NIS2 explained in detail for small and medium-sized enterprises
Wake-up call for information security, risk management, and resilience in the European regulatory framework
The NIS2 Directive will affect around 29,500 entities in Germany from 2026, including many SMEs. In future, management will bear personal responsibility for information security, risk management, and business continuity. Fines can reach €10 million or 2 percent of global annual turnover for particularly important entities (€7 million or 1.4 percent for important entities).
Core obligations include the introduction of an ISMS (e.g., based on ISO 27001 or VdS 10000), systematically anchoring risk management and business continuity, and meeting the staged incident reporting deadlines (early warning within 24 hours, incident notification within 72 hours, final report within one month). In addition, companies must take into account overlaps with the GDPR, the Supply Chain Due Diligence Act, and the Cyber Resilience Act.
Conclusion: NIS2 is not purely an IT issue, but a matter for top management. Acting early strengthens security, resilience, and trust in the supply chain.
Cybersecurity is no longer a specialized topic for IT departments; it has become a core factor in economic stability and supply chain security. With the European NIS2 Directive, which member states should have transposed into national law by 17 October 2024, the EU is significantly tightening the framework. Germany missed the deadline, but with the government draft of July 2025 (status: first reading in the Bundestag on September 11, 2025) it is clear that around 29,500 entities will soon fall within the scope of the directive, many of them medium-sized companies that have not previously had to deal with information security and business continuity to this extent. The figure of around 29,500 entities is based on a forecast by the BMI in the draft bill (as of June 2025). It covers both particularly important and important entities in accordance with Art. 2 and Annexes I and II of the NIS2 Directive and § 2 of the Act Implementing the NIS2 Directive (NIS2UmsuCG-E).
For managing directors in small and medium-sized enterprises, this means that they are at the center of developments. This is because NIS2 clearly shifts responsibility to the top management level. As a result, information security can no longer be dismissed as purely an “IT issue,” but is now also a regulatory part of overall corporate responsibility – similar to accounting, occupational safety, or data protection.
The political framework in Germany
The current government draft distinguishes three categories: operators of critical infrastructures (KRITIS), particularly important entities, and important entities.
- Critical infrastructures are operators in sectors such as energy, health, water, or transport that have been the focus of regulation for years.
- Particularly important entities include larger industrial companies, banks, and manufacturers of security-related products.
- Important entities extend to small and medium-sized enterprises, including IT service providers, data centers, mechanical engineering companies, and parts of the retail sector.
All categories share the same minimum requirements for information security, risk management, and emergency preparedness; they differ in how they are supervised. Particularly important entities are subject to continuous (ex ante) supervision under Section 31 NIS2UmsuCG-E, including audits, orders, and fine proceedings. Important entities are supervised by the BSI only ex post, i.e. where there are indications of non-compliance. Fines reach up to ten million euros or two percent of global annual turnover for particularly important entities; lower ceilings apply to important entities.
This creates new pressure to secure structures not only technically but also organizationally. The government draft provides for a very short transition period of only six months after promulgation, which is expected in the first quarter of 2026. After that, the German law applies in full.
FAQ on NIS2
- Who is affected? In Germany, approximately 29,500 entities are covered, from critical infrastructures down to small and medium-sized enterprises.
- How do I know if my company is affected? The BSI provides an online self-assessment tool. The final scoping and legal assessment, however, remain the company's own responsibility, ideally carried out with external expertise.
- What obligations do companies have? Risk management, information security, business continuity (BCMS), incident reporting, and supply chain security.
- How high are the fines? Up to ten million euros or 2 percent of global annual turnover for particularly important entities; up to seven million euros or 1.4 percent for important entities (whichever amount is higher in each case).
- What distinguishes NIS2 from the GDPR? The GDPR protects personal data. NIS2 addresses the security of network and information systems as a whole, regardless of whether personal data is involved.
- What role does management play? Company management bears overall responsibility and can be held liable internally for violations.
- Which standards help in practice? VdS 10000, VdS 10010, ISO 27001, ISO 22301, and BSI IT-Grundschutz (BSI Standards 200-1 to 200-4).
Information security as a basis
NIS2 requires companies to organize their information security in a structured manner. In practice, ISO 27001 has become the common reference. This internationally recognized standard specifies an information security management system (ISMS) with which companies identify risks, implement protective measures, and continuously improve.
For the automotive industry, TISAX®/VDA ISA is an industry-specific assessment model based on ISO 27001. This shows that standardization creates not only security but also trust along supply chains. Companies that implement ISO 27001 or TISAX® benefit regardless of NIS2: they increase their resilience and demonstrate their professionalism to customers and partners.
Risk management as strategic radar
Risk management is one of the core responsibilities of managing directors under the national NIS2 implementing legislation. Companies must systematically identify, assess, and treat risks. Established methods already exist, such as ISO 31000, ISO 27005, or, in the financial sector, MaRisk. The German Federal Office for Information Security (BSI) has published BSI Standard 200-3, which is devoted to risk analysis.
