NIS2 compliance for SMBs: what you actually need to do now

NIS2 is already law in Germany. Learn whether it applies to your SMB, which security measures matter most, and how to achieve compliance without an IT team.


Key Takeaways

  • NIS2 has been binding law in Germany since December 6, 2025 with no transition period — yet only 16% of in-scope businesses are confident they've complied, and roughly 29,500 companies now fall under its requirements.

  • The two criteria that determine whether you're in scope are simple: 50+ employees or €10M+ annual turnover, operating in one of 18 covered sectors — a self-check that takes under two minutes.

  • The six NIS2 measures that matter most for SMBs without IT staff are risk management, MFA and access control, patch management, incident reporting, supply chain security, and backup and recovery — and most companies already have the tools, they just lack consistent enforcement.

  • NIS2 introduces personal liability for founders and managing directors — security decisions must be formally approved, documented, and overseen at leadership level, making it impossible to simply delegate the responsibility away.

  • For SMBs without a dedicated IT team, automation is the realistic path to compliance: platforms like deeploi enforce device encryption, patch management, access control, and offboarding automatically — turning compliance from a manual checklist into a byproduct of daily IT operations.

NIS2 became binding law in Germany on December 6, 2025. There was no transition period. Every requirement, from risk management to incident reporting to management liability, applied from day one (NISD2.eu). Roughly 29,500 companies in Germany now fall under these expanded cybersecurity obligations, up from around 4,500 previously regulated entities (Global Policy Watch). And yet, only 16% of businesses required to comply are confident they've actually done so (CyberSmart).

If you're a founder, HR manager, or office manager who's suddenly responsible for IT at a growing company, this article is your practical checklist. We won't walk you through the full legal text. Instead, we'll help you figure out whether NIS2 applies to you, which measures actually matter for your situation, and how to start making progress this quarter.

Does NIS2 actually apply to your company?

Before you do anything else, answer this question. NIS2 doesn't apply to every business. It targets companies that meet two criteria simultaneously: a size threshold and a sector threshold.

The size threshold is straightforward. Your company is in scope if it has 50 or more employees, or generates €10 million or more in annual turnover. Meet either condition, and you pass the size test.

The sector threshold is where it gets specific. NIS2 covers 18 sectors split across two annexes. Annex I ("highly critical") includes energy, transport, banking, healthcare, water supply, and digital infrastructure. Annex II ("other critical") covers postal services, waste management, food production, manufacturing, and digital providers like cloud services and online marketplaces.

Here's a quick self-assessment you can run in under two minutes:

  1. Does your company have 50+ employees or €10M+ annual turnover?
  2. Does your business operate in one of the 18 covered sectors?
  3. If yes to both: you're in scope.

One important caveat: some sectors bypass the size threshold entirely. If your company provides DNS services, trust services, or manages top-level domain registries, NIS2 applies regardless of headcount or revenue. When in doubt, consult the BSI's official guidance or a qualified legal advisor to confirm your status. For broader context on IT compliance frameworks, it helps to understand how NIS2 sits alongside other regulations your business may already follow.

What does NIS2 require you to do, concretely?

Article 21 of NIS2 lists eleven categories of security measures. Not all of them carry equal weight for an SMB without a dedicated security team. Here are the six that matter most for your situation, with a plain-language explanation of each.

Risk management and information security basics

NIS2 requires you to identify, analyse, and manage cybersecurity risks systematically. In practice, this means conducting a risk assessment of your IT environment, documenting the results, and reviewing them regularly. You don't need to build a formal ISMS (information security management system) from scratch, but you do need a written record of what risks you've identified and how you're addressing them. If you're exploring how to prepare your IT for ISO 27001, you'll find that much of that groundwork overlaps with NIS2 requirements.

Access control and multi-factor authentication

Every user account in your company needs appropriate access restrictions. NIS2 expects you to enforce the principle of least privilege (meaning people only get access to what they need for their role) and implement multi-factor authentication, often called MFA, on critical systems. Among SMBs with 26 to 100 employees, only 34% have implemented MFA, even though enabling it blocks over 99.9% of account compromise attacks (CIT Solutions). This is one of the highest-impact, lowest-effort controls you can deploy.

Patch management

Keeping software up to date isn't optional under NIS2. You're required to have a process for identifying and applying security patches promptly. For most SMBs, the challenge isn't knowing that patches matter; it's consistently enforcing updates across every device, especially when employees work remotely. A solid IT security strategy treats automated patching as a non-negotiable baseline.

Incident detection and 24-hour reporting

NIS2 introduces tiered incident reporting obligations. When a "significant" security incident occurs (one that causes serious operational disruption or affects other organisations), you must notify the BSI within 24 hours with an initial alert. A more detailed report follows within 72 hours, and a final report is due within one month. This means you need the ability to detect incidents in the first place, which requires monitoring and logging on your critical systems.

Supply chain security

You're responsible for evaluating the cybersecurity posture of your suppliers and service providers. Third-party and supply chain risk has doubled to 30% of all breaches according to recent data (StationX). In practice, this means reviewing vendor contracts for security commitments, ensuring data processing agreements are in place, and maintaining a register of critical suppliers.

Backup and recovery

NIS2 requires business continuity planning, including tested backup and disaster recovery processes. You need to know how quickly you can restore operations after an incident. For SMBs, this typically means automated backups of critical data, stored in a separate location, with a documented recovery procedure that someone has actually tested.

Why management accountability changes everything

Here's where NIS2 diverges sharply from most compliance frameworks. It makes leadership personally liable for cybersecurity failures. Founders and managing directors cannot delegate this accountability away. Non-compliance can trigger fines of up to €10 million, or for larger organisations classified as "very important," up to 2% of annual global turnover, with management personally on the hook (Reed Smith).

What does this mean in practice? Management must formally approve security measures, oversee their implementation, and complete regular cybersecurity training. Decisions about patch management schedules, backup strategies, and incident response plans belong in board minutes. If your company experiences a breach and the BSI finds that leadership didn't actively engage with security governance, that's a compliance failure on top of the security failure.

This personal liability clause is designed to prevent exactly the dynamic that's common in SMBs: security decisions getting deferred because "someone else" is handling IT. Under NIS2, someone specific must own this, and their name is on the company register. Understanding the broader cybersecurity landscape for small businesses will help you appreciate why regulators felt this step was necessary.

How do you enforce IT policies without a dedicated IT team?

Most SMBs in NIS2's scope don't have a CISO or even a dedicated IT administrator. The founder handles IT alongside everything else, or maybe the office manager who's good with technology ends up responsible. This is a common reality, and NIS2 doesn't make an exception for it.

Building a baseline: MFA, device encryption, access control, offboarding

The good news is that many SMBs already use some of the right tools. You probably have Google Workspace or Microsoft 365. Your laptops might already have encryption enabled. The problem isn't usually missing tools; it's inconsistent enforcement.

Consider these common gaps:

  • MFA is available in your email platform but hasn't been enforced for every user
  • Device encryption is turned on for some laptops but not all, and nobody checks
  • Former employees still have active accounts weeks after leaving
  • Software updates install when employees feel like clicking "remind me later"

Each of these gaps represents a NIS2 compliance failure. The directive doesn't ask whether you have the capability to enforce MFA; it asks whether MFA is consistently applied. Proper IT security essentials against modern threats start with closing exactly these enforcement gaps. And making sure IT security measures are consistently applied across your organisation is what separates a policy from a practice.
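To make "consistently applied" checkable rather than assumed, the four gaps above can be audited mechanically from the user and device inventory most SMBs can already export. The script below is an added example, not deeploi's code or anything from the directive; it assumes a constructed inventory shaped like a directory/MDM export and a 30-day patch-age threshold, both of which are assumptions and not values the page states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class User:
    email: str
    active: bool
    mfa_enforced: bool
    left_on: Optional[date] = None  # None while still employed

@dataclass
class Device:
    hostname: str
    owner: str
    disk_encrypted: bool
    last_patched: date

# Constructed sample inventory (not real data), seeded with one of each gap.
USERS = [
    User("anna@example.com", True, True),
    User("ben@example.com", True, False),                              # MFA never enforced
    User("carla@example.com", True, True, left_on=date(2026, 3, 2)),  # left, still active
    User("dirk@example.com", False, False, left_on=date(2026, 1, 15)), # correctly deactivated
]
DEVICES = [
    Device("lt-anna", "anna@example.com", True, date(2026, 3, 20)),
    Device("lt-ben", "ben@example.com", False, date(2026, 3, 21)),     # unencrypted
    Device("lt-carla", "carla@example.com", True, date(2026, 1, 10)),  # patching stale
]

PATCH_MAX_AGE = timedelta(days=30)  # assumed internal policy threshold

def find_gaps(users, devices, today):
    """Return the four enforcement gaps as lists of identifiers; empty lists mean no gap."""
    gaps = {"mfa_not_enforced": [], "leaver_still_active": [],
            "unencrypted_device": [], "patching_stale": []}
    for u in users:
        if u.active and not u.mfa_enforced:
            gaps["mfa_not_enforced"].append(u.email)
        if u.active and u.left_on is not None and u.left_on <= today:
            gaps["leaver_still_active"].append(u.email)   # offboarding not completed
    for d in devices:
        if not d.disk_encrypted:
            gaps["unencrypted_device"].append(d.hostname)
        if today - d.last_patched > PATCH_MAX_AGE:
            gaps["patching_stale"].append(d.hostname)
    return gaps

def is_compliant(gaps):
    return not any(gaps.values())

def audit_sample():
    """Run the audit over the constructed inventory as of a fixed date."""
    return find_gaps(USERS, DEVICES, date(2026, 3, 25))

if __name__ == "__main__":
    for name, ids in audit_sample().items():
        print(f"{name}: {ids or 'none'}")
```

Run regularly (for example weekly) against a fresh export, the non-empty lists are the evidence that enforcement slipped, and the empty run is the record you can show a BSI inquiry.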

Using software to manage and enforce IT policies automatically

For a company with 50 to 200 employees and no IT department, the realistic path to NIS2 compliance runs through automation. Manually checking device encryption, tracking patch status, and monitoring access permissions across dozens of devices simply doesn't scale.

Managed IT platforms solve this by automating the technical controls that NIS2 demands. On the deeploi platform, for example, patch management runs in the background, device encryption is enforced through policy rather than hope, and when someone leaves the company their accounts, device access, and permissions are revoked automatically as part of the standard offboarding flow. That last piece maps directly to NIS2's access control requirements, and the automated onboarding and offboarding workflow generates the audit trail alongside it.

This matters because the German government estimates annual compliance costs for NIS2 will increase by roughly €2.3 billion across the national economy (Inside Privacy). For individual SMBs, the question isn't whether compliance costs something; it's whether you spend that budget on manual effort or on systems that enforce controls automatically.

Maintaining proper IT documentation is another piece of the puzzle. NIS2 expects you to prove what you've implemented, not just claim it. Automated platforms generate audit trails by default, which makes documentation a byproduct of operations rather than a separate project.

How to get started: a compliance checklist for this quarter

If you're reading this and realising your company might be in scope but hasn't started, you're not alone. As of March 2026, only around 11,500 out of an estimated 30,000 affected organisations had registered with the BSI on time (TogetherSecure). And 11% of in-scope organisations weren't even sure what NIS2 is (IT Security Guru).

Here are five prioritised steps you can take this quarter:

  1. Run the scope check. Confirm whether your company meets both the size and sector thresholds. If you're borderline, get a legal opinion in writing.
  2. Conduct a gap analysis against the six measures above. For each one, answer: do we have this in place? Is it documented? Is it consistently enforced? 72% of cybersecurity professionals in the EU say the current threat landscape is the most challenging in five years (ISC2), so gaps today represent real, growing risk.
  3. Register with the BSI if you haven't already. Late registration is still required, and failure to register is a separate offence with its own penalties. Don't let embarrassment about being late stop you from registering now.
  4. Implement or automate your technical controls. Start with the highest-impact items: enforce MFA across all accounts, enable device encryption, set up automated patching, and formalise your offboarding process.
  5. Document everything and assign a named responsible person. NIS2 requires management accountability, so designate who's responsible, record their approval of security measures, and keep those records accessible for any BSI inquiry.

Partial progress now is far better than a perfect plan that you'll implement "next quarter." Compliance is a demonstrated state, and every control you deploy today reduces both your risk and your regulatory exposure. Market pressure reinforces this: 42% of in-scope businesses have already been asked to prove NIS2 compliance by partners, 41% by investors, and 36% by customers (IT Security Guru).

FAQ

Is NIS2 the same as ISO 27001?

They're related but fundamentally different. NIS2 is a legal obligation; ISO 27001 is a voluntary certification standard. That said, organisations with ISO 27001 or equivalent cybersecurity programmes in place likely meet roughly 70 to 80% of NIS2's baseline IT security requirements (Reed Smith). The remaining 20 to 30% covers NIS2-specific obligations: BSI registration, tiered incident reporting timelines, and codified management accountability. If you already hold ISO 27001, a structured gap assessment will tell you exactly what's missing.

What happens if my company is in scope but not yet compliant?

Fines can reach €10 million, or 2% of annual global turnover for organisations classified as "very important." Beyond financial penalties, the BSI can issue binding orders requiring specific remediation steps. Most critically, managing directors face personal liability. The regulator's goal is to ensure leadership takes ownership, not just to collect fines.

Do I need to report every security incident within 24 hours?

Only "significant" incidents trigger the reporting obligation. These are incidents that cause serious operational disruption, affect other organisations, or could lead to considerable financial or reputational damage. When one occurs, you submit an initial notification to the BSI within 24 hours, a detailed update within 72 hours, and a final report within one month. Routine security events (a blocked phishing email, a failed login attempt) don't require formal reporting.

Can a managed IT provider handle NIS2 compliance for us?

Technical controls, yes. Accountability, no. A managed IT platform can automate patch management, enforce MFA, manage device encryption, and handle secure offboarding. These are the operational components of compliance. But the legal responsibility, the risk assessments, the documented approvals, and the management training obligations remain with your company's leadership. Think of it as outsourcing the engine while keeping your hands on the steering wheel.

How does NIS2 relate to GDPR?

GDPR protects personal data. NIS2 protects network and information systems more broadly. They overlap in areas like incident notification (GDPR has its own 72-hour breach reporting requirement) and access control. But NIS2 goes further by requiring supply chain security, business continuity planning, and management accountability for cybersecurity as a whole, not just data protection. Compliance with one doesn't automatically mean compliance with the other, though the controls you implement will often serve both.

Start with what you can control

NIS2 compliance is achievable for SMBs. It doesn't require a security team of ten or a six-figure consulting engagement. It requires clear priorities, consistent enforcement of a handful of core technical controls, and leadership that takes documented ownership of security decisions.

The gap between "aware of NIS2" and "compliant with NIS2" is mostly an enforcement gap. If you can answer yes to these questions, you're further along than most: are devices encrypted? Is MFA enforced? Are patches applied automatically? Are former employees' accounts revoked on their last day? Is someone named in writing as responsible?

If you're unsure where your current IT setup stands against NIS2's Article 21 measures, deeploi offers a free consultation to map your controls and identify what can be automated immediately. The best time to start was December 2025. The second-best time is today.
