Where the SME Sector Still Lags Technically on NIS2
Transposition of NIS2 into German law is in the final stretch, and supervisory authorities are preparing the first audits. Many mid-sized companies have documented their organizational obligations: roles defined, reporting lines described, policies adopted. The technical minimum requirements of Article 21 of the directive, however, are often met only on paper. That is precisely where audits will focus, and where mid-sized businesses have the largest gaps.
Key Takeaways
- Organization documented, technology exposed. Most mid-sized companies have clarified roles and reporting structures. Technical measures under NIS2 Article 21 remain a gap area.
- Five gaps stand out in audits. Multi-factor authentication, tested recovery procedures, vulnerability management, centralized logging, and a complete asset inventory.
- Evidence beats intent. A measure only counts in an audit if its effectiveness can be proven. A policy without log data is not evidence.
- Prioritize instead of full rollout. MFA and tested backups close the most critical gaps first and can be implemented without large-scale projects.
What exactly are the technical NIS2 minimum requirements? Article 21 of the NIS2 Directive obliges affected entities to implement risk management measures, and Article 21(2) lists the areas those measures must cover at a minimum. Among them are multi-factor authentication, backup management and crisis management, vulnerability handling, access control, asset management, and cryptography and encryption. Germany's transposition embeds these requirements in the BSIG. Unlike organizational obligations, they are technically measurable and therefore verifiable during an audit.
What NIS2 Requires Technically
NIS2 does not prescribe specific products. The directive defines security objectives and leaves the implementation path to each company. This may sound flexible, but it shifts the burden of proof: if a company cannot demonstrate that a measure is in place, the regulator will consider it unimplemented.
The scope of affected entities has significantly expanded under Germany’s implementation. Estimates from circles around the BSI and BMI suggest a five-digit number of obligated organizations, many of them in the traditional mid-sized sector. A considerable portion of these companies previously operated without formal security oversight.
Organizational obligations can be met with a policy document and a resolution. Technical requirements, however, demand functioning systems. This is why gaps almost always exist on the technical side.
Five Gaps That Show Up in Audits
The following five issues most frequently appear as findings in NIS2 readiness assessments. None are technically complex. In practice, all five fail due to prioritization—not complexity.
Multifactor authentication only partially implemented
MFA is typically enabled for the central identity system. The gaps lie at the edges: remote maintenance access, third-party service provider admin accounts, and legacy VPN gateways that were never connected to the identity provider. An audit does not check whether MFA exists, but whether it is applied consistently. A single unprotected admin account constitutes a finding. Break-glass accounts are the usual legitimate exception, and they pass only if they are documented, kept in a vault, and alerted on whenever they are used. Those planning to move toward phishing-resistant methods can explore the rationale in our article on adaptive MFA as a Zero Trust enabler.
Backups exist, but recovery remains untested
Almost every company backs up its data. Far fewer have ever restored from those backups under realistic conditions. NIS2 asks about business continuity and crisis management, not merely about the existence of a backup. A backup with an unknown recovery time is not reliable evidence in an audit. Conducting and documenting at least one recovery test per year closes this gap: restore a representative system from the backup medium into an isolated environment, record the measured time to restore and the integrity check that was performed, and keep that record as the evidence.
Vulnerability management without a defined process
Patches are applied, but rarely according to a documented procedure with deadlines. NIS2 requires a traceable approach to vulnerabilities: identification, assessment, scheduling with remediation deadlines tied to severity, and follow-up. A patch status report alone does not constitute a process. Regulators want to see how a known critical vulnerability was handled from detection to remediation, including who decided what and when.
No centralized logging, no detection capability
Log data is generated across many systems but rarely aggregated in one place. Without a central log repository, incidents are seldom detected in time and can hardly be reconstructed after the fact. NIS2 requires the ability to detect and report significant security incidents, and Article 23 sets tight deadlines: an early warning within 24 hours of becoming aware of the incident and a notification within 72 hours. Without a detection layer, meeting those deadlines is practically impossible. Centralizing logs also means synchronizing clocks across sources and retaining the data long enough for an investigation. Our article on detection engineering without vendor lock-in outlines open-source paths to achieve this.
Incomplete asset inventory
Security controls only apply to known systems. Many mid-sized companies lack a complete inventory of their servers, services, and cloud accounts. Assets not listed in the inventory won’t be patched, monitored, or secured. Audits routinely begin with a request for the asset list. An incomplete inventory leads to findings across all other areas.
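The five questions above can be turned into checks that run over the evidence a company already has: an account export from the identity provider and the VPN, the CMDB, the scanner or cloud inventory, the list of hosts shipping logs, the vulnerability tracker, and the restore-test log. The following Python script is an added example and not code from the article; the record shapes, the hosts and accounts, the SLA values and the 365-day restore-test window are all constructed assumptions that must be replaced with your own exports and policy numbers.

```python
"""NIS2 readiness self-check over constructed evidence exports.

Added example, not code from the article. All data below is constructed;
the record shapes (account export, CMDB rows, scanner output, ticket list)
are assumptions and must be adapted to your own tooling.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2025, 6, 30)  # fixed so the run is reproducible

# Remediation deadlines by severity: assumed policy values, not figures from NIS2
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
RESTORE_TEST_MAX_AGE = timedelta(days=365)


@dataclass(frozen=True)
class Account:
    name: str
    system: str          # where the account lives: IdP, VPN, console, ...
    privileged: bool
    mfa: bool


@dataclass(frozen=True)
class Vuln:
    host: str
    ref: str             # placeholder ticket id, constructed
    severity: str
    detected: date
    fixed: Optional[date]


@dataclass(frozen=True)
class RestoreTest:
    system: str
    performed: date
    rto_hours: Optional[float]   # measured time to restore; None = not recorded


# --- constructed sample evidence -------------------------------------------
ACCOUNTS = [
    Account("alice", "idp", True, True),
    Account("bob", "idp", False, False),               # unprivileged: no finding
    Account("svc-maint", "legacy-vpn", True, False),   # vendor remote maintenance
    Account("root", "oob-console", True, False),
]
INVENTORY = {"web01", "db01", "erp01"}                               # CMDB view
DISCOVERED = {"web01", "db01", "erp01", "fileshare02", "jump03"}     # scanner view
LOG_SOURCES = {"web01", "db01"}                                      # hosts in the SIEM
VULNS = [
    Vuln("web01", "VULN-1", "critical", date(2025, 5, 1), date(2025, 5, 10)),  # within SLA
    Vuln("db01", "VULN-2", "critical", date(2025, 6, 1), None),               # overdue
    Vuln("erp01", "VULN-3", "medium", date(2025, 6, 15), None),               # still in SLA
]
RESTORE_TESTS = [
    RestoreTest("erp01", date(2025, 2, 10), 6.0),
    RestoreTest("db01", date(2024, 3, 1), 4.0),      # older than a year
    RestoreTest("web01", date(2025, 4, 2), None),    # restored, but no RTO recorded
]


def mfa_gaps(accounts):
    """Privileged accounts without MFA, wherever they live; each one is a finding."""
    return sorted(f"{a.system}:{a.name}" for a in accounts if a.privileged and not a.mfa)


def unmanaged_assets(inventory, discovered):
    """Hosts seen by the scanner or cloud API but absent from the CMDB."""
    return sorted(discovered - inventory)


def blind_spots(inventory, log_sources):
    """Inventoried hosts that send nothing to central logging."""
    return sorted(inventory - log_sources)


def overdue_vulns(vulns, today):
    """(ref, host, days overdue) for items closed, or still open, past their deadline."""
    out = []
    for v in vulns:
        deadline = v.detected + timedelta(days=SLA_DAYS[v.severity])
        closed = v.fixed if v.fixed is not None else today
        if closed > deadline:
            out.append((v.ref, v.host, (closed - deadline).days))
    return out


def recovery_gaps(systems, tests, today):
    """Systems with no restore test in the last year, or a test without a measured RTO."""
    latest = {}
    for t in tests:
        if t.system not in latest or t.performed > latest[t.system].performed:
            latest[t.system] = t
    gaps = []
    for s in sorted(systems):
        t = latest.get(s)
        if t is None or today - t.performed > RESTORE_TEST_MAX_AGE:
            gaps.append((s, "no test within 365 days"))
        elif t.rto_hours is None:
            gaps.append((s, "test not measured: no RTO recorded"))
    return gaps


def readiness_report(today=TODAY):
    """Run all five checks; an empty list means no finding in that area."""
    return {
        "mfa": mfa_gaps(ACCOUNTS),
        "inventory": unmanaged_assets(INVENTORY, DISCOVERED),
        "logging": blind_spots(INVENTORY, LOG_SOURCES),
        "patching": overdue_vulns(VULNS, today),
        "recovery": recovery_gaps(INVENTORY, RESTORE_TESTS, today),
    }


if __name__ == "__main__":
    for area, findings in readiness_report().items():
        print(f"{area:10} {'OK' if not findings else findings}")
```

Two design points carry over to real data. The patching check measures against the deadline, not against whether a patch was eventually applied, so a critical item fixed late still surfaces as a process failure, which is exactly what an auditor will ask about. The recovery check treats a test without a recorded restore time as a gap, because a restore whose duration nobody measured does not prove a recovery time and therefore does not count as evidence.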
What Can Be Implemented Before the Audit
These five gaps cannot—and need not—be closed simultaneously. Prioritizing by risk and effort yields better results than attempting parallel full-scale implementation.
Start with authentication. Extending MFA consistently to all administrative and remote access points immediately reduces compromise risk and can be achieved within weeks. In parallel, conduct a documented recovery test: it takes one day and provides the strongest single piece of evidence for your crisis management capabilities.
Next, build the asset inventory. It forms the foundation for vulnerability management and detection, which is why it should precede both. Only with a complete inventory does it make sense to establish a formal patching process and a centralized logging system. This sequence avoids wasting effort on systems not yet identified.
Document every action taken. Auditors assess evidence, not intentions. By rolling out MFA, documenting recovery tests, and maintaining an accurate inventory, you can close the most critical findings within weeks—long before the first audit takes place.
Frequently Asked Questions
What is the most common technical NIS2 gap in mid-sized companies?
Incomplete multifactor authentication. While MFA is usually active for the central identity system, it often lacks coverage on remote maintenance access, third-party admin accounts, and legacy VPN gateways. Audits require full coverage—just one unprotected admin account counts as a finding.
Is having a backup sufficient for NIS2 compliance?
No. NIS2 requires functional crisis management, not just the existence of a backup. A backup that has never been tested under real conditions does not qualify as reliable proof in an audit. Conducting and documenting one recovery test per year closes this gap.
Which measure should be implemented first?
Comprehensive multi-factor authentication on all administrator and remote accesses. It immediately reduces the risk of account takeover and can be implemented within a few weeks. In parallel, a documented recovery test is recommended, which provides the strongest evidence in crisis management with minimal effort.
Why is the asset inventory so important for a NIS2 audit?
Protective measures only work for known systems. Without a complete directory of servers, services, and cloud accounts, components remain unpatched and unmonitored. An audit typically starts with the asset list. An incomplete inventory leads to follow-up findings through vulnerability management and detection.
What counts as evidence of a measure in an audit?
Tangible effectiveness. A policy or decision alone is not enough. The supervisory authority expects log data, test protocols, configuration evidence, or process documentation that show a measure is not only decided but also effectively operated.
Source of title image: Pexels / Andre (px:28321968)