NIS2 — GUIDE
NIS2 and HR systems — when HR-tech vendors and their customers fall in scope
NIS2 (Directive (EU) 2022/2555) raised the cybersecurity bar for medium and large entities operating across critical and important sectors. HR-tech vendors are typically captured as digital service providers; their customers may be in scope through their own sector classification, and both sides inherit supply-chain duties under Article 21(2)(d).
Scope basics
NIS2 distinguishes between essential and important entities. Entities of a type listed in Annex I that exceed the thresholds for medium-sized enterprises are essential; entities listed in Annex I or Annex II that do not qualify as essential are important. The size-cap rule excludes micro and small enterprises (fewer than 50 employees AND less than EUR 10 million in annual turnover or balance-sheet total), with a list of exceptions for entities whose disruption would create systemic risk regardless of size.
Where HR-tech lands
- HR-tech SaaS vendors typically fall under Annex II point 6 (digital providers) when above the size threshold — covered as important entities.
- Customers may be in scope through their own sector (banking, energy, public administration, manufacturing of critical products, postal, food, health, etc.) — in which case they must apply NIS2 supply-chain risk management to their HR-tech supplier.
- Out-of-scope customers can still receive supply-chain requirements contractually, because their in-scope partners must manage third-party risk.
Article 21 cybersecurity risk-management measures
NIS2 Article 21(2) requires, at a minimum, the following measures:
- (a) policies on risk analysis and information system security;
- (b) incident handling;
- (c) business continuity and crisis management;
- (d) supply-chain security;
- (e) security in acquisition, development and maintenance;
- (f) policies to assess the effectiveness of the measures;
- (g) basic cyber-hygiene and training;
- (h) cryptography policies;
- (i) access control;
- (j) multi-factor authentication and secured communications.
Incident reporting — the 24/72-hour clock
- Within 24 hours of becoming aware of a significant incident: early warning to the CSIRT or competent authority.
- Within 72 hours: incident notification with initial assessment, severity and impact.
- Within 1 month: final report covering root cause, mitigation and cross-border impact.
Overlap with the EU AI Act
Several EU AI Act obligations are satisfied by the same evidence used for NIS2. Run one control set and map it to both regimes.
- Risk management: AI Act Article 9 risk-management system for high-risk AI maps to NIS2 Article 21(2)(a).
- Cybersecurity of the AI system: AI Act Article 15 (accuracy, robustness, cybersecurity) maps to NIS2 Article 21(2)(e) and (i).
- Supply-chain security: NIS2 Article 21(2)(d) duties become the lever customers use to demand AI Act evidence from HR-tech vendors.
- Incident reporting: AI Act Article 73 serious-incident reporting for high-risk systems runs in parallel with NIS2 Article 23 incident reporting — separate authorities, separate clocks, often overlapping facts.
Sanctions
Under NIS2 Article 34, essential entities face administrative fines up to a maximum of at least EUR 10 million or, where higher, 2% of total worldwide annual turnover; important entities face fines up to a maximum of at least EUR 7 million or, where higher, 1.4% of turnover. Member-State implementations may set higher caps.
What to ship first
- Confirm in-scope status (sector + size).
- Register with the national competent authority (deadline varies by Member State).
- Approve and date a written cybersecurity risk-management policy covering Art 21(2)(a)-(j).
- Add NIS2 supply-chain language to HR-tech contracts (Art 21(2)(d)) and request a subprocessors / sub-supplier list and security attestations.
- Run a tabletop incident-reporting drill against the 24/72-hour/1-month timeline.
Sources
- Directive (EU) 2022/2555 (NIS2), Articles 2, 3, 21, 23, 34 — EUR-Lex: eur-lex.europa.eu/eli/dir/2022/2555/oj
- Regulation (EU) 2024/1689 (EU AI Act), Articles 9, 15, 73 — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
Note: NIS2 is a directive, so national transposing laws may set higher penalties, additional sector scope and earlier registration deadlines. PowerQuant supplies evidence templates and inventories — not legal advice.
PowerQuant Module 1
One inventory and control set you can map against both the EU AI Act and NIS2. Delivered in 5 working days. Fixed fee, no subscription.