NIS2: What mid-sized businesses need to do right now
Key Takeaways
- NIS2 applies to organisations with 50+ employees or €10M+ annual turnover in covered sectors including energy, transport, healthcare, digital infrastructure, and manufacturing
- Suppliers and service providers to NIS2-obligated companies should expect security requirements to be passed through contractually — indirect exposure is common
- Management bears personal responsibility for NIS2 implementation — delegating it entirely to the IT department is legally insufficient under the directive
- Significant security incidents must be reported within 24 hours (early warning), with a full notification within 72 hours — meeting these deadlines requires a pre-defined incident classification and escalation process
- Fines for essential entities reach up to €10 million or 2% of global annual turnover, with management personnel potentially held personally liable
With the NIS2 directive, the European Union has fundamentally expanded the framework for cybersecurity requirements. What previously applied mainly to operators of critical infrastructure now affects a considerably larger circle of organisations — including many mid-sized businesses that have not previously considered themselves subject to regulation.
Who does NIS2 affect?
The directive distinguishes between two categories: essential entities and important entities. The determining factors are sector, company size, and societal significance.
Companies with 50 or more employees or at least €10 million in annual turnover that operate in one of the covered sectors will generally fall within scope. Affected sectors include energy, transport, healthcare, digital infrastructure, manufacturing, and ICT service providers.
Even if your organisation is not directly subject to NIS2, it may still be relevant: companies that supply or provide services to NIS2-obligated businesses should expect those security requirements to be passed down contractually.
What NIS2 requires in practice
The directive’s requirements fall into four core areas:
Risk management and governance
Organisations must establish appropriate risk management for cybersecurity. This means: systematic risk identification, documented security policies, and clear accountability at leadership level. Under NIS2, management bears personal responsibility for implementation — delegating this entirely to the IT department is not sufficient.
Technical and organisational security measures
Specific measures are expected in the following areas: access control and identity management, network security, encryption of sensitive data, structured vulnerability management, and supply chain security. The expectation is not perfection, but a demonstrable, systematic approach.
Incident reporting obligations
Significant security incidents must be reported within 24 hours — initially as an early warning, followed by a full notification within 72 hours. What constitutes a significant incident is defined in law and includes events that could affect the services, data, or systems of other companies or individuals.
Business continuity
Organisations must ensure they can continue to operate following a security incident. This includes backup concepts, recovery procedures, and crisis management plans. Regular testing of these plans is expected.
What happens if you do not comply?
NIS2 provides for substantial fines: for essential entities, up to €10 million or 2% of global annual turnover; for important entities, up to €7 million or 1.4% of turnover. In addition, national authorities have supervisory and audit powers, and management personnel may be held personally liable.
A pragmatic approach for mid-sized businesses
Many mid-sized companies face the challenge that they do not have the resources internally to run a comprehensive compliance programme. The critical first step is an honest stocktake: what is already in place? Where are the biggest gaps? Which measures offer the best return on effort?
Full NIS2 compliance cannot be achieved overnight. A structured roadmap that sets priorities and implements measures step by step is more effective in practice than trying to address everything simultaneously.
Our advisory approach begins with a gap analysis against NIS2 requirements, followed by clear prioritisation based on risk and practicality. We help you integrate security measures into your existing operations — without unnecessary bureaucracy, but with the documentation needed to demonstrate compliance.
If you would like to understand whether and to what extent your organisation is affected by NIS2, contact us to discuss.
Frequently Asked Questions
How do I determine whether my organisation falls under NIS2?
Two criteria matter: sector and size. If your organisation operates in one of the covered sectors and has at least 50 employees or €10 million in annual turnover, it is very likely in scope. The relevant national authority (in Germany, the BSI) provides guidance materials — but a formal determination should be legally validated, as the consequences of wrongly assuming you are out of scope are significant.
What does personal management liability under NIS2 actually mean?
NIS2 requires management bodies to approve cybersecurity risk management measures, oversee their implementation, and complete cybersecurity training regularly. Management personnel can be held personally liable for violations. Delegating compliance entirely to IT without executive oversight and formal approval processes is not sufficient under the directive.
Do we need to report every security incident under NIS2?
No, only significant incidents — defined as those that have caused or could cause severe operational disruption, or that affect other organisations or individuals. Reports are submitted in two stages: an early warning within 24 hours and a full notification within 72 hours. A pre-defined incident classification and escalation process is a prerequisite for meeting these deadlines.
What supply chain security does NIS2 require?
NIS2 explicitly requires organisations to address supply chain security as part of their technical and organisational measures. This includes assessing risks from third-party providers, implementing contractual security requirements with critical suppliers, and monitoring the security posture of key dependencies. ISO 27001-style vendor risk management is a good starting point but typically needs to be formalised further.