
Is Your IT Company Required to Comply with NIS2 and the Law on Security of Network and Information Systems?

  • Writer: Gjorgji Isaevski
  • Feb 26

If you provide digital services, work with banks, or operate within critical infrastructure, your company may be subject to legal obligations under the new Law on Security of Network and Information Systems.


This guide will help you understand:


  • Which companies fall under the law?

  • How does the regulation classify medium and large entities?

  • What obligations must you implement?

  • What are the consequences of non-compliance?



What Is NIS2 and Why Is It Important for IT Companies in North Macedonia?


NIS2 is a European directive on the security of network and information systems, adopted to strengthen cybersecurity across critical infrastructure throughout Europe.


The new legal framework in North Macedonia represents a national implementation of the NIS2 Directive and entered into force on 01 January 2026. The law establishes legal obligations for companies providing critical digital services and infrastructure, with the aim of:

  • Improving cybersecurity – by introducing standards, risk management, and preventive measures

  • Protecting critical infrastructure – including cloud providers, data centers, banks, energy, and other essential sectors

  • Reducing the risk of digital incidents – vulnerabilities, hacking, downtime

  • Imposing risk management and management accountability obligations – executives bear legal responsibility for implementing measures


It is important to understand that this is not only an IT issue, but also a management and legal obligation. Every CEO, CTO, or managing director of an IT company should determine whether their company falls within the scope of the law and what measures must be taken.


Which Companies Are Subject to the Law?

The Law applies to a broad range of entities, including private companies, if they operate in certain critical sectors or meet specific criteria.


Under Article 4(2), the provisions apply to medium and large entities providing services in the following critical areas, particularly relevant for the technology industry:


  • Banking and Financial Market: Banks and other financial institutions.

  • Digital infrastructure: a broad category including Internet exchange point providers, DNS service providers, the entity managing the national top-level domains (.mk and .mkd), cloud computing service providers, data center service providers, content delivery network providers, trust service providers, and providers/operators of public electronic communications networks and services.

  • ICT Service Management (B2B): Companies providing ICT services to other businesses.

  • Manufacturing: Production of computer, electronic and optical products, electrical equipment, machinery, motor vehicles, and other transport equipment.

  • Digital Service Providers: Online marketplaces, online search engines, and social networking platforms.

  • Research: Entities conducting applied research or experimental development for commercial purposes.


Additionally, the Law applies to all legal entities registered in the Republic if, among other conditions, they:

  • Are trust service providers

  • Manage the national top-level domain registry

  • Are the sole provider of an essential service

  • Provide services that significantly impact public security or create systemic risks


The next step is determining whether the company qualifies as a medium or large entity, as this determines the intensity of obligations.


How to Determine Whether the Law Applies to You – Explained Through Examples


To make this complex law clearer for the IT industry in North Macedonia, we will use two hypothetical examples: one medium entity in digital infrastructure and one large entity in the banking sector.


I. Example No. 1 – Medium Entity in Digital Infrastructure


  1. Company: “Informatic Sector LLC”

  2. Activity: Computer infrastructure, data processing, server services (cloud computing provider)

  3. Financial and HR data (hypothetical, last two financial years):

    • Average employees: 180 (below 250)

    • Annual revenue: €7,500,000 (below €10,000,000)

    • Average total assets: €8,000,000 (below €11,000,000)

  4. Why Is It a Medium Entity and Subject to the Law?

    • It meets the criteria for a medium-sized trader under the Company Law.

    • It operates in a critical sector (“Digital Infrastructure”).

    • As a medium entity in a critical sector, it falls under the Law.

    • It would likely be classified as an Important Entity.

  5. Obligations of an Important Entity

    The company must implement appropriate technical, operational, and organizational risk management measures, including:

    • Risk and information system security analysis

    • Incident handling and business continuity

    • Supply chain security

    • Basic cyber hygiene practices and cybersecurity training

    • Mandatory reporting of significant cybersecurity incidents within legal deadlines

    • Compliance documentation


II. Example No. 2 – Large Entity in the Banking Sector

  1. Company: “Banking Sector AD”

  2. Activity: Commercial banking

  3. Financial and HR data (hypothetical):

    • Average employees: 400 (above 250)

    • Annual revenue: €35,000,000

    • Average total assets: €40,000,000

  4. Why Is It a Large Entity and Subject to the Law?

    • It exceeds all medium-size thresholds and is classified as a large entity.

    • As a bank, it explicitly falls under the “Banking” critical sector.

    • It would be classified as an Essential Entity.

  5. Obligations of an Essential Entity

    In addition to risk management and incident reporting obligations, it must:

    • Appoint or engage a cybersecurity officer

    • Provide regular training for management and employees

    • Be subject to enhanced supervision, including on-site inspections and independent security audits

    • Follow strict systemic procedures and reporting obligations

Important vs. Essential Entity – Key Differences


  Important Entity             | Essential Entity
  -----------------------------|-----------------------------
  Medium companies             | Large companies
  Lower supervision intensity  | Higher supervision intensity
  Basic security obligations   | Strict systemic obligations
  Inspection controls          | Deep regulatory monitoring

Both categories must implement cybersecurity measures, but essential entities are subject to stricter oversight.


Self-Check: Does the Law Apply to Your Company?


Ask yourself:


  • Do you have more than 50 employees?

  • Is your annual revenue between €2,000,000 and €10,000,000, or higher?

  • Do you provide cloud, SaaS, or IT infrastructure services?

  • Do you work with banks, public institutions, or critical sectors?

  • Do you have a formal risk management framework?


If you answered “yes” to several of these questions, a legal and compliance assessment is strongly recommended.


What Are the Risks of Non-Compliance?

  • Financial penalties and regulatory measures

  • Reputational damage

  • Personal liability of managers

  • Increased exposure to unmanaged cybersecurity incidents


Why Should IT Companies Act Immediately?


The law does not distinguish between startups and large companies. If you provide critical digital services and meet the criteria, you fall within the NIS2 framework.


Prevention and timely assessment are significantly safer than reacting after an inspection.


*

CONCLUSION

NIS2 and the new Law on Security of Network and Information Systems introduce:


  • New obligations for IT companies

  • New cybersecurity standards

  • Management and director liability


The first step is a legal analysis to determine your status: Important or Essential Entity. Timely assessment reduces the risk of penalties, regulatory oversight, and reputational damage.


Contact us if you wish to conduct a risk assessment and determine your company’s compliance status.


**

Frequently Asked Questions (FAQ)


Does a startup with fewer than 50 employees fall under the law?

Generally no, unless it provides critical services or is explicitly designated as an important entity.

Does an outsourcing IT company fall within a critical sector?

Yes, if it provides infrastructure or cloud services to critical sectors.

Does the law apply to companies working with foreign clients?

Yes. The location of clients does not exclude the application of the law.

Who performs supervision?

The competent national authority designated by law.

How quickly should we comply?

As soon as possible, before inspection procedures begin, to avoid sanctions.


***

Note: This text has been prepared solely for informational purposes and cannot be considered legal advice or guidance for specific actions. Legal matters are complex, and each case has its own unique circumstances that must be assessed individually. For this reason, it is recommended to consult a qualified attorney who can provide tailored legal solutions to your specific situation.

© 2024 by Law office Isaevski
