What NIS2 Means for Your IoT Connectivity (and What Most Providers Ignore)

NIS2 affects how you connect, monitor, and secure IoT devices. Learn which requirements apply to SIM-based connectivity and the questions your provider should answer.

TL;DR

NIS2 is enforceable across the EU and extends to every network connection supporting critical services, including SIM-based IoT connectivity. Most providers treat SIM cards as a telecom line item, not a security concern. This article breaks down the four NIS2 requirements that directly affect IoT connectivity and what to look for in a provider that supports compliance rather than complicating it.

Your IoT devices are connected. But are they compliant?

The EU's NIS2 directive became enforceable in October 2024. By early 2026, Germany, the Netherlands, and several other member states have enacted national legislation. Others, including Norway and Sweden, are still working through transposition. The European Commission sent formal warnings to 19 member states in May 2025 for failing to transpose the directive on time. Fines for non-compliant organizations reach up to 10 million euros or 2% of global annual revenue.

If your company operates in energy, transport, water, manufacturing, or digital infrastructure, NIS2 applies to you. And it does not stop at your IT systems. It extends to every network connection that supports critical services, including the SIM-based connectivity running your IoT and OT devices.

This is where the gap appears.

SIM connectivity is part of your attack surface

Most organizations treat their SIM cards as a telecom line item. They order SIMs, insert them, and move on. But under NIS2, every network connection that touches critical infrastructure must be secured, monitored, and documented.

Think about what your IoT SIMs are doing right now. They connect sensors in substations, monitoring equipment at water treatment plants, access control systems in buildings, and charging stations on public roads. Each of those connections is a potential entry point. And if you have no visibility into what those devices are communicating with, you have a compliance problem.

NIS2 is specific about this. Article 21 requires organizations to implement risk management measures across their network and information systems. That includes access control, incident detection, and supply chain security for every connection, including cellular.

Learn how IXT SecureNet keeps IoT traffic off the public internet.

Which NIS2 requirements affect IoT connectivity?

Here is where it gets practical. These are the requirements that matter most for anyone running SIM-connected devices in regulated sectors.

1. Risk management across all network systems

NIS2 requires a risk-based approach to every system that supports critical operations. If your IoT devices send data over the public internet with no segmentation, no private networking, and no traffic controls, that is a documented risk. Your connectivity provider should offer private APN, encrypted tunnels, or direct cloud connectivity as standard options, not premium add-ons.

2. Access control and reduced implicit trust

Traditional SIM connectivity is based on implicit trust. A device gets a SIM, connects to the network, and has access. NIS2 asks a harder question: who authorized that device to connect, and what is it allowed to reach? If your connectivity setup gives every device the same level of access, your architecture works against compliance.

This is where Zero Trust principles become relevant. Rather than granting broad network access by default, a Zero Trust approach verifies every connection and limits what each device is allowed to reach. No implicit trust. No open network paths.

What is Zero Trust for IoT? Read our introductory guide.

3. Supply chain security

This is the one that surprises people. NIS2 requires organizations to vet and monitor their suppliers, including SIM providers. Your connectivity partner is part of your supply chain. Their security posture, their data handling practices, and their infrastructure choices all affect your compliance. If your provider routes IoT traffic over the public internet by default or offers no visibility into network events, that becomes your problem during an audit.

According to the European Commission, NIS2 covers 18 critical sectors and applies to both large and medium-sized organizations within those sectors. The directive places specific emphasis on supply chain security, requiring entities to assess and manage risks from their direct suppliers and service providers.

4. Incident detection and reporting

Under NIS2, organizations must report significant incidents within 24 hours and provide detailed follow-up within 72 hours. For IoT environments, this means you need real-time data on device status, network events, and traffic patterns. If your connectivity management platform delivers usage data with a 24 to 48 hour delay, you are already behind the reporting timeline before you start investigating.

See how IXT CMP delivers real-time device visibility.

The question most providers do not answer

Here is what we see in the market: most IoT SIM providers talk about coverage, pricing, and data plans. Few talk about what happens to your traffic between the device and your cloud. Even fewer address how their architecture supports your compliance requirements.

The question worth asking your current provider: does your IoT connectivity architecture help or hinder our NIS2 compliance posture?

If the answer involves routing data over the public internet, limited visibility into device communications, or delayed usage data, there is a gap between what NIS2 expects and what your infrastructure delivers.

What NIS2-aligned IoT connectivity looks like

A connectivity setup aligned with NIS2 does not require you to rearchitect everything. But it does require a few things.

Private networking that keeps IoT traffic off the public internet. This removes the most obvious attack vector and simplifies your risk assessment.

Real-time visibility into what your devices are doing. Not yesterday's data. Now. If a device starts communicating with an unexpected endpoint, you want to know immediately, not two days later.

Documented security controls that map to NIS2 obligations. Your connectivity provider should be able to show how their infrastructure supports access control, incident detection, and supply chain security requirements.

A clear path from today's setup to a Zero Trust architecture. NIS2 does not mention Zero Trust by name, but its requirements (no implicit trust, verified access, limited blast radius) describe exactly what Zero Trust delivers.
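As an added illustration (not IXT's code, and not a description of the SecureNet or CMP products) of the per-device access scoping from point 2 and the unexpected-endpoint and stale-data checks above: a default-deny destination policy per SIM, evaluated over a constructed flow export. The ICCIDs, the CSV layout, the network ranges and the one-hour freshness threshold are all assumptions made for the example.

```python
"""Added illustration, not IXT code: default-deny destination policy per SIM,
evaluated over constructed connectivity flow records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed policy keyed by ICCID: each device may reach only these networks.
POLICY = {
    "8944000000000000001": ["10.20.0.0/24"],                    # substation sensor -> SCADA collector
    "8944000000000000002": ["10.30.5.10/32", "10.30.5.11/32"],  # water monitor -> two historians
}

# Constructed flow export: timestamp,ICCID,destination IP,destination port
LOG = """2026-02-10T09:00:05+00:00,8944000000000000001,10.20.0.15,502
2026-02-10T09:00:07+00:00,8944000000000000001,203.0.113.7,443
2026-02-10T09:00:09+00:00,8944000000000000002,10.30.5.11,4840
2026-02-10T09:00:12+00:00,8944000000000000003,10.20.0.15,502
2026-02-08T09:00:12+00:00,8944000000000000002,10.30.5.10,4840"""
NOW = datetime.fromisoformat("2026-02-10T09:01:00+00:00")

@dataclass
class Flow:
    ts: datetime
    iccid: str
    dst: str
    dport: int

def parse_flow(line):
    ts, iccid, dst, dport = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), iccid, dst, int(dport))

def evaluate(flows, policy, now, max_delay=timedelta(hours=1)):
    # Returns (iccid, finding, destination); anything not explicitly allowed is flagged.
    alerts = []
    for f in flows:
        allowed = [ipaddress.ip_network(n) for n in policy.get(f.iccid, [])]
        if not allowed:
            alerts.append((f.iccid, "unknown_device", f.dst))       # SIM with no authorization record
        elif not any(ipaddress.ip_address(f.dst) in n for n in allowed):
            alerts.append((f.iccid, "unexpected_endpoint", f.dst))  # reach beyond the device's scope
        if now - f.ts > max_delay:
            alerts.append((f.iccid, "stale_record", f.dst))        # data too old to feed a 24h early warning
    return alerts

def run():
    return evaluate([parse_flow(l) for l in LOG.splitlines()], POLICY, NOW)

if __name__ == "__main__":
    for a in run():
        print(*a)
```

Of the five constructed records, one device reaches a destination outside its scope, one SIM has no authorization record at all, and one record is two days old; the allowed flows produce no finding.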

The timing matters

NIS2 enforcement is not a future concern. It is happening now. Companies that treat SIM connectivity as a compliance afterthought will spend more time and resources fixing gaps under pressure than those who address it proactively.

If you run IoT devices in regulated sectors across Europe, this is a good time to review how your connectivity setup maps to NIS2 requirements. Start with the four areas above. Ask your provider the hard questions. And if the answers do not satisfy you, it is worth exploring alternatives built for this reality.

About IXT

IXT is a Full MVNO built for IoT. We deliver secure, global connectivity through a single SIM that works across 600+ networks in 190+ countries. Our SecureNet platform keeps IoT traffic off the public internet with private APNs, encrypted VPN tunnels, and direct cloud integrations. Our Connectivity Management Platform provides real-time visibility into every connected device. Built for European compliance requirements, designed for operations that need connectivity they do not have to worry about.

Ready to see how it works? Book a demo.

FAQ section

Does NIS2 apply to IoT SIM connectivity?

Yes. NIS2 requires organizations to implement security measures across all network and information systems that support critical services. In OT and IoT environments, SIM-based cellular connectivity is part of that attack surface. The directive also requires organizations to vet and monitor their suppliers, which includes SIM and connectivity providers.

What NIS2 requirements are most relevant for IoT deployments?

Four NIS2 requirements directly affect IoT connectivity: risk management across all network systems (Article 21), access control with reduced implicit trust, supply chain security including supplier vetting, and incident detection with 24-hour initial reporting and 72-hour follow-up reporting timelines.

How does private networking support NIS2 compliance?

Private networking, such as private APNs and encrypted VPN tunnels, keeps IoT traffic off the public internet. This reduces the attack surface, simplifies risk assessments, and supports NIS2 requirements for network segmentation and controlled data routing. It also creates documented security controls for audit readiness.

What is the penalty for NIS2 non-compliance?

Essential entities face fines of up to 10 million euros or 2% of total annual global revenue, whichever is higher. Important entities face fines of up to 7 million euros or 1.4% of annual revenue. Senior management is held personally liable for cybersecurity measures under NIS2.

Which countries have implemented NIS2 into national law?

As of early 2026, around half of EU member states have transposed NIS2, including Germany, Belgium, Italy, Croatia, Denmark, Finland, and others. The European Commission sent formal warnings to 19 member states in May 2025 for delays. Norway is at an early stage of transposition. Enforcement timelines vary by country, but compliance pressure is increasing across Europe.