- NIS2 has been in effect in Germany since December 2025 and applies to companies with 50+ employees or EUR 10 million+ in annual revenue across 18 critical sectors.
- Management is personally liable for implementing cybersecurity measures and must attend training sessions.
- Security incidents must be reported within 24 hours, followed by a full report within 72 hours.
- Article 21 defines 10 minimum measures, including risk management, incident response, business continuity, and supply chain security.
- Building an ISMS based on ISO 27001 covers approximately 80% of NIS2 requirements and is the most efficient path to compliance.
NIS2 Is Here — and SMEs Are in the Spotlight
On 16 January 2023, the European NIS2 Directive entered into force. Since December 2025, it has been transposed into German law through the NIS2 Implementation Act (NIS2UmsuCG). For mid-market companies, this fundamentally changes how cybersecurity must be organised and demonstrated.
What makes NIS2 different from the previous directive is that the scope of affected companies has expanded massively. Where previously only large operators of critical infrastructure were in scope, thousands of mid-market companies now fall under the regulation. BSI estimates suggest around 30,000 affected organisations in Germany alone.
If you are in the management or IT leadership of a mid-market company and wondering whether this applies to you and what you need to do — this article gives you the answers.
Am I Affected? The Thresholds in Detail
NIS2 works with two categories: essential entities and important entities. For SMEs, the second category is particularly relevant.
You fall under NIS2 if your company meets two conditions simultaneously:
Condition 1 — Size:
- At least 50 employees or
- At least EUR 10 million in annual revenue or
- At least EUR 10 million in annual balance sheet total
Condition 2 — Sector: Your company operates in one of the 18 regulated sectors.
The 18 Sectors at a Glance
Sectors of high criticality (Annex I):
| Sector | Examples |
|---|---|
| Energy | Electricity suppliers, gas grid operators, district heating |
| Transport | Freight companies, logistics, airports, ports |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venues, central counterparties |
| Health | Hospitals, laboratories, pharma, medical devices |
| Drinking water | Water suppliers |
| Wastewater | Wastewater disposal |
| Digital infrastructure | Data centres, CDN, DNS, TLD registrars |
| ICT service providers (B2B) | Managed service providers, managed security providers |
| Public administration | Federal and state authorities |
| Space | Ground infrastructure operators |
Other critical sectors (Annex II):
| Sector | Examples |
|---|---|
| Post and courier | Parcel service providers |
| Waste management | Waste disposal companies |
| Chemicals | Chemical production and distribution |
| Food | Wholesale, processing, production |
| Manufacturing | Mechanical engineering, vehicle construction, electrical engineering, medical technology |
| Digital services | Online marketplaces, search engines, social networks |
| Research | Research institutions |
A Concrete Example
A mechanical engineering company with 120 employees and EUR 25 million in revenue: clearly affected. Manufacturing is a regulated sector, and the thresholds are exceeded. This company falls under NIS2 as an important entity.
But an IT service provider with 55 employees that provides managed services for other companies is also covered. ICT service providers in the B2B space are explicitly listed as a sector.
Important: In case of doubt, you must classify yourself. There is no letter from the BSI informing you. The registration obligation lies with the company itself.
What NIS2 Specifically Requires
NIS2 is not purely an IT topic. The directive requires an organisational security management system that combines technical and procedural measures. At its core, it covers four areas:
1. Cybersecurity Risk Management
You need a structured process to identify, assess, and treat cyber risks. A sound risk assessment is the central building block. This does not mean you must eliminate every risk — but you must be able to demonstrate that you are aware of them and handle them deliberately.
For a company with around 100 employees, this means: a risk analysis for the most important IT systems and business processes. Which systems are business-critical? What happens if the ERP goes down for two days? How likely is a ransomware attack, and what would the damage be?
2. Incident Reporting Obligations
The reporting deadlines under NIS2 are significantly stricter than anything that existed before:
| Deadline | What must be reported |
|---|---|
| 24 hours | Initial report to the BSI upon becoming aware of a significant security incident |
| 72 hours | Updated report with assessment, severity, and impact |
| 1 month | Final report with root cause analysis, measures taken, and cross-border impact |
A significant security incident exists when it causes or may cause serious operational disruption or financial losses, or when other persons or entities are significantly harmed.
In practice, this means: You need a functioning incident response plan. If an incident is discovered at 5 PM on a Friday, a report must go out within 24 hours. This only works if responsibilities, communication channels, and reporting templates are defined in advance.
3. Business Continuity Management (BCM)
NIS2 requires that you have plans in place to maintain or quickly restore business operations in the event of a cyberattack. This includes backup management, disaster recovery plans, and crisis management.
For the mechanical engineering company with 120 employees: What happens if the production control system is compromised? Are there offline backups? How long does recovery take? Is there a plan B for order processing if SAP is unavailable for three days?
4. Supply Chain Security
This is the point that surprises many mid-market companies. You must assess and manage the cybersecurity of your supply chain. This affects IT service providers, software vendors, and other suppliers on which your business processes depend.
Specifically: If you use an external IT service provider for your network, you must know their security level and contractually secure it. This also applies to cloud services, SaaS applications, and software suppliers.
The 10 Minimum Measures Under Article 21
Article 21 of the NIS2 Directive defines ten minimum measures that every affected entity must implement. These are deliberately formulated in a technology-neutral way so they remain applicable to different company sizes.
1. Risk Analysis and Security Concepts for Information Systems
Create a documented risk analysis for your critical information systems. Based on this, define security policies and review both regularly.
2. Incident Handling
Build an incident response process: detection, analysis, containment, eradication, and recovery. Define clear escalation paths and the roles within the incident response team.
3. Business Continuity and Crisis Management
Create contingency plans for the failure of critical systems. Test these plans at least annually. Ensure that backups exist, are regularly tested, and that restore processes are documented.
4. Supply Chain Security
Assess the cybersecurity of your suppliers and service providers. Include security requirements in contracts. Monitor compliance.
5. Security in Acquisition, Development, and Maintenance of IT Systems
Consider security requirements when procuring and developing IT systems. This also includes vulnerability and patch management.
6. Assessment of the Effectiveness of Measures
Regularly verify whether your security measures are actually effective. This can be done through internal audits, penetration tests, or security reviews.
7. Cyber Hygiene and Training
Training programmes for all employees and specific training for management. Basic cyber hygiene practices must be established: strong passwords, phishing recognition, secure handling of mobile devices.
8. Cryptography and Encryption
Implement encryption where appropriate. This applies to data in transit (TLS) and data at rest (disk encryption, encrypted backups). Define a cryptography policy.
9. Personnel Security and Access Control
Implement an access control concept based on the least privilege principle. Regulate access to critical systems through roles and permissions. Also consider personnel security during onboarding and offboarding.
10. Multi-Factor Authentication and Secure Communication
Implement multi-factor authentication for access to critical systems. Use secure, encrypted communication channels. In emergencies, rely on secured voice, video, and text communication.
Management Liability — It Gets Personal
Perhaps the most far-reaching aspect of NIS2 for SMEs: Management is personally liable for implementing cybersecurity measures. This is not a theoretical risk but an explicit provision of the directive.
Specifically, this means:
- Approval obligation: Management must formally approve risk management measures and oversee their implementation.
- Training obligation: Executives must personally attend cybersecurity training. Delegating to the IT department is not sufficient.
- Personal liability: In the event of violations, executives can be held personally liable. This liability cannot be excluded through insurance or contractual arrangements.
For the CEO of a mechanical engineering company with 120 employees, this means: Cybersecurity is a management responsibility. It is no longer enough to delegate this topic to the IT manager and not concern yourself further. Management must understand what risks exist, what measures are being taken, and whether these are adequate.
Fines for Violations
Sanctions are tiered by entity type:
| Category | Maximum Fine |
|---|---|
| Essential entities | EUR 10 million or 2% of global annual revenue |
| Important entities | EUR 7 million or 1.4% of global annual revenue |
For most mid-market companies, these maximum amounts are theoretical. But fines in the five- or six-figure range can be painful for a company with EUR 25 million in revenue. Add to that the reputational damage when a security incident becomes public.
The Relationship Between NIS2 and ISO 27001
Good news for everyone wondering how to implement NIS2 in a structured way: An ISMS based on ISO 27001 covers approximately 80% of NIS2 requirements. Both pursue the same risk-based approach and overlap in key areas.
| NIS2 Requirement | ISO 27001 Equivalent |
|---|---|
| Risk analysis | Chapter 6 (Planning), Annex A.8 |
| Incident response | Annex A.5.24–A.5.28 |
| Business continuity | Annex A.5.29–A.5.30 |
| Supply chain security | Annex A.5.19–A.5.23 |
| Access control | Annex A.5.15–A.5.18, Annex A.8 |
| Encryption | Annex A.8.24 |
| Training | Annex A.6.3 |
| Vulnerability management | Annex A.8.8 |
The advantage of an ISMS as a foundation: You have a management system that not only covers current NIS2 requirements but is also flexible enough to respond to future changes. And if your customers or clients eventually require ISO 27001 certification, you will have already completed half the work.
Step by Step: Implementing NIS2 in a Company with ~100 Employees
Enough theory. Here is a realistic plan for a mid-market company starting from scratch that wants to achieve NIS2 compliance.
Phase 1: Assessment and Foundations (Months 1–2)
Complete the applicability analysis: Formally check whether your company falls under NIS2. Document the sector, employee count, and revenue. Register with the BSI via the designated platform.
Assign responsibilities: Appoint an Information Security Officer (ISO). In a company with 100 employees, this can be a part-time role, but someone must be formally designated. Management must formally assume its approval role.
Create an asset inventory: List all IT systems, applications, databases, and network components. You can only protect what you know. For a company of this size, expect 50 to 150 relevant assets.
Take stock of existing measures: What do you already have? Firewall, antivirus, backup concept, access control? Many companies have more than they think; it is simply not documented.
Phase 2: Risk Analysis and Core Processes (Months 3–4)
Conduct a risk analysis: For each critical asset, assess: What threats exist? How likely is an incident? What would the damage be? Prioritise the risks and define treatment measures.
A pragmatic approach for 100 employees: Focus on the 20 to 30 business-critical systems. The ERP, production control, email, file server, VPN access, Active Directory. Not every printer needs its own risk analysis. Tools like ISMS Lite provide risk assessment with a 5x5 matrix and automatic residual risk calculation, so you can focus on the substantive evaluation.
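To make the 5x5 approach concrete, here is an added example of a minimal risk register with gross and residual risk calculation, written for this article and not taken from ISMS Lite or any other tool. The assets, scores, risk bands and the acceptance level are constructed assumptions for the 120-employee manufacturer used throughout.

```python
from dataclasses import dataclass
from typing import List, Optional

# Risk bands on the 1..25 likelihood*impact scale (assumed thresholds).
BANDS = ((1, 4, "low"), (5, 9, "medium"), (10, 15, "high"), (16, 25, "critical"))
ACCEPTANCE_LEVEL = 9  # residual risk up to "medium" is accepted (assumption)


def band(score: int) -> str:
    """Map a 1..25 score to its risk band."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} outside 1..25")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (existential)
    measure: str = ""               # planned treatment, empty if none
    residual_likelihood: Optional[int] = None  # score after the measure
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact,
                  self.residual_likelihood, self.residual_impact):
            if v is not None and not 1 <= v <= 5:
                raise ValueError(f"{self.asset}: score {v} outside 1..5")

    @property
    def gross(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Residual risk: a dimension the measure does not change keeps its gross score."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def prioritise(register: List[Risk]) -> List[Risk]:
    """Treatment order: highest gross risk first (stable for equal scores)."""
    return sorted(register, key=lambda r: r.gross, reverse=True)


def above_acceptance(register: List[Risk], level: int = ACCEPTANCE_LEVEL) -> List[str]:
    """Assets whose residual risk still exceeds the accepted level and need further treatment."""
    return [r.asset for r in register if r.residual > level]


# Constructed register (sample values, not real data).
REGISTER = [
    Risk("ERP", "ransomware encrypts ERP and online backups", 4, 5,
         "offline backups, quarterly restore test", residual_impact=3),
    Risk("Production control", "compromise via flat office/OT network", 3, 5,
         "segment OT network, restrict lateral movement", residual_likelihood=2, residual_impact=4),
    Risk("VPN", "phished credentials, no second factor", 4, 4,
         "MFA on VPN and admin accounts", residual_likelihood=2),
    Risk("Email", "phishing reaches users", 5, 3,
         "awareness training, mail filtering", residual_likelihood=3),
    Risk("Printers", "malware on print server", 2, 2),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.asset:19} gross {r.gross:2} ({band(r.gross)}) residual {r.residual:2} ({band(r.residual)})")
    print("still above acceptance:", above_acceptance(REGISTER))
```

Running it shows that the ERP ransomware risk stays "high" even with offline backups, which is exactly the kind of item that needs a second measure and a documented management decision.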
Build an incident response process: Define what constitutes a security incident, who is informed, who decides, and how the BSI report is submitted within 24 hours. Create a reporting template and test the process once.
Create security policies: Start with the most important documents: information security policy, password policy, mobile device policy, backup policy. These do not need to be a hundred pages long — pragmatic and actionable is better than academic and comprehensive.
Phase 3: Implement Technical Measures (Months 5–7)
Introduce multi-factor authentication: Start with the most critical access points: VPN, admin accounts, external email access, cloud services. Then roll out gradually to all employees.
Ensure encryption: TLS for all internal and external web services, disk encryption for laptops, encrypted backups. Check whether your email traffic is encrypted.
Review backup concept: Do offline backups exist that cannot be encrypted in a ransomware attack? How often are backups tested? When was the last full restore performed?
Review network segmentation: Separation of production and office networks, segmentation of critical systems, restriction of lateral movement. It does not need to be perfect, but the most significant gaps should be closed.
Set up vulnerability management: Regular updates and patches for all systems. A process to promptly assess and remediate critical vulnerabilities. For a company with 100 employees, pragmatic patch management with clear responsibilities is often sufficient.
Phase 4: Supply Chain and Training (Months 8–9)
Conduct supplier assessments: Identify your critical IT service providers and software vendors. Send a security questionnaire. Review existing contracts for security clauses and supplement them as needed.
For a typical company with 100 employees, there are usually 5 to 10 critical IT suppliers: the managed service provider, the ERP vendor, the cloud provider, the telecommunications provider, and perhaps a few SaaS services. Start with those.
Launch training programme: All employees need basic cyber hygiene training: recognising phishing, strong passwords, handling suspicious emails, reporting channels for incidents. Management needs a separate training session on NIS2 obligations and their responsibilities.
A realistic format: A 60-minute online training for all employees, quarterly refreshers or phishing simulations, and a half-day training for management.
Phase 5: Review and Continuous Improvement (Months 10–12)
Conduct an internal audit: Systematically verify whether all ten minimum measures have been implemented. Document gaps and create an action plan for remediation. In ISMS Lite, the implementation status of each NIS2 requirement can be documented with justification and linked measures, which significantly simplifies evidence management.
Test business continuity plans: Conduct a tabletop exercise. Simulate a ransomware attack on a Friday evening. Does the incident response process work? Does everyone know what to do? Can the backups actually be restored?
Complete documentation: Ensure that all measures, decisions, and processes are documented. In a BSI audit, you must be able to demonstrate what you are doing and why.
Schedule a management review: Management should evaluate the state of information security at least annually. What risks exist? What incidents occurred? Are the measures adequate? Where do improvements need to be made?
Timeline at a Glance
| Period | Focus | Outcome |
|---|---|---|
| Months 1–2 | Assessment | Applicability analysis, asset inventory, ISO appointed, BSI registration |
| Months 3–4 | Risk analysis & core processes | Risk assessment, incident response process, core policies |
| Months 5–7 | Technical implementation | MFA, encryption, backup optimisation, patch management |
| Months 8–9 | Supply chain & training | Supplier assessment, employee training, management training |
| Months 10–12 | Review & improvement | Internal audit, BC tests, documentation, management review |
This timeline is ambitious but achievable — provided someone actively drives the topic forward. Without dedicated resources and backing from management, it will not work.
The Most Common Mistakes in NIS2 Implementation
From practice, several typical pitfalls can be identified:
Starting too late. NIS2 is already in effect. Those who are only beginning now are under time pressure. The good news: A pragmatic approach with clear prioritisation can deliver substantial progress in just a few months. What matters most is that you can demonstrate you are actively working on implementation.
Treating it as a pure IT project. NIS2 is a management topic, not an IT project. If the IT manager is supposed to handle it alone, the organisational foundation is missing. Management must be actively involved — not just on paper.
Perfectionism instead of pragmatism. An ISMS does not need to be perfect to be effective. Better to have 80% of measures solidly implemented than 100% planned on paper with none of it reaching practice. Start lean, iterate fast.
Forgetting documentation. You can have the best firewall in the world — if you have not documented why you configured it that way, which risks it addresses, and who is responsible for maintenance, it will not help you in an audit.
Ignoring the supply chain. Many companies focus on internal measures and forget that NIS2 explicitly includes the supply chain. Especially mid-market companies that rely heavily on external IT service providers need to address this.
What Matters Most Right Now
If you are wondering what to start with tomorrow — here are the three most important first steps:
First: Clarify whether you are affected. Check the sector and size of your company against the NIS2 criteria. If you are affected, register with the BSI.
Second: Get management on board. Without backing from the top, implementation will not work. Use personal liability as an argument — experience shows it opens doors and budgets.
Third: Appoint an ISO and start the assessment. Someone must own the topic. And before you can plan measures, you need to know where you stand.
Further Reading
- NIS2 Initial Report to the BSI: Content, Deadlines, and Template
- NIS2 Reporting Deadlines at a Glance: 24h, 72h, 1 Month — What Is Due When
- NIS2 Fines: Who Is Liable and How High Are the Penalties?
- NIS2 vs. ISO 27001: Differences, Similarities, and How Both Fit Together
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
NIS2 is demanding, but it is not rocket science. With a structured approach, realistic expectations, and the right tools, mid-market companies can meet the requirements — and actually improve their cybersecurity along the way. Because that is ultimately the point of the whole exercise: not compliance for compliance's sake, but a genuine improvement in security for your company.