The relevant provision of the directive is Art. 21 (2) (a), which names policies on risk analysis and information system security as a core requirement. Section 30 (1) No. 3 NIS2UmsuCG-E obliges companies to introduce and document procedures for risk analysis and risk treatment, tailored to the criticality of the entity. The natural place to integrate this is the ISMS, especially if it is structured in accordance with ISO 27001.
Experience shows that risk management only becomes effective when it goes beyond IT. Supply chains, external service providers, and organizational weaknesses are just as important to monitor as classic cyberattacks. In this sense, risk management is a strategic management tool, not just a compliance obligation.
Business continuity management: remaining capable of acting in an emergency
Prevention alone is not enough. Art. 21 (2) of the directive explicitly requires incident handling (lit. b) and business continuity, such as backup management, disaster recovery, and crisis management (lit. c). The term “business continuity management system” does not appear in the directive, but the obligation to keep services running makes establishing a BCMS both sensible and, in practice, necessary. Companies must be prepared to continue operating in an emergency, for example after a cyberattack, a power outage, or a supply chain disruption.
Standards such as ISO 22301 and BSI Standard 200-4 have become established in practice. They help to carry out business impact analyses, define recovery times, and test emergency plans. Companies that regularly conduct crisis exercises report a noticeable gain in clarity and resilience.
Section 33 NIS2UmsuCG-E (implementing Art. 23 of the directive) introduces a three-stage reporting requirement for significant incidents: an early warning to the BSI within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
Compliance in interaction – the governance mosaic
NIS2 does not stand alone, but complements a whole series of overlapping regimes:
- GDPR and BDSG: Protection of personal data. Many incidents are relevant under both regimes, which means double reporting obligations: a personal data breach must be notified to the data protection authority within 72 hours under Art. 33 GDPR, in addition to the NIS2 early warning to the BSI within 24 hours.
- KRITIS umbrella law (CER Directive): Physical resilience of critical infrastructures. In the future, operators will have to consider digital and physical resilience together.
- DORA and MaRisk: In the financial sector, these regimes supplement NIS2 with detailed requirements for ICT risk management, emergency concepts, and stress tests.
- AI Regulation (AI Act): High-risk AI systems require their own risk management and documentation. In practice, these systems must be integrated into the ISMS.
- Cyber Resilience Act: Requires hardware and software manufacturers to comply with security standards. Companies must check whether components in the supply chain meet these standards.
- Supply Chain Due Diligence Act (LkSG): Addresses human rights and the environment – and increasingly also digital transparency in supply chains. Section 30 (1) No. 8 NIS2UmsuCG-E explicitly mentions dependencies on third parties. Companies must review their supply chain with regard to cybersecurity and hedge risks posed by service providers.
- Market Abuse Regulation (MAR): Price-sensitive cyber incidents can trigger ad hoc disclosure requirements in addition to NIS2 reporting obligations.
- German Corporate Governance Code: Emphasizes the role of risk and compliance management – with NIS2, information security becomes part of this governance structure.
This creates a dense network that seems confusing to many managing directors. The key point is that these obligations do not overlap by chance, but are intertwined. Those who take an integrated approach to information security, data protection, BCMS, and supply chain management reduce duplication of work and strengthen trust in their own company.
UWG and warnings: Market and NIS2 in interaction
A common question among small and medium-sized businesses is: Can competitors issue warnings for NIS2 violations? Legally, this is discussed in the Law Against Unfair Competition (UWG). Section 3a UWG stipulates that a violation of laws governing market behavior may be unfair. In the case of the GDPR, this was affirmed in part, and warnings are possible there.
The case is different with NIS2. Most obligations relate to internal organization and are supervised by the BSI. They are therefore public-law organizational duties rather than rules of market conduct, so warnings from competitors are currently unlikely.
There is one exception: a company that advertises “NIS2 compliance” without meeting the requirements can be challenged, because this constitutes deception in competition under Section 5 UWG. The dividing line that has emerged in practice is that technical and organizational security is a matter for the supervisory authority, while statements made on the market are measured against the UWG. Claiming NIS2 compliance without documented evidence of a structured ISMS and BCMS is therefore potentially misleading under Section 5 UWG, especially towards customers or in tenders.
The debate in legal literature should be followed closely. Ultimately, clarification by the highest court is still pending.
Artificial intelligence in the NIS2 context
The regulation of artificial intelligence (AI) by the new AI Act shows how much the fields overlap. Companies that use AI systems must not only keep an eye on their functionality, but also on their security.
NIS2 requires that all systems relevant to operations be protected. If AI is used in supply chain decisions, production processes, or data analysis, the associated risks therefore belong in risk management. In practice, companies are best served by integrating their AI systems into the existing information security management system (ISMS), so that technical, organizational, and regulatory risks are assessed together, whether the system is high-risk AI under the AI Act or an everyday application such as a chatbot. This avoids parallel structures and yields a consistent governance system.
