NIS2 Implementation on a Limited Budget: Setting Pragmatic Priorities

TL;DR
  • NIS2 requires 10 minimum measures, but they don't all cost the same. Targeted prioritization by effort and impact saves budget without jeopardizing compliance.
  • Quick wins such as enabling MFA, verifying backups, and documenting a password policy cost almost nothing and already cover important NIS2 requirements.
  • The biggest budget drains are external consulting and specialized security tools. Both can be significantly reduced through in-house effort, open-source solutions, and strategic package bookings.
  • A realistic 12-month plan distributes costs evenly and avoids the mistake of trying to do everything at once.
  • Federal and state funding programs can cover 30-50% of external consulting costs. Applications must be submitted before project start.

The Mid-Market Reality: Obligation Without Means

NIS2 is in force, the requirements are clear, and the fines are significant. So much for theory. The reality in many mid-market companies looks different: there's no CISO, no dedicated security team, and no six-figure budget for information security. The IT manager has the topic "on the side," alongside day-to-day operations, digitalization, and the question of why the printer on the third floor has stopped working again.

That's not complaining — it's a description of reality. Around 30,000 companies in Germany fall under NIS2, and a large proportion are exactly these kinds of mid-market businesses: too large to be ignored, too small to set up an enterprise security program.

The good news: NIS2 compliance is achievable even on a limited budget. The bad news: it requires smart prioritization, realistic planning, and the willingness to handle many things yourself rather than hiring external consultants for everything. This article shows you how that works in practice.

The 10 Minimum Measures: What Actually Costs Money and What Doesn't

Article 21 of the NIS2 Directive defines ten minimum measures that every affected entity must implement. These measures are intentionally formulated in a technology-neutral way, which allows flexibility in implementation. Not all measures cost the same, and not all have the same maturity leverage. The following table ranks them by the ratio of effort to impact:

Priority | Measure | Effort | Impact | Budget Impact
1 | Incident handling | Medium | Very high | Low
2 | Business continuity (backup, recovery) | Medium | Very high | Low to medium
3 | Cyber hygiene and training | Low | High | Low
4 | Risk analysis and security concepts | High | Very high | Low to medium
5 | Access control and personnel security | Medium | High | Low
6 | Cryptography and encryption | Low | Medium | Low
7 | Supply chain security | Medium | High | Low
8 | Security in acquisition, development, maintenance | Medium | Medium | Medium
9 | Effectiveness assessment | Medium | High | Medium
10 | MFA and secure communications | Low | High | Low to medium

This order deliberately deviates from the numbering in Article 21. The prioritization is not based on the standard's system but on the question: what delivers the most security per euro and per working hour invested?

Quick Wins That Cost Almost Nothing

Before thinking about major investments, there are a number of measures you can implement with minimal budget. These quick wins already cover a significant portion of NIS2 requirements while creating the foundation for further measures.

Enable MFA Everywhere (Cost: EUR 0-500)

Multi-factor authentication is the single measure with the best cost-effectiveness ratio in all of IT security. The vast majority of systems you already use support MFA without requiring additional licenses: Microsoft 365, Google Workspace, VPN connections, cloud services.

Implementation takes one to two days for configuration and one to two weeks for rollout to all employees. The only costs arise if you want to use hardware tokens instead of authenticator apps — which isn't strictly necessary for standard applications. Authenticator apps like Microsoft Authenticator or Google Authenticator are free.

Start with the most critical systems: email, VPN, cloud storage, admin accounts. Then gradually extend MFA to all business-critical applications.

Perform a Backup Check (Cost: EUR 0)

You probably have backups. But do you know if they work? A backup that has never been tested is not a backup — it's a hope. NIS2 requires not just that you have backups but that you can demonstrate your recovery processes work.

Plan an afternoon to answer the following questions:

  • Are all business-critical systems being backed up?
  • How old is the most recent backup?
  • Are there offline backups or immutable backup copies?
  • When was the last restore test performed?
  • How long would a full restoration take?

Document the results. If the restore test shows everything works, you have solid evidence. If not, you know where you need to improve — and that too is a result.
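The five questions above can be answered once by hand, but the answers go stale the moment the next backup job fails. The following script, an added example that is not from the original article, turns them into a repeatable check: it runs over a small constructed backup catalogue, flags stale or missing backups, missing offline/immutable copies, overdue or never-performed restore tests, unknown restore durations, and verifies the stored backup against its catalogued SHA-256 digest. The thresholds (24 hours for backup age, 90 days for restore tests), the record layout and the sample systems are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds are assumptions for this example, not values from the article.
MAX_BACKUP_AGE = timedelta(hours=24)        # a backup older than this is stale
MAX_RESTORE_TEST_AGE = timedelta(days=90)   # restore tests at least quarterly
NOW = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)  # constructed "now"


@dataclass
class BackupRecord:
    system: str
    critical: bool
    last_backup: Optional[datetime]        # None = never backed up
    immutable_copy: bool                   # offline or immutable copy exists?
    last_restore_test: Optional[datetime]  # None = never tested
    restore_hours: Optional[float]         # measured full-restore time, if known
    payload: bytes = b""                   # content of the latest backup (constructed)
    recorded_sha256: str = ""              # digest stored in the backup catalogue


def check_backup(rec: BackupRecord, now: datetime = NOW) -> list:
    """Return the findings for one system; an empty list means it passes."""
    findings = []
    if rec.last_backup is None:
        findings.append("no backup exists")
    elif now - rec.last_backup > MAX_BACKUP_AGE:
        findings.append(f"backup is stale ({(now - rec.last_backup).days} days old)")
    if rec.critical and not rec.immutable_copy:
        findings.append("no offline/immutable copy (ransomware can encrypt it)")
    if rec.last_restore_test is None:
        findings.append("restore never tested")
    elif now - rec.last_restore_test > MAX_RESTORE_TEST_AGE:
        findings.append("restore test older than 90 days")
    if rec.restore_hours is None:
        findings.append("full-restore duration unknown")
    # Integrity: the digest of the backup we actually hold must match the catalogue.
    if rec.payload and hashlib.sha256(rec.payload).hexdigest() != rec.recorded_sha256:
        findings.append("checksum mismatch: backup file is corrupt or tampered")
    return findings


def backup_report(records) -> dict:
    """Map every system to its findings so the result can be filed as evidence."""
    return {r.system: check_backup(r) for r in records}


# Constructed sample catalogue: one healthy system, one neglected, one never backed up.
ERP_BLOB = b"erp-db-dump-2025-03-09"
SAMPLE = [
    BackupRecord("erp-db", True, NOW - timedelta(hours=6), True,
                 NOW - timedelta(days=30), 4.0,
                 ERP_BLOB, hashlib.sha256(ERP_BLOB).hexdigest()),
    BackupRecord("fileserver", True, NOW - timedelta(days=9), False,
                 None, None, b"fileshare-snapshot", "deadbeef"),
    BackupRecord("intranet-wiki", False, None, False, None, None),
]

if __name__ == "__main__":
    for system, findings in backup_report(SAMPLE).items():
        print(f"{system}: {'OK' if not findings else '; '.join(findings)}")
```

The printed report, dated and saved with the restore-test notes, is exactly the kind of evidence the article asks you to document: it shows what was checked, what failed, and what still needs improvement.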

Document a Password Policy (Cost: EUR 0)

Your company probably has informal rules for passwords. But NIS2 requires documented security policies. Writing a password policy costs nothing except two to three hours of work. It should cover:

  • Minimum length (12 characters recommended, preferably 14 or more)
  • Complexity requirements (or better: allow passphrases)
  • Prohibition of password reuse
  • Use of a password manager (recommended)
  • MFA requirement (complementary to the password)
  • Procedure for suspected compromised passwords

Distribute the policy to all employees and have them acknowledge receipt. This gives you documented evidence for two NIS2 areas at once: cyber hygiene and access control.
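A written policy only helps if the systems that accept passwords enforce the same rules. The checker below is an added example, not part of the article or any product it mentions: it encodes the policy points above (12-character minimum, 14 recommended, complexity or a passphrase, no reuse) as code, keeps the password history as salted PBKDF2 digests rather than plaintext, and compares digests in constant time. The passphrase definition (four or more separated words), the "3 of 4 character classes" complexity rule, the history depth of five and the sample salt and passwords are assumptions for the example.

```python
import hashlib
import hmac
import re

MIN_LENGTH = 12              # article: at least 12 characters
RECOMMENDED_LENGTH = 14      # article: preferably 14 or more
PASSPHRASE_MIN_WORDS = 4     # assumption: four or more words counts as a passphrase
HISTORY_SIZE = 5             # assumption: the last five passwords may not be reused
PBKDF2_ROUNDS = 100_000      # assumption; raise on production hardware


def is_passphrase(pw: str) -> bool:
    """Several separated words: length replaces character-class complexity."""
    words = [w for w in re.split(r"[\s\-_.]+", pw) if w]
    return len(words) >= PASSPHRASE_MIN_WORDS


def complexity_ok(pw: str) -> bool:
    """At least three of: lowercase, uppercase, digit, symbol."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^\w\s]", pw)]
    return sum(1 for c in classes if c) >= 3


def hash_password(pw: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt; only digests enter the history."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def check_password(pw: str, history: list, salt: bytes) -> list:
    """Return policy findings; entries prefixed 'warn:' do not block acceptance."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        problems.append(f"warn: {RECOMMENDED_LENGTH}+ characters recommended")
    if not is_passphrase(pw) and not complexity_ok(pw):
        problems.append("needs 3 of 4 character classes (or use a passphrase)")
    digest = hash_password(pw, salt)
    # compare_digest avoids leaking timing information about partial matches
    if any(hmac.compare_digest(digest, old) for old in history[-HISTORY_SIZE:]):
        problems.append(f"reused: matches one of the last {HISTORY_SIZE} passwords")
    return problems


def is_accepted(pw: str, history: list, salt: bytes) -> bool:
    """True when no blocking (non-warning) finding remains."""
    return all(p.startswith("warn:") for p in check_password(pw, history, salt))


# Constructed per-user salt and history (one previously used password).
SALT = b"constructed-salt-for-example"
HISTORY = [hash_password("Winter2024!Secure", SALT)]

if __name__ == "__main__":
    for candidate in ["Winter2024!Secure", "correct horse battery staple",
                      "Tr0ub4dor&3!x", "letmeinletmein"]:
        print(candidate, "->", check_password(candidate, HISTORY, SALT) or "accepted")
```

Note that the passphrase branch deliberately skips the character-class rule: a 28-character four-word phrase is far stronger than a 12-character string with one digit and one symbol, which is why the article recommends allowing passphrases instead of insisting on complexity.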

Define an Incident Response Process (Cost: EUR 0)

Setting up an incident response process sounds elaborate, but it doesn't have to be. For an SME, a pragmatic document of five to ten pages that answers the following questions is initially sufficient:

Who reports what to whom? Define clear reporting channels. Every employee must know who to contact when they suspect a security incident. That can be the IT manager, a dedicated email address, or a phone number. The main thing is that it's defined and known.

What constitutes a reportable incident? Not every spam email is an incident. Define thresholds: at what severity level is escalation triggered? What are examples of reportable incidents under NIS2?

What does escalation look like? Who decides whether the incident must be reported to the BSI? Who informs management? Who coordinates the response?

How are the NIS2 reporting deadlines met? 24 hours for the initial notification, 72 hours for the updated notification, one month for the final report. Who is responsible? Which template is used?

This document is the foundation you can build on as needed. It doesn't need to be perfect. It needs to exist, be known, and work in an emergency.
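The reporting clock is the part of this process that people get wrong under pressure, so it is worth having a tool compute it. The script below is an added example, not from the article: it takes the moment the organisation became aware of an incident, applies the 24-hour, 72-hour and one-month deadlines named above, and decides whether the incident crosses the escalation threshold at all. The severity scale, the threshold ("high" and above is reportable) and the two sample incidents are assumptions; one sample is deliberately discovered on a Friday evening at the end of January so that the weekend deadline and the month-end clamping of the final report are both visible.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Deadlines stated in the article, measured from becoming aware of the incident.
INITIAL_NOTIFICATION = timedelta(hours=24)
UPDATED_NOTIFICATION = timedelta(hours=72)

# Severity scale and escalation threshold are assumptions for this example.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REPORTABLE_FROM = "high"


def add_one_month(ts: datetime) -> datetime:
    """One calendar month later, clamped to the last day of a shorter month."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime) -> dict:
    """The three NIS2 reporting milestones for an incident known since aware_at."""
    return {
        "initial_notification": aware_at + INITIAL_NOTIFICATION,
        "updated_notification": aware_at + UPDATED_NOTIFICATION,
        "final_report": add_one_month(aware_at),
    }


def classify(incident: dict) -> dict:
    """Decide escalation and, if reportable, start the deadline clock."""
    reportable = SEVERITY[incident["severity"]] >= SEVERITY[REPORTABLE_FROM]
    result = {"id": incident["id"], "escalate": reportable, "deadlines": None}
    if reportable:
        result["deadlines"] = reporting_deadlines(incident["aware_at"])
    return result


# Constructed sample incidents (31 January 2025 is a Friday).
SAMPLE = [
    {"id": "INC-1", "severity": "low",           # spam wave: logged, not escalated
     "aware_at": datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)},
    {"id": "INC-2", "severity": "critical",      # ransomware found Friday evening
     "aware_at": datetime(2025, 1, 31, 18, 30, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for inc in SAMPLE:
        r = classify(inc)
        print(r["id"], "escalate:", r["escalate"])
        for name, when in (r["deadlines"] or {}).items():
            print("   ", name, when.strftime("%a %Y-%m-%d %H:%M %Z"))
```

Keeping the clock in code rather than in someone's head also answers the "which template, who is responsible" questions: the same script can be extended to print the owner and template for each milestone from your incident response document.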

Start Employee Awareness (Cost: EUR 0-1,000)

NIS2 explicitly requires cyber hygiene training for all employees and specific training for management. The most affordable option: an internal training session delivered by the IT manager or CISO. One hour is enough to start if you cover the right topics:

  • Phishing recognition (with current examples)
  • Secure passwords and password managers
  • Handling suspicious emails and links
  • Reporting channels for security incidents
  • Basic rules for mobile working

Document the training: date, content, attendance list. That's your evidence for the auditor. For management, a separate, shorter session emphasizing the strategic aspects is recommended: personal liability, reporting obligations, budget responsibility.

If you have some budget, e-learning platforms are a scalable alternative. Some providers offer SME packages starting at EUR 500 per year that include automated phishing simulations and online training.

What You Can Do Yourself vs. Where You Need Consultants

The decision about what you handle internally and where you bring in external help has the biggest impact on your budget. Generally speaking: you can usually implement operational measures yourself; for strategic and regulatory questions, targeted external support is worthwhile.

What You Can Do Yourself

Implement technical measures. Setting up MFA, reviewing the backup concept, enabling disk encryption, checking firewall rules, establishing a patch management process. This is classic IT work that your IT team can handle or learn.

Write policies. There are numerous templates for security policies available online that you can adapt to your organization. A password policy, a clean desk policy, rules for mobile working — these aren't rocket science. What matters is that the policies are realistic and actually followed, not that they're legally perfect.

Conduct training. You can deliver the first awareness training yourself. You know your organization, your systems, and the typical risks better than any external trainer. Use freely available resources from BSI, the Alliance for Cybersecurity, or ENISA as a foundation.

Create an asset inventory. A list of all IT systems, applications, and data repositories is the foundation for risk assessment. This can be a simple Excel spreadsheet. What matters: system name, owner, criticality, location, and key dependencies.

Conduct supplier assessments. Create a simple questionnaire for your key IT service providers and cloud vendors: Do they have an ISMS? Are they certified? How do they handle security incidents? What are the contractual provisions for data security? This costs you a few hours of work and an afternoon of phone calls.

Where External Help Is Worthwhile

Risk assessment methodology. The risk assessment is the heart of the ISMS, and the methodology must be consistent and traceable. A consultant experienced with NIS2 and ISO 27001 can set up a methodology for you in two to three days that you then apply yourself. This is more effective than spending weeks building a framework on your own.

Gap analysis against NIS2 requirements. An experienced consultant can identify where you stand and where the biggest gaps are in one to two days. This analysis saves you months of trial and error and gives you a reliable roadmap.

Internal audit. If you're conducting an internal audit for the first time, external support is sensible. The consultant brings audit experience and knows what auditors focus on. Simultaneously, through the collaboration, you train your own people so you can conduct the next internal audit yourself.

Legal classification. Are you actually subject to NIS2? Which category do you fall into? Which specific requirements apply to your sector? These questions have legal implications, and a specialized consultant or attorney can answer them more authoritatively than you can yourself.

How to Save on Consulting

Packages instead of daily rates. Many consultants offer NIS2 implementation packages that are cheaper than booking individual days. A typical SME package includes gap analysis, risk assessment, policy templates, and audit preparation for EUR 8,000 to 15,000 — significantly less than the same services individually at full daily rates.

Workshops instead of full support. Instead of having the consultant build the entire ISMS, you book targeted workshops: one day on risk assessment, half a day on incident response, one day on audit preparation. Between workshops, you continue working on your own. This reduces consultant days while maintaining quality.

Leverage industry associations. In some industries, trade associations or chambers of commerce offer joint NIS2 programs where several companies share consulting costs. Check with your industry association or local chamber of commerce.

Cost Planning Over 12 Months

A realistic budget plan distributes costs evenly across the year and avoids the mistake of trying to do everything at once. The following plan is designed for a company with 50 to 150 employees and a budget of EUR 15,000 to 25,000.

Quarter 1: Laying the Foundation (Budget: EUR 3,000-5,000)

Measure | Effort | Costs
Gap analysis (external, 1-2 days) | 2 days | EUR 1,500-3,000
Create asset inventory | 3-5 days (internal) | EUR 0 (personnel costs)
Enable MFA for all critical systems | 2-3 days (internal) | EUR 0-500
Create and distribute password policy | 1 day (internal) | EUR 0
Backup check and first restore test | 1 day (internal) | EUR 0
Formally appoint CISO | 1 hour | EUR 0

By the end of Quarter 1, you know where you stand, have implemented the most important quick wins, and have appointed a CISO. These are solid foundations to build on.

Quarter 2: Risks and Processes (Budget: EUR 5,000-8,000)

Measure | Effort | Costs
Set up risk assessment methodology with consultant | 2-3 days (external) | EUR 2,000-4,000
Conduct risk assessment for critical assets | 5-8 days (internal) | EUR 0 (personnel costs)
Document incident response process | 2-3 days (internal) | EUR 0
Create information security policy | 1-2 days (internal) | EUR 0
Conduct first awareness training | 0.5 days (internal) | EUR 0
Introduce ISMS tool (optional) | 2-3 days (internal) | EUR 2,000-4,000/year

Quarter 2 is the most intellectually demanding phase because the risk assessment requires substantive work that can't simply be checked off a list. The investment in external support for the methodology pays off here because you can then continue and update the risk assessment yourself. An ISMS tool like ISMS Lite comes with a built-in risk assessment methodology (a 5x5 matrix and a risk treatment plan) and costs EUR 500 per year, which fits easily into even a limited NIS2 budget.
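To make the "5x5 matrix and risk treatment plan" concrete, and to show how the asset inventory from the previous section feeds it, here is an added example in code; it is not the article's or ISMS Lite's methodology, but a generic one of the same shape. Each risk is scored as likelihood x impact on a 1-5 scale, mapped to a rating band, and compared against a risk appetite; a planned control is scored again as residual risk, and the treatment decision follows from whether the residual risk lands within appetite. The rating bands, the appetite threshold of 10, the inventory columns (the ones the article lists) and all asset and risk entries are constructed assumptions.

```python
import csv
import io

# Constructed asset inventory using the columns the article suggests
# (system name, owner, criticality, location, key dependencies).
ASSET_CSV = """system,owner,criticality,location,dependencies
erp-db,IT,high,datacenter-1,fileserver;ad
fileserver,IT,high,datacenter-1,ad
intranet-wiki,Marketing,low,cloud,
"""

# Assumed methodology: score = likelihood x impact (1..5 each), banded by score.
RATING_BANDS = [(5, "low"), (10, "medium"), (16, "high"), (25, "critical")]
RISK_APPETITE = 10   # assumption: scores above this must be treated, not accepted


def load_assets(text: str) -> dict:
    """Index the inventory by system name so risks can reference it."""
    return {row["system"]: row for row in csv.DictReader(io.StringIO(text))}


def score(likelihood: int, impact: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1..5")
    return likelihood * impact


def rating(s: int) -> str:
    for upper, label in RATING_BANDS:
        if s <= upper:
            return label
    raise ValueError(f"score {s} outside the 5x5 matrix")


def assess(risk: dict, assets: dict) -> dict:
    """Inherent score, planned control, residual score and treatment decision."""
    asset = assets[risk["asset"]]          # KeyError = risk refers to an unknown asset
    inherent = score(risk["likelihood"], risk["impact"])
    residual = score(risk["residual_likelihood"], risk["residual_impact"])
    if inherent <= RISK_APPETITE:
        treatment = "accept"
    elif residual <= RISK_APPETITE:
        treatment = "mitigate"
    else:
        treatment = "escalate: residual risk above appetite, management decision needed"
    return {
        "asset": risk["asset"], "owner": asset["owner"], "threat": risk["threat"],
        "inherent": inherent, "inherent_rating": rating(inherent),
        "control": risk["control"], "residual": residual,
        "residual_rating": rating(residual), "treatment": treatment,
    }


# Constructed risk register entries.
RISKS = [
    {"asset": "erp-db", "threat": "ransomware encrypts database and online backups",
     "likelihood": 4, "impact": 5,
     "control": "immutable offline backups and MFA on admin access",
     "residual_likelihood": 2, "residual_impact": 3},
    {"asset": "intranet-wiki", "threat": "defacement of internal pages",
     "likelihood": 2, "impact": 1, "control": "none planned",
     "residual_likelihood": 2, "residual_impact": 1},
    {"asset": "fileserver", "threat": "credential theft via phishing",
     "likelihood": 5, "impact": 4, "control": "awareness training only",
     "residual_likelihood": 4, "residual_impact": 4},
]


def risk_treatment_plan(risks=RISKS, inventory=ASSET_CSV) -> list:
    """Assessed risks, highest inherent score first: the order to work through."""
    assets = load_assets(inventory)
    return sorted((assess(r, assets) for r in risks),
                  key=lambda e: e["inherent"], reverse=True)


if __name__ == "__main__":
    for e in risk_treatment_plan():
        print(f"{e['asset']:<14} {e['inherent']:>2} {e['inherent_rating']:<8} "
              f"-> {e['residual']:>2} {e['residual_rating']:<8} {e['treatment']}")
```

The third entry is the case auditors look for: a critical risk whose only planned control leaves it above appetite. The methodology does not let it be silently "mitigated"; it forces a documented management decision, which is the traceability the article's "What You Absolutely Must Not Skip" section describes.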

Quarter 3: Technical Hardening and Supply Chain (Budget: EUR 4,000-7,000)

Measure | Effort | Costs
Define and implement patch management process | 3-5 days (internal) | EUR 0
Implement encryption policy | 2-3 days (internal) | EUR 0-2,000 (potential licenses)
Conduct supplier assessments | 3-5 days (internal) | EUR 0
Review/update contracts with IT service providers | 2-3 days (internal) | EUR 0-2,000 (potential legal fees)
Review and improve network segmentation | 3-5 days (internal) | EUR 0-3,000 (potential hardware)
Second awareness training | 0.5 days (internal) | EUR 0

In Quarter 3, the focus is on technical implementation and the supply chain. Many of these measures cost little or nothing but require time and expertise from your IT team.

Quarter 4: Review and Improve (Budget: EUR 3,000-5,000)

Measure | Effort | Costs
Internal audit (externally supported) | 2-3 days (external) | EUR 2,000-4,000
Conduct management review | 0.5 days (internal) | EUR 0
Implement corrective actions from internal audit | 3-5 days (internal) | EUR 0
Create business continuity plan | 2-3 days (internal) | EUR 0
Test BC plan (tabletop exercise) | 0.5 days (internal) | EUR 0
Finalize documentation | 2-3 days (internal) | EUR 0

By the end of Quarter 4, you have a functioning ISMS that covers the essential NIS2 requirements. It's not perfect, but it's demonstrable and systematic. That's exactly what the legislator expects.

Total Overview: 12-Month Budget

Category | Minimum | Maximum
External consulting (gap analysis, risk, audit) | EUR 5,500 | EUR 11,000
Tools and software | EUR 2,000 | EUR 4,000
Technical measures | EUR 0 | EUR 7,000
Training (external, optional) | EUR 0 | EUR 2,000
Legal consulting (optional) | EUR 0 | EUR 2,000
Total | EUR 7,500 | EUR 26,000

Internal personnel effort is additional: plan for 40 to 60 person-days distributed over the year, primarily falling on the CISO and the IT team.

Funding Opportunities You Should Know About

There are a number of funding programs that financially support SMEs in improving their IT security. The funding landscape varies regionally and changes regularly, but some programs are particularly relevant:

Federal Funding

BAFA: Support for entrepreneurial know-how. The Federal Office of Economics and Export Control funds consulting services for SMEs at up to 50% of consulting costs (maximum EUR 1,750 for companies that have existed for more than two years). The program also covers IT security consulting.

Digital Jetzt (BMWK). This investment funding program supports SMEs in digitalization, including IT security. It funds hardware and software investments as well as qualification measures. The funding amount is up to EUR 50,000 at a funding rate of 30-50%, depending on company size. Check regularly whether funding windows are open, as funds are limited.

State Funding

Most German federal states have their own funding programs for digitalization and IT security. Some examples:

  • Bavaria: Digitalbonus (up to EUR 50,000, 50% funding rate)
  • Baden-Württemberg: Digitalisierungsprämie (up to EUR 10,000)
  • NRW: MID-Digitalisierung (up to EUR 15,000, 30-50% funding rate)
  • Lower Saxony: Digitalbonus.Niedersachsen (up to EUR 10,000)

The specific programs, funding rates, and application deadlines change regularly. Check current terms on the websites of the respective state development banks or economic ministries.

Chambers of Commerce and Industry Associations

Some chambers of commerce offer free or discounted initial consultations on IT security. Industry associations sometimes provide templates, guides, and webinars that reduce consulting needs. The BSI's Alliance for Cybersecurity also offers free resources, guides, and events.

Important for All Funding

Application before project start. For nearly all funding programs: the application must be submitted and approved before you begin the funded project. If you book the consultant first and then submit the funding application, you'll come away empty-handed. Therefore, plan four to eight weeks of lead time for the application.

De minimis regulation. State aid for companies is limited to EUR 300,000 within three years (de minimis regulation). If you've already received other funding, this may limit eligibility.

Keep documentation. Funding bodies review the proper use of funds. Keep all invoices, contracts, and evidence carefully.

What You Absolutely Must Not Skip

With a limited budget, the temptation is great to cut measures that aren't immediately technically effective. This can be expensive, because NIS2 auditors pay particular attention to certain elements:

Documentation of the risk assessment. You can have the best IT security in the world, but if you haven't documented how you arrived at your measures — which risks you identified and how you assessed them — traceability is missing. An auditor wants to see the logic: risk identified, assessed, measure defined, implemented, reviewed.

Incident response capability. The 24-hour reporting deadline for significant security incidents is not an optional recommendation. If you discover a ransomware attack on Friday evening and haven't filed a report with the BSI by Saturday afternoon, you're in violation of the law. The incident response process must work — not just on paper.

Management involvement. NIS2 makes management personally responsible for cybersecurity. This also means: management must be demonstrably involved. A management review attended by senior management, a documented management decision on risk appetite, management training. These elements cost almost nothing but are essential for compliance.

Evidence of measures. It's not enough to introduce MFA. You must be able to prove that MFA is activated for all relevant systems. It's not enough to conduct a training session. You need attendance lists and content overviews. Documenting measures isn't bureaucracy — it's your shield during an audit.
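"Prove that MFA is activated for all relevant systems" is a report, not a screenshot, and it can be produced from a user export of your identity provider. The script below is an added example (not from the article) that does this for the first-wave systems named in the MFA section (email, VPN, cloud storage, admin accounts): it reads a constructed directory export, excludes non-interactive service accounts, lists every human account without MFA that can reach a critical system, and ranks admin accounts first. The export columns, the system labels and the priority scheme are assumptions; a real export will need its column names mapped.

```python
import csv
import io

# Constructed directory export; a real one comes from the IdP or tenant admin centre.
USER_EXPORT = """user,role,mfa_enabled,last_login,systems
alice@example.com,admin,yes,2025-03-01,m365;vpn;cloud-storage
bob@example.com,user,no,2025-03-02,m365;vpn
carol@example.com,user,yes,2024-06-01,m365
svc-backup,service,no,2025-03-03,fileserver
dave@example.com,admin,no,2025-03-03,m365;admin-portal
"""

# First-wave systems from the article's MFA section; "admin-portal" is an assumed label.
CRITICAL_SYSTEMS = {"m365", "vpn", "cloud-storage", "admin-portal"}


def mfa_coverage(export_text: str) -> dict:
    """Coverage figures plus the list of gaps, admin accounts first."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Service accounts have no interactive login and are governed separately,
    # so they must not inflate or deflate the MFA coverage figure.
    humans = [r for r in rows if r["role"] != "service"]
    gaps = []
    for r in humans:
        exposed = set(r["systems"].split(";")) & CRITICAL_SYSTEMS
        if r["mfa_enabled"].strip().lower() != "yes" and exposed:
            gaps.append({"user": r["user"], "role": r["role"],
                         "systems": sorted(exposed),
                         "priority": "P1" if r["role"] == "admin" else "P2"})
    covered = sum(1 for r in humans if r["mfa_enabled"].strip().lower() == "yes")
    return {
        "in_scope": len(humans),
        "covered": covered,
        "coverage_pct": round(100 * covered / len(humans), 1) if humans else 0.0,
        "gaps": sorted(gaps, key=lambda g: (g["priority"], g["user"])),
    }


if __name__ == "__main__":
    report = mfa_coverage(USER_EXPORT)
    print(f"MFA coverage: {report['covered']}/{report['in_scope']} "
          f"({report['coverage_pct']}%)")
    for g in report["gaps"]:
        print(f"  {g['priority']} {g['user']} ({g['role']}): {', '.join(g['systems'])}")
```

Run monthly and filed with the date, the output is both the evidence an auditor asks for and a work list: the P1 line (an admin without MFA) is the kind of gap that should be closed the same day.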

Common Mistakes in Budget-Constrained NIS2 Implementation

Some mistakes appear time and again at companies trying to implement NIS2 on a limited budget:

Trying to do everything at once. The attempt to tackle all ten minimum measures simultaneously leads to overload and half-finished results. Better: clear prioritization with quarterly milestones. NIS2 requires proportionate measures, and a traceable implementation plan shows you're taking the topic seriously and approaching it systematically.

Only technology, no processes. You can invest EUR 20,000 in security tools, but if you have no incident response process, no risk assessment, and no policies, you're still not NIS2-compliant. NIS2 takes a management system approach, not a product catalog approach. Processes and documentation are at least as important as technical measures.

Too much consulting for the wrong thing. If you have a consultant spend five days writing a password policy, you've spent EUR 5,000 on something you could have done yourself in three hours. Use external consulting where you get real value: methodology, strategy, auditing. You can handle operational implementation yourself.

Not using funding. Money is sitting on the table that many companies don't claim. The application process is often simpler than expected, and funding rates of 30-50% significantly reduce consulting costs. The effort for a funding application is a few hours; the financial benefit can be several thousand euros.

No internal driver. NIS2 implementation doesn't work as a side project. Someone must own the topic, drive it forward, and keep all the threads together. If nobody has dedicated time for it, the project stalls after the initial enthusiasm. Even if it's only 20% of working time: a formally appointed CISO with a clear mandate is indispensable.

Open-Source and Affordable Alternatives

You don't need an expensive enterprise tool for every NIS2 requirement. For many areas, there are free or affordable alternatives that are perfectly adequate for SMEs:

Documentation and policies: A wiki (Confluence, BookStack, DokuWiki) or structured SharePoint is sufficient for a start. The main thing is that documents are versioned and accessible to the right people.

Risk management: A well-structured Excel spreadsheet can represent a risk assessment. It's not as elegant as a dedicated GRC tool, but it works and costs nothing. If you want more, there are open-source alternatives like Eramba Community Edition.

Vulnerability management: OpenVAS (now Greenbone Community Edition) is a free vulnerability scanner that's adequate for SMEs. It partially covers the area of "security in acquisition, development, and maintenance."

Monitoring and logging: Graylog, Wazuh, or the ELK Stack (Elasticsearch, Logstash, Kibana) are open-source SIEM solutions that can work for an SME with manageable infrastructure. The effort for setup and operations should not be underestimated, however.

Training resources: BSI, the Alliance for Cybersecurity, and ENISA provide free training materials, guides, and webinars that you can use for internal training.

After 12 Months: What Comes Next

After the first year, you have a functioning ISMS that covers the essential NIS2 requirements. That's a major step, but not an endpoint. Continuous improvement is not an empty phrase but a legal requirement: NIS2 expects you to continuously maintain your security level and adapt to changing threats.

In the second year, priorities shift:

Update the risk assessment. The threat landscape changes, your IT landscape evolves, new business processes emerge. The risk assessment must be updated at least annually.

Verify effectiveness. Now that all measures are implemented, you can systematically check whether they work. Penetration tests, phishing simulations, restore tests, permission reviews. These cost money but are the proof that your ISMS is alive.

Consider certification. If your ISMS is running stably and customers increasingly demand formal evidence, an ISO 27001 certification can be the logical next step. You've already done the bulk of the preparatory work, and the additional effort for certification is manageable.

Consolidate the budget. Ongoing costs for ISMS maintenance are significantly lower than the initial setup effort. Plan for EUR 5,000 to 10,000 per year for tools, training, and occasional external support, plus internal personnel effort for the CISO.

NIS2 compliance on a limited budget is not a contradiction. It requires clear priorities, pragmatic decisions, and the willingness to handle much of it yourself. The result is not just a checkbox behind a regulatory requirement but an organization that has actually improved its information security. And that is ultimately worth more than any budget.
