
NIS2 & GDPR Readiness

Shadow IT in SMEs: Why discovering your SaaS environment matters for NIS2 and GDPR


What NIS2 Means for SaaS Visibility

The Network and Information Security Directive 2 (NIS2) is one of the most significant cybersecurity regulations introduced in the European Union in recent years. It expands the scope of the original directive and requires a much broader range of organizations to implement structured cybersecurity risk management practices. 

One of the most important shifts introduced by NIS2 is accountability.

Under the directive, management bodies can be held personally responsible for cybersecurity governance and risk oversight. This means executives are no longer responsible only for strategy and operations; they are also expected to understand:

  • which systems the organization relies on
  • which vendors handle company data
  • how risks are identified, monitored, and managed

In theory, this sounds straightforward.

But in practice, many organizations encounter a fundamental challenge long before they implement any controls: visibility.

Modern companies rely heavily on cloud software and SaaS platforms. At the same time, employees can adopt these tools independently — often without formal IT involvement or centralized approval.

This creates a critical gap.

Regulations like NIS2 assume that organizations have a clear overview of their systems and vendors. But in reality, many companies are operating in environments where parts of their software ecosystem are simply not visible.

As a result, software visibility — especially SaaS visibility — has become a foundational step in regulatory readiness.


The Visibility Gap Behind NIS2 Compliance

When organizations begin preparing for NIS2 or reviewing their GDPR responsibilities, they often start with a basic question: "Do we actually know which systems we are using?"

For many, the answer is less clear than expected. What begins as a compliance exercise often turns into a discovery process. Teams realize that software has been adopted across the organization over time by different departments, for different purposes, and without centralized tracking.

  • A marketing team may use tools that IT has never reviewed.
  • Finance may rely on SaaS platforms that are not part of official procurement.
  • HR may still have active accounts in systems tied to former employees.

This is not necessarily the result of poor governance. It is the natural outcome of how modern SaaS works:

  • tools are easy to access
  • onboarding is instant
  • experimentation is encouraged

But this decentralized adoption creates a gap between what organizations believe they are managing and what is actually being used. That gap has a name.

Shadow IT: The Software Your Company Uses — But Doesn't Know About

You might not have heard the term Shadow IT before, but you've probably already experienced it in your organization.

 A marketing manager signs up for a new analytics platform. She is in a hurry, so she uses her private card. It takes less than a minute to create the account and connect company CRM data. 

An HR manager tries a free recruitment tool recommended by a colleague. It works great. Months later, she leaves the company — but the account remains active, still storing applicant data covered under GDPR. 

A finance team experiments with a SaaS budgeting tool to speed up reporting.

Each decision makes sense. Each tool solves a real problem. But over time, something changes. Nobody in the company has a complete picture anymore. This situation is extremely common in modern organizations. Cloud software is so easy to adopt that employees can introduce new applications without any formal approval or IT involvement. This phenomenon is known as Shadow IT.

Instead of appearing in official software inventories, these tools operate quietly in the background — still accessing company data, still storing information, and still a potential liability under frameworks such as GDPR or NIS2. Research shows that a large share of SaaS services used within companies are introduced outside formal IT processes, creating significant visibility gaps across organizations.

For small and medium-sized businesses, this raises a difficult question:

How can we manage security, cost control, and regulatory obligations if we cannot fully see our software environment?

Understanding Shadow IT is the first step.

What is Shadow IT, and why does it matter?

Shadow IT refers to software or digital services used within an organization without the knowledge or approval of IT or leadership. Today, it most commonly appears in the form of SaaS applications. Employees adopt these tools because they solve problems quickly:

  • project collaboration
  • analytics dashboards
  • design tools
  • finance automation
  • HR platforms

From an employee perspective, the decision is logical. They want to work faster. However, when software adoption happens outside oversight, companies lose visibility into their digital environment, and that visibility gap is exactly what makes compliance with frameworks like NIS2 and GDPR more difficult. Without that visibility, organizations cannot:

  • evaluate security risks
  • control software costs
  • manage access permissions
  • assess third-party vendors
  • or demonstrate compliance

In other words:
Shadow IT is not just an IT issue.

It is a visibility problem — and a compliance risk.

Ready to take full control of your SaaS environment?

Try Substly for 30 days. Totally free, no strings attached.

Start your free trial

A Practical SaaS Visibility Process


Once organizations realize Shadow IT may exist, the next step is SaaS discovery.

SaaS discovery means identifying which applications are actually used across the organization — regardless of whether they were officially approved. Because SaaS adoption happens continuously, this process usually evolves into an ongoing SaaS management practice.

A structured SaaS discovery process typically involves several stages.


Audit — Inventory All SaaS Applications

The first step is identifying which SaaS tools employees are using.

Because SaaS applications can be adopted quickly, manual tracking often becomes unreliable. Many organizations therefore use automated discovery tools that detect applications across the environment.

The goal of this stage is to build a complete SaaS inventory.


Monitor — Detect New Tools Continuously

SaaS adoption never stops.

Employees regularly test new tools to improve workflows, which means the SaaS environment constantly evolves.

Continuous monitoring helps organizations detect new services as they appear, preventing Shadow IT from growing unnoticed.


Analyze — Understand Usage and Data Access

Once tools are identified, organizations need to understand:

  • who uses each application
  • what level of data access the application has

This stage often reveals surprising insights.

Companies frequently discover:

  • duplicate tools across departments
  • unused subscriptions still renewing
  • accounts belonging to former employees
  • services with extensive access to company data

Review — Assess Compliance and Risk

Each discovered service should be reviewed to understand:

  • whether it processes personal data (PII)
  • whether the vendor meets security requirements
  • whether the tool is business critical
  • whether access permissions are appropriate

This step is particularly important for GDPR and NIS2 readiness, where organizations must demonstrate control over systems handling data.

Optimize — Reduce Waste and Improve Governance

Finally, organizations can streamline their SaaS environment by:

  • removing redundant tools
  • consolidating platforms
  • eliminating unused licenses
  • improving vendor governance

This stage often delivers both cost savings and improved security oversight.
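The Audit, Analyze and Review stages above, as an added example that is not Substly's code or the article's: it merges constructed identity-provider sign-ins, OAuth grants and card expense lines into one inventory, then flags unapproved apps, accounts tied to former employees, broad data access and paid subscriptions nobody signs into. The approved list, offboarding list, scope names and 90-day staleness window are assumptions.

```python
from collections import defaultdict
from datetime import date
# Constructed sample inputs (not from the article): IdP sign-ins, OAuth grants, expenses.
APPROVED = {"crm.example"}                    # assumed official inventory
FORMER_EMPLOYEES = {"hr.lead@acme.example"}   # assumed offboarding list
TODAY = date(2024, 6, 30)
BROAD_SCOPES = {"crm.read_all", "files.read_all"}  # assumed "extensive access"
IDP_SIGNINS = [  # (user, app, last sign-in date)
    ("marketing@acme.example", "analytics.example", date(2024, 6, 28)),
    ("hr.lead@acme.example", "recruit.example", date(2024, 2, 1)),
    ("finance@acme.example", "crm.example", date(2024, 6, 29)),
]
OAUTH_GRANTS = [  # (app, scopes granted against the company workspace)
    ("analytics.example", {"crm.read_all", "files.read_all"}),
    ("recruit.example", {"profile"}),
]
EXPENSES = [  # (card holder, app, monthly amount)
    ("marketing@acme.example", "analytics.example", 49.0),
    ("finance@acme.example", "budget.example", 30.0),
]

def build_inventory():
    """Audit: merge every evidence source into one app -> facts map."""
    inv = defaultdict(lambda: {"users": set(), "last_seen": None,
                               "scopes": set(), "spend": 0.0})
    for user, app, seen in IDP_SIGNINS:
        inv[app]["users"].add(user)
        last = inv[app]["last_seen"]
        inv[app]["last_seen"] = seen if last is None or seen > last else last
    for app, scopes in OAUTH_GRANTS:
        inv[app]["scopes"] |= scopes
    for holder, app, amount in EXPENSES:
        inv[app]["users"].add(holder)   # a card payment is evidence of use too
        inv[app]["spend"] += amount
    return dict(inv)

def review(inv, stale_days=90):
    """Analyze/Review: flag the findings the article says discovery surfaces."""
    findings = defaultdict(list)
    for app, facts in inv.items():
        if app not in APPROVED:
            findings["shadow"].append(app)
        if facts["users"] & FORMER_EMPLOYEES:
            findings["former_employee"].append(app)
        if facts["scopes"] & BROAD_SCOPES:
            findings["broad_access"].append(app)
        stale = facts["last_seen"] is None or (TODAY - facts["last_seen"]).days > stale_days
        if facts["spend"] > 0 and stale:
            findings["unused_paid"].append(app)
    return dict(findings)
```

Each flagged category maps to a list item from the Analyze and Review stages, so the output doubles as the worklist for the Optimize step.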

Unmanaged Shadow IT Is a Ticking Time Bomb

When you lack visibility into your SaaS environment, risks accumulate — often without anyone realizing it.

The overarching problem is simple:

Organizations may not know what data is stored, where it is stored, or what access external services have to internal systems. Without a structured review process, risky services can slip through unnoticed. Several types of risks commonly emerge.

Security Risks

Unknown SaaS tools may access sensitive company data without proper evaluation.

Security risks include:

  • applications gaining broad access to company workspaces via OAuth or API permissions
  • personal data being stored in tools that have not been vetted for GDPR compliance
  • services with weak authentication or security controls
  • unknown vendors processing company or customer information

Without visibility, security teams cannot properly assess or mitigate these risks.

Compliance Risks

Shadow IT can also make regulatory compliance extremely difficult.

Modern frameworks such as GDPR and NIS2 require organizations to understand:

  • which systems process personal data
  • where that data is stored
  • which services are business critical
  • who has access to those systems

In practice, not knowing what services your organization is actually using makes compliance impossible.

Financial Risks

Shadow IT often leads to uncontrolled SaaS spending.

Over time, companies commonly discover:

  • multiple tools solving the same problem
  • subscriptions purchased independently by different teams
  • unused licenses continuing to renew
This is why organizations increasingly adopt SaaS management practices — structured processes for discovering, monitoring, and optimizing software usage across the company.

Why SMEs need lightweight tools to detect Shadow SaaS

SaaS visibility is necessary for security, cost control, and compliance readiness. However, manually tracking software across departments is extremely difficult. This is why SMEs increasingly rely on lightweight tools that help detect Shadow SaaS.

A well-designed SaaS discovery platform can help organizations:

  • automatically detect new SaaS tools
  • monitor and optimize SaaS usage
  • identify waste, overlap, and unused licenses

By improving visibility, organizations can not only strengthen compliance readiness, but also manage their SaaS environment more effectively overall.

How Substly Helps Organizations Discover Shadow IT

Once organizations recognize the importance of SaaS visibility, the next step is implementing tools that provide it. Substly is a SaaS management platform designed to help companies discover and manage their SaaS environment.

With Substly, organizations can:

  • discover Shadow IT across their organization
  • monitor SaaS usage and licenses
  • identify redundant or unused software
  • improve visibility for NIS2 and GDPR readiness
  • manage SaaS access more effectively

By providing transparency into SaaS environments, SaaS management platforms help companies move from reactive IT management to proactive governance.

Take Control of Your SaaS Environment

Shadow IT is not unusual.

In fact, it is often a natural result of teams exploring new tools to improve productivity.

The goal is not to stop innovation.

The goal is to make the software environment visible, manageable, and secure.

Understanding your SaaS environment helps your organization:

  • strengthen security
  • reduce software waste
  • improve regulatory readiness
  • maintain better control over data and access

Substly helps organizations discover Shadow IT, monitor SaaS usage, and gain clarity across their digital environment.


Got questions? We’ve got the answers.

What is Shadow IT?

Shadow IT refers to software or digital services used within an organization without the knowledge or approval of IT or leadership. Today, it most commonly appears in the form of SaaS tools employees adopt independently.

Why is Shadow IT a problem for compliance?

Frameworks such as GDPR and NIS2 require organizations to understand which systems process data, who has access to them, and which vendors handle sensitive information. If unknown SaaS tools are in use, organizations cannot accurately demonstrate compliance.

What is SaaS discovery?

SaaS discovery is the process of identifying all cloud software used across an organization — including tools that were not officially approved.

What is SaaS management?

SaaS management refers to the ongoing process of discovering, monitoring, analyzing, and optimizing SaaS applications across an organization to improve security, compliance, and cost efficiency.

How can SMEs detect Shadow IT?

SMEs can detect Shadow IT by analyzing expense reports, identity provider logs, SaaS integrations, and network activity — or by using automated SaaS discovery platforms that continuously monitor the environment.