NIS2 (Network and Information Security Directive 2) came into EU law in October 2024. Unlike GDPR, which targets data protection, NIS2 targets operational resilience and cybersecurity. It expands coverage to over 160,000 entities across 18 sectors — and software companies are directly in scope.

Who Is Covered?

NIS2 applies to "essential" and "important" entities across sectors including:

- Digital infrastructure (cloud providers, DNS, CDNs, datacenters)
- Digital services (online marketplaces, search engines, social networks)
- ICT service management (managed service providers, SaaS)
- Public administration

If your SaaS has 50+ employees or €10M+ annual turnover, you're likely an "important entity." Violations carry fines up to €7M or 1.4% of global turnover.

The 10 Core Technical Requirements

NIS2 Article 21 mandates ten specific security measures. Here's what they mean technically:

1. Risk Analysis and Information Security Policy

You need a documented risk register.…