Even everyday AI applications such as chatbots or decision-support systems fall under the protection obligations of NIS2 if they are relevant to the availability, integrity, or confidentiality of operational processes.
NIS2 in small and medium-sized enterprises: the role of management
A key feature of NIS2 is the explicit anchoring of responsibility at the highest management level. Managing directors and board members can no longer “delegate” cybersecurity to IT. The legislator makes it clear: Company management is personally responsible for information security, risk management, and business continuity.
Section 30 (3) NIS2UmsuCG-E explicitly obliges management and board members to monitor the implementation and effectiveness of information security measures. Personal responsibility is thus enshrined in law.
This line is already in line with existing company law. Section 43 GmbHG and Section 93 AktG require members of executive bodies to exercise the “due care of a prudent manager.” This gives rise to the principle of overall responsibility: management is responsible for all matters, including organization and security.
The “Neubürger ruling” of the Munich I Regional Court (December 10, 2013, Ref. 5 HK O 1387/10) is of particular significance here. In this case, a former member of the Siemens board of directors was ordered to pay damages internally because compliance management was inadequately organized. The message: management and C-level executives are obliged to create structures that prevent violations of the law. If they neglect to do so, management is liable—not to third parties, but to their own company.
NIS2 reinforces this line by explicitly naming personal responsibility for cybersecurity. This makes it clear that information security is not just a matter of technology, but part of modern corporate governance.
5 things you should do now:
- Clarify how you are affected. Use the BSI self-assessment tool and have your classification legally reviewed; many companies are affected without knowing it.
- Establish an information security management system (ISMS). Rely on ISO 27001 or VdS 10000, depending on your level of maturity. Without an ISMS, you are neither audit-ready nor sustainably protected.
- Integrate risk management and business continuity. Ensure that risks are recorded in a structured manner and emergency measures are documented, ideally in accordance with ISO 22301 or BSI 200-4.
- Anchor responsibility at the management level. Cybersecurity is a matter for top management; create structures that reduce your personal liability, e.g., governance documentation and effective monitoring.
- Prepare for audits, reporting requirements, and documentation obligations. Develop a reporting and notification concept that can deliver the early warning within 24 hours. Many companies underestimate this requirement.
Practical guidelines
In order to bring order to the multitude of requirements, various standards have become established in practice:
- VdS 10000 is a practical introduction for medium-sized companies. It maps an ISMS that follows the structure of ISO 27001 but can be implemented in a more resource-efficient manner. For many medium-sized companies, it is the way to systematically build up basic compliance with NIS2.
- VdS 10010 extends this approach to include data protection. This addresses the overlaps between NIS2 and GDPR in a management system – an advantage that provides noticeable relief in practice.
- BSI IT-Grundschutz is particularly well established in the public sector and among KRITIS operators. It offers a comprehensive modular system that integrates technical, organizational, and personnel measures. Those who apply BSI IT-Grundschutz already cover many NIS2 requirements, albeit with greater methodological effort. BSI Standard 200-4 (Business Continuity Management) is explicitly geared towards the NIS2 requirements for business continuity and can be used as a recognized method for implementation.
- ISO 27001 and ISO 22301 remain the internationally recognized frameworks for information security (ISO 27001) and business continuity management (ISO 22301).
In practice, the following has become established: Medium-sized companies often start with VdS, international players go straight for the ISO standards, and the public sector uses BSI IT-Grundschutz. Together, these standards form the foundation on which NIS2 compliance can be built. When selecting standards, companies should check what level of maturity already exists internally. An entry via VdS 10000 can be transferred to an extended ISMS according to ISO 27001. The BSI recommends IT-Grundschutz as a methodologically sound implementation aid for KRITIS-relevant processes.
Conclusion
NIS2 is more than just a new law. It marks the transition from fragmented compliance to an integrated understanding of security and resilience. For managing directors of small and medium-sized enterprises, this means that information security, risk management, and business continuity belong on the agenda of company management.
The multitude of parallel requirements – GDPR, KRITIS umbrella law, DORA, MaRisk, AI Regulation, Cyber Resilience Act, Supply Chain Act – makes the landscape complex. But this is precisely where the opportunity lies: those who establish standards early on not only gain security, but also efficiency and trust.
Practical experience has shown that companies that act now are not only prepared for NIS2. They strengthen their resilience, build trust with customers and partners, and position themselves as future-oriented market participants. NIS2 is therefore less of a burden than an opportunity – a wake-up call that SMEs should take seriously.
The current draft of the NIS2UmsuCG still offers companies a window of opportunity to prepare. The systematic development of an ISMS, the introduction of a BCMS, and integrated risk management are now strategically wise – also in view of the new requirements of the Cyber Resilience Act or the AI Act.