is no longer optional -- it's what gets handed to auditors and partners.
Third, invest in actual detection. Not just prevention tools. Detection. You need to know when something bad is happening on your network within hours, not weeks. That means real monitoring, real log analysis, and someone actually responding to alerts. This is what we do every day at SkyNet MTS -- not because of NIS2, but because it's what actually works.
Fourth, train your leadership. NIS2 explicitly requires it, and even if you're not directly regulated, the companies asking you to prove your security posture are going to want to see that your leadership understands what they're approving.
The Bigger Picture
Here's what I think is really happening. The EU is setting the global standard for cybersecurity regulation, just like they did with data privacy through GDPR. American businesses ignored GDPR for years, and then one day their marketing team couldn't run email campaigns in Europe without a privacy policy overhaul. NIS2 is the cybersecurity version of that wake-up call.
The American regulatory landscape is still fragmented. We've got state-level laws, industry-specific frameworks, and a patchwork of compliance requirements that let most small businesses fly under the radar. NIS2 doesn't care about your radar. It cares about the supply chain. And supply chains are global.
I see this stuff before most people do because I'm in the middle of it every day — managing networks, watching threat intelligence, and fielding calls from business owners who just got their first cybersecurity questionnaire from a European partner and don't know where to start. If your IT provider isn't bringing this to your attention, that should tell you something. The businesses that take this seriously now will be the ones winning contracts 18 months from now while their competitors are scrambling to catch up.
NIS2 enforcement is here. Your supply chain just became a liability. The question is whether you're going to treat it like one -- or wait until someone else makes that decision for you.