Complara is a compliance tracking platform built for startups. It gives you plain-English checklists for frameworks like SOC 2, GDPR, ISO 27001, HIPAA, DORA, NIS2, and vendor security — with evidence management, team collaboration, and readiness reports in one place.

Which compliance frameworks are supported?

SOC 2, GDPR, ISO 27001, HIPAA, DORA, NIS2, EU AI Act, and Vendor Security. Each framework includes a complete checklist with actionable items and guidance. All future frameworks are included on the Pro plan.

How much does Complara cost?

Complara starts with a free 10-day trial. The Pro plan is $10/month with unlimited checklist items, evidence uploads, team invites, and CSV readiness reports. No per-seat fees.

Founders, CTOs, and engineering teams at startups that need to prove compliance to enterprise customers, investors, or regulators — without hiring a consultancy or spending months on spreadsheets.

Can I use Complara for multiple frameworks at once?

Yes. You can track as many frameworks as you need simultaneously. Many startups combine SOC 2 + GDPR, or SOC 2 + ISO 27001, since the controls overlap significantly.

How is Complara different from enterprise GRC tools?

Enterprise GRC platforms cost $10,000+/year, take weeks to configure, and are designed for large compliance teams. Complara is purpose-built for startups: you can set up your first checklist in under 10 minutes, and the interface is simple enough for engineers, not just auditors.

NIS2 Directive Compliance Guide for Startups

Complara Team·2026-04-13·7 min read

The NIS2 Directive (Directive 2022/2555) is the EU’s updated framework for cybersecurity across essential and important sectors. It replaced the original NIS Directive and significantly expanded its scope. Member states were required to transpose it into national law by 17 October 2024, though implementation timelines vary by country.

If your startup operates in the EU or provides digital services to EU organizations in covered sectors, NIS2 likely applies to you.

What Is NIS2?

NIS2 (Network and Information Security Directive 2) sets minimum cybersecurity requirements for organizations across critical and important sectors in the EU. It aims to achieve a high common level of cybersecurity by harmonizing rules, improving incident reporting, and strengthening enforcement.

Key differences from the original NIS Directive:

Much broader scope: Covers 18 sectors (up from 7)
Size-based criteria: Generally applies to medium-sized and large entities (50+ employees or €10M+ turnover), but some entities are included regardless of size
Stricter penalties: Up to €10 million or 2% of global annual turnover
Management accountability: Senior management can be held personally liable
Supply chain security: Explicit requirements to manage third-party risk

Who Does NIS2 Apply To?

NIS2 divides entities into two categories:

Essential entities (higher obligations)

Energy (electricity, oil, gas, hydrogen)
Transport (air, rail, water, road)
Banking and financial market infrastructure
Health (hospitals, labs, pharma, medical devices)
Drinking water and wastewater
Digital infrastructure (DNS, TLD registries, cloud providers, data centers, CDNs, trust services)
ICT service management (B2B) — managed service providers and managed security service providers
Public administration
Space

Important entities (lighter supervision)

Postal and courier services
Waste management
Chemical manufacturing and distribution
Food production and distribution
Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
Digital providers (online marketplaces, search engines, social networks)
Research organizations

For startups: If you provide cloud services, SaaS platforms, managed IT services, or digital infrastructure, you’re very likely in scope. DNS providers, cloud computing providers, and managed service providers are explicitly covered regardless of size in some member states.

NIS2 Compliance Requirements

1. Cybersecurity risk management measures

NIS2 requires “appropriate and proportionate” measures covering at minimum:

Risk analysis and information security policies
Incident handling procedures
Business continuity and crisis management (backups, disaster recovery)
Supply chain security — assessing the security of direct suppliers and service providers
Security in network and information systems acquisition, development, and maintenance (including vulnerability handling and disclosure)
Policies and procedures for assessing cybersecurity risk-management effectiveness
Cybersecurity hygiene practices and training
Cryptography and encryption policies
Human resources security, access control policies, and asset management
Multi-factor authentication and secured communication systems

2. Incident reporting

Significant incidents must be reported to the national CSIRT or competent authority:

Early warning: Within 24 hours of becoming aware of a significant incident
Incident notification: Within 72 hours, including initial assessment of severity and impact
Final report: Within one month, including root cause analysis and mitigation measures

3. Management accountability

Senior management must approve cybersecurity risk management measures and oversee their implementation. They must also undergo cybersecurity training. Management bodies can be held personally liable for non-compliance — this is a significant escalation from the original NIS Directive.

4. Registration

Entities in scope must register with their national competent authority, providing: company name, sector, address, contact details, and the member states where services are provided.

NIS2 Compliance Checklist for Startups

Determine if you’re in scope: Check your sector, size, and whether your member state’s transposition expands the default criteria
Classify as essential or important: This determines your supervision regime and penalty exposure
Conduct a cybersecurity risk assessment: Identify threats, vulnerabilities, and impacts to your network and information systems
Implement the 10 minimum measures: Cover every item in Article 21 (listed above)
Build an incident response process: Meet the 24-hour/72-hour/1-month reporting timelines
Assess supply chain security: Evaluate the cybersecurity practices of your critical vendors
Train management: Ensure leadership understands their accountability and has completed cybersecurity training
Register with your national authority: Complete entity registration once your member state’s process is available
Document everything: Maintain evidence of all measures, assessments, and incident responses

Use Complara’s NIS2 checklist to track each requirement and keep evidence organized for supervisory reviews.

Frequently Asked Questions

Does NIS2 apply to small startups?

Generally, NIS2 applies to medium-sized entities (50+ employees or €10M+ turnover). However, some categories are in scope regardless of size: DNS providers, TLD registries, cloud computing service providers, data center providers, trust service providers, and publicly available electronic communications providers. Check your member state’s transposition for specifics.

How does NIS2 relate to DORA?

DORA is sector-specific legislation for financial services and takes precedence over NIS2 for entities in its scope. If you’re subject to DORA, its ICT risk management and incident reporting requirements supersede NIS2’s. If you serve both financial and non-financial sectors, you may need to comply with both.

What are the penalties for non-compliance?

For essential entities: up to €10 million or 2% of global annual turnover. For important entities: up to €7 million or 1.4% of global annual turnover. Member states may impose additional sanctions including suspension of certifications and temporary management bans.