> ./exec Infosec.sh — GUIDE

NIS2 Compliance for SMEs: What You Really Need to Know in 2026

Franky (FrankyCameroun), Security Reviewer · 12-05-2026 · 6 min read · INFOSEC · Reviewed by: Clara, Documentation Lead

Three years after the NIS2 Directive was adopted, and more than a year after the national transposition deadline of 17 October 2024, around 60% of affected German mid-market companies are still not compliant.[2] The BSI reported in mid-2025 that more than 30,000 companies had been newly brought into scope, most of them without a documented ISMS.[1]

This is no longer a compliance theatre exercise. Fines of up to €10M or 2% of global annual turnover are enforceable, and personal liability for management is written into the NIS2UmsuCG draft.[3] Any organisation still hesitating in 2026 faces an operational risk, not merely an audit risk.

What NIS2 Is and What It Is Not

NIS2 replaces the NIS Directive of 2016. The key changes for mid-market companies:

  • Extended scope: 18 sectors (11 in Annex I, 7 in Annex II; NIS1 covered 7), including B2B IT service providers, IT hardware manufacturers, logistics, and public administration
  • Size threshold: 50+ employees OR more than €10M annual turnover or balance sheet total (EU definition of a medium-sized enterprise)
  • Two-tier system: "essential" entities (higher obligations, proactive supervision) vs "important" entities (supervised after the fact)
  • 24-hour reporting obligation: early warning to the BSI/CSIRT within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month
  • Supply chain responsibility: you must manage the security risks your direct suppliers and service providers introduce, including their vulnerabilities
  • Management liability: management bodies must approve and oversee the security measures and can be held personally liable for infringements (Art. 20 para. 1)

What NIS2 is NOT: a mandatory ISO 27001 requirement. The standard is not prescribed, but it covers roughly 70–80% of the NIS2 requirements and is widely accepted by auditors and supervisory authorities as evidence of state-of-the-art measures.

Are You Affected? The 30-Second Test

Criterion                                                                  | Answer | NIS2 status
---------------------------------------------------------------------------|--------|------------------------------------------------------------
50+ employees OR €10M+ turnover                                            | Yes    | Proceed to sector check
Active in one of the 18 sectors (Annex I or II, Directive (EU) 2022/2555)  | Yes    | In scope
< 50 employees AND < €10M turnover                                         | Yes    | Probably not, unless designated as a "critical provider"
Public administration                                                      | Yes    | Central government always; regional and municipal bodies depending on national transposition

If you are in scope: BSI registration is mandatory. If you are unsure: a free initial assessment takes 30 minutes (book an audit appointment).

The 10 Obligations, What You Must Concretely Do

Distilled from Art. 21 of the NIS2 Directive:

  • Risk analysis and security policies for information systems, documented and reviewed at least annually
  • Incident handling: detection, response, recovery, lessons learned
  • Business continuity: backups, disaster recovery, crisis management
  • Supply chain security: supplier assessments, contracts with cybersecurity clauses
  • Security in procurement, development and maintenance of network and information systems, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of the measures taken
  • Basic cyber hygiene and training, all employees, on a regular basis
  • Policies on the use of cryptography and, where appropriate, encryption, in line with the state of the art
  • Human resources security, access control policies and asset management
  • Multi-factor or continuous authentication, and secured voice, video and text communications

Plus the reporting obligations (Art. 23): 24-hour initial notification, 72-hour update, 1-month final report.

Why ISO 27001 Is Not Enough, Yet Remains the Best Starting Point

We often hear: "We have ISO 27001, doesn't that cover us?" The honest answer: no, but you are 70–80% of the way there.

What ISO 27001 covers:

  • ISMS structure, PDCA cycle
  • Risk management (ISO 27005)
  • Annex A controls (93 in ISO/IEC 27001:2022; 114 in the 2013 edition)
  • Audit trails, documentation

What NIS2 additionally requires:

  • 24-hour early warning and 72-hour notification to authorities (ISO 27001 requires incident management and internal reporting, not notifying a regulator)
  • Management liability made explicit
  • Supply chain security as a formal obligation
  • Sector-specific requirements (e.g. banks carry additional DORA obligations)

Recommendation: If you have ISO 27001 → gap analysis against NIS2 (3–5 days of effort). If you have nothing → build an ISMS to ISO 27001 AND layer NIS2-specific requirements on top (3–6 months).

12-Step Plan to NIS2 Compliance in 90 Days

Realistic for a 100-person organisation without an existing ISMS:

#   Step                                                           Owner                             Days
1   Applicability analysis + BSI registration                      CISO / external consultant         2
2   Asset inventory (hardware, software, data, people, suppliers)  IT + consultant                    5
3   Risk analysis (threats × vulnerabilities × asset value)        CISO + consultant                  7
4   Security policies (10–15 documents)                            Documentation team                10
5   Technical measures (MFA, backup, encryption, monitoring)       IT + DevOps                       15
6   Incident reporting chain (24h-ready) + tabletop exercise       CISO + management                  5
7   Supplier audit process + new contractual clauses               Procurement + Legal               10
8   Business continuity plan + disaster recovery test              IT + executive management          8
9   Awareness training (all employees)                             HR + CISO                          5
10  Internal audit against NIS2 + ISO 27001 Annex A                Auditor (internal or external)     5
11  Corrective measures                                            All                               10
12  Documentation bundle for BSI enquiry                           CISO + Documentation               3

Total: 85 person-days. A 5-person task force working full-time would need about 17 working days, but the steps depend on each other (the risk analysis needs the asset inventory, the internal audit needs the policies and measures in place) and the team is rarely full-time, so plan for roughly 90 calendar days.

Budget indication for SMEs: €30,000–€80,000 external consulting plus internal effort. Complete package "ISO 27001 + NIS2": €50,000–€120,000 depending on complexity (NextGen IT InfoSec Service).

The Most Common Pitfalls (and How to Avoid Them)

Pitfall 1: Misclassifying "essential" vs "important"
Wrong classification means wrong obligations. "Essential" entities face stricter supervision and higher fines. If in doubt: consult the BSI or an external advisor.

Pitfall 2: Underestimating supply chain security
You are responsible for managing the security risks your critical suppliers introduce. Cloud providers, SaaS vendors, external developers: all must be vetted. At minimum: GDPR data processing agreement + security clause + annual evidence (e.g. SOC 2, ISO 27001).

Pitfall 3: Underestimating the 24-hour reporting obligation
Filing an early warning with the BSI within 24 hours presupposes 24/7 detection, a clear reporting chain and a trained on-call function. Without a SOC or MDR service this is hard for mid-market organisations. The BSI understands this, but expects at minimum documented processes and tabletop exercises.
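The reporting deadlines summarised under Art. 23 above and the on-call readiness this pitfall describes hinge on two details that runbooks often get wrong: the 24-hour and 72-hour clocks start when the entity becomes aware of the significant incident, while the one-month clock for the final report starts when the incident notification is actually submitted, and "one month" is a calendar month, not 30 days. The tracker below is an added example written for this guide, not code from the article, the BSI or any tool it mentions; the incident timestamps are constructed, and the class and function names are this example's own.

```python
"""NIS2 Art. 23 reporting-deadline tracker (added example, constructed data)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

STAGES = ("early_warning", "notification", "final_report")


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp and insist on an explicit UTC offset:
    a 24 h clock measured against a naive local time is how reports end up late."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value!r}")
    return ts


def add_one_month(moment: datetime) -> datetime:
    """Same day one calendar month later, clamped to the end of a shorter month
    (31 Jan -> 28/29 Feb). A flat 30-day offset is wrong in most months."""
    year = moment.year + (1 if moment.month == 12 else 0)
    month = 1 if moment.month == 12 else moment.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


@dataclass
class IncidentTimeline:
    """Timestamps for one significant incident; all must be timezone-aware."""
    aware_at: datetime                            # when the entity became aware
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

    def deadlines(self) -> Dict[str, Optional[datetime]]:
        """Art. 23(4): 24 h and 72 h run from awareness; the final report is due
        one month after the incident notification was *submitted*, so its
        deadline is unknown (None) until that submission exists."""
        return {
            "early_warning": self.aware_at + timedelta(hours=24),
            "notification": self.aware_at + timedelta(hours=72),
            "final_report": add_one_month(self.notification_sent) if self.notification_sent else None,
        }

    def status(self, now: datetime) -> Dict[str, str]:
        """Classify each stage at time `now`: on_time / late (already submitted),
        due / overdue (still open), awaiting_notification (clock not started)."""
        sent = {
            "early_warning": self.early_warning_sent,
            "notification": self.notification_sent,
            "final_report": self.final_report_sent,
        }
        result: Dict[str, str] = {}
        for stage, deadline in self.deadlines().items():
            submitted = sent[stage]
            if deadline is None:
                result[stage] = "awaiting_notification"
            elif submitted is not None:
                result[stage] = "on_time" if submitted <= deadline else "late"
            elif now > deadline:
                result[stage] = "overdue"
            else:
                result[stage] = "due"
        return result

    def hours_left(self, stage: str, now: datetime) -> Optional[float]:
        """Hours until the stage's deadline (negative once overdue), or None
        while the clock has not started. Handy for the on-call dashboard."""
        deadline = self.deadlines()[stage]
        if deadline is None:
            return None
        return (deadline - now).total_seconds() / 3600


def sample_incident() -> IncidentTimeline:
    """Constructed example: ransomware detected on a Tuesday morning; the
    early warning slipped by 90 minutes, the 72 h notification went out early."""
    return IncidentTimeline(
        aware_at=parse_ts("2026-03-10T09:00:00+00:00"),
        early_warning_sent=parse_ts("2026-03-11T10:30:00+00:00"),
        notification_sent=parse_ts("2026-03-12T15:00:00+00:00"),
    )


if __name__ == "__main__":
    incident = sample_incident()
    now = parse_ts("2026-03-20T12:00:00+00:00")
    for stage in STAGES:
        due = incident.deadlines()[stage]
        print(f"{stage:15} due {due.isoformat() if due else 'n/a':25} "
              f"{incident.status(now)[stage]:22} "
              f"hours left: {incident.hours_left(stage, now)}")
```

Run it as a script to see the three stages for the constructed incident: the early warning is flagged "late", the notification "on_time", and the final report "due" with its deadline anchored on 12 March, the submission time, rather than on 10 March, the detection time. Feeding the tracker from the ticketing system and alerting on `hours_left` falling below a threshold gives the on-call function the visibility Pitfall 3 asks for.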

Pitfall 4: Failing to involve management
Art. 20 makes management explicitly accountable. Simply "delegating to IT" no longer works. At minimum: document annual management training + board sign-off on the security policy.

Pitfall 5: Waiting for national transposition
A directive binds the Member States, not companies directly, but the requirements of Art. 21 and Art. 23 have been fixed since 2022 and the transposition deadline has passed. Delays in the German NIS2UmsuCG do not relieve organisations of their duty of care; they only shorten the time left to prepare once the Act applies.

Tools and Frameworks We Recommend

Stack-agnostic, but concrete:

ISMS tool (documentation + risk analysis)
  Open source: Eramba, OpenComply
  Commercial:  verinice, Hyperproof

SIEM / log aggregation
  Open source: Wazuh + ELK Stack (NextGen Stack)
  Commercial:  Splunk, Microsoft Sentinel

Vulnerability scanner
  Open source: OpenVAS, Trivy
  Commercial:  Tenable, Qualys

MFA
  Privacy-friendly: Authentik (self-hosted), Keycloak
  Enterprise:       Okta, Microsoft Entra ID

Backup + DR
  Open source: Restic, Borgbackup
  Cloud:       Hetzner Storage Box (client-side encrypted)

What Next?

If you want to start today:

  • Download our NIS2 Gap Analysis Template (XLSX + PDF). It is free, requires no email, and starts as a direct download.
  • Carry out your own initial assessment. Plan 2 to 3 hours with the template.
  • Book a free 30-minute initial consultation. We review the gap analysis with you and give you a clear breakdown of the concrete next steps.

If you already have ISMS experience: skip step 2 and go straight to an NIS2-specific gap analysis with us (1–2 days of consulting effort).

Sources

[1] BSI. IT Security Situation Report 2025. Federal Office for Information Security. https://www.bsi.bund.de/DE/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html

[2] European Parliament and Council. Directive (EU) 2022/2555 (NIS2). https://eur-lex.europa.eu/eli/dir/2022/2555/oj

[3] Federal Government. NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), Draft Bill. Federal Ministry of the Interior.

[4] ENISA. NIS Directive 2, Implementation guide for SMEs. European Union Agency for Cybersecurity.

[5] BSI Minimum Standards. https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/IT-Grundschutz-Standards/it-grundschutz-standards_node.html

> ./nis2_kit

NIS2 Gap Analysis Template (XLSX + PDF)

PDF guide, Excel workbook, and complete ZIP bundle for your first practical gap analysis.


FAQ

Who is affected by NIS2?
Mid-market companies with 50+ employees or €10M+ annual turnover operating in any of the 18 sectors (energy, transport, banking, healthcare, water, digital infrastructure, B2B IT service providers, food, chemicals, manufacturing, postal services, public administration, etc.). Smaller organisations are also in scope if designated as "critical providers". The BSI estimates approximately 30,000 companies in Germany.
What is the NIS2 deadline in Germany?
The EU NIS2 Directive entered into force on 16 January 2023, with national transposition due by 17 October 2024. The German NIS2UmsuCG is delayed; as of 2026 the core obligations apply, but transitional periods continue to run. In practice: BSI registration has been mandatory since the end of 2024, and reporting and security obligations are being phased in progressively.
What penalties apply for non-compliance with NIS2?
Up to €10M or 2% of global annual turnover, whichever is higher, for "essential entities"; up to €7M or 1.4% for "important entities" (Art. 34). Personal liability of management is possible (§ 34 NIS2UmsuCG draft).
Does existing ISO 27001 certification cover NIS2 compliance?
No, but it is a strong starting point. ISO 27001 covers approximately 70–80% of NIS2 requirements. Gaps include: the 24-hour reporting obligation (NIS2 is stricter than ISO), supply chain security (explicit in NIS2, indirect in ISO), and management accountability (NIS2-specific).
Franky (FrankyCameroun), Security Reviewer

Application security, compliance (NIS2, DORA, ISO 27001), threat modeling.

Need help with Infosec?

Free initial consultation, fixed price after audit.

INIT_CONSULTATION() →