Implementing NIS2 in 5 Steps: A Practical Guide for SMEs
NIS2 may seem complex, but it can be broken down into five structured steps. This guide is aimed at IT managers and CISOs in SMEs who want to implement it pragmatically and budget-consciously.
TL;DR
NIS2 may seem complex, but it can be broken down into five structured steps: check if you are affected, conduct a gap analysis, prioritize measures, implement, and document. This guide is aimed at IT managers and CISOs in SMEs.
Step 1: Check if You Are Affected
Check two criteria:
- Sector: Does your company belong to one of the 18 regulated sectors?
- Size: More than 50 employees OR more than 10 million EUR in annual turnover?
If both criteria apply, you are affected. Tip: The BSI (Federal Office for Information Security) provides an online check to see if you are affected.
Step 2: Gap Analysis
Compare your current status with the NIS2 requirements:
- Do you have a risk management framework in place? (ISO 27001 covers a lot)
- Is your incident response plan up-to-date and tested?
- Is business continuity management documented?
- Has supply chain security been assessed?
- Are reporting processes defined for 24h/72h deadlines?
- Is the management involved in cybersecurity training?
Step 3: Prioritize Measures
Sort your gaps according to three criteria:
- Compliance obligation: reporting processes and risk management first
- Risk reduction: address the biggest risks first
- Quick wins: prioritize measures with low effort and high impact
Step 4: Implement
Typical measures for SMEs:
- Introduce multi-factor authentication for all accesses
- Segment networks between IT and OT
- Roll out EDR solutions on all endpoints
- Set up regular vulnerability scans
- Create and test an incident response plan
- Conduct security awareness training quarterly
- Assess supplier risks for top 20 suppliers
Step 5: Document and Prove
NIS2 requires verifiable documentation. This means:
- Document risk assessments in writing
- Make the implementation of measures traceable with timestamps
- Record training participation (especially management!)
- Document incident response tests
- Archive supplier assessments
Key Facts
5 Steps: Check if you are affected, gap analysis, prioritization, implementation, documentation
ISO 27001 covers approximately 70% of the NIS2 requirements
MFA and EDR are the most important quick wins
Management training is mandatory, not optional
BSI check for being affected is available online
Fact: Under NIS2, managers are personally liable for implementing cybersecurity requirements.
Fact: NIS2 provides for fines of up to 10 million EUR or 2 percent of global annual turnover.
Frequently Asked Questions
Does ISO 27001 suffice for NIS2 compliance?
No, but it is a very good basis. Additionally, you need to cover the specific reporting obligations (24h/72h), supply chain requirements, and explicit management liability.
How much does NIS2 implementation cost for an SME?
This depends heavily on the current status. Companies with an existing ISMS (ISO 27001) estimate 50,000-150,000 EUR. Without a basic framework, 200,000-500,000 EUR is realistic for the initial implementation.
Further Articles
The NIS2 Directive: What Companies Need to Know
Zero Trust: The 7 Most Common Mistakes
How does NIS2 differ from the GDPR?
The GDPR protects personal data, while NIS2 secures the cybersecurity of networks and information systems. NIS2 requires technical and organizational measures, reporting obligations within 24 hours, and regular risk assessments – with much shorter deadlines than the GDPR.
Related Articles
- NIS2 and Management Liability: Why Cybersecurity is Now a Management Issue
- Cybersecurity Trends 2026: The 7 Developments That Security Decision-Makers Need to Know
- NIS2 Checklist 2026: What Companies Need to Implement Now
More from the MBF Media Network
Header Image Source: Pexels / Leeloo The First
