6 min read<\/p>\n
NIS2 implementation into German law is in the final stretch. Supervisory authorities are preparing the first audits. Many mid-sized companies have documented their organizational obligations: roles defined, reporting lines described, policies adopted. However, the technical minimum requirements outlined in Article 21 of the directive are often only met on paper. This is precisely where audits will focus\u2014and where mid-sized businesses have the largest gaps.<\/strong><\/p>\n Key Takeaways<\/p>\n What exactly are the technical NIS2 minimum requirements?<\/strong> Article 21 of the NIS2 Directive obliges affected entities to implement specific risk management measures. These include multi-factor authentication, backup and crisis management, vulnerability handling, access control, and encryption. Germany’s transposition of these requirements via the BSIG embeds them into national law. Unlike organizational obligations, these are technically measurable and therefore verifiable during audits.<\/p>\n Related:<\/span>NIS2 Audit: How the Vendor List Falls Apart in Two Hours<\/a> \/<\/span> Adaptive MFA as a Zero-Trust Enabler for SMEs<\/a><\/p>\n NIS2 does not prescribe specific products. The directive defines security objectives and leaves the implementation path to each company. This may sound flexible, but it shifts the burden of proof: if a company cannot demonstrate that a measure is in place, the regulator will consider it unimplemented.<\/p>\n The scope of affected entities has significantly expanded under Germany\u2019s implementation. Estimates from circles around the BSI and BMI suggest a five-digit number of obligated organizations, many of them in the traditional mid-sized sector. A considerable portion of these companies previously operated without formal security oversight.<\/p>\n Organizational obligations can be met with a policy document and a resolution. Technical requirements, however, demand functioning systems. This is why gaps almost always exist on the technical side.<\/p>\n The following five issues most frequently appear as findings in NIS2 readiness assessments. None are technically complex. In practice, all five fail due to prioritization\u2014not complexity.<\/p>\n MFA is typically enabled in most companies for the central identity system. The gaps lie at the edges: remote maintenance access, third-party service provider admin accounts, legacy VPN gateways. An audit doesn\u2019t check whether MFA exists, but whether it\u2019s applied consistently. A single unprotected admin account constitutes a finding. Those planning to move toward phishing-resistant methods can explore the rationale in our article on adaptive MFA as a Zero Trust enabler<\/a>.<\/p>\n Almost every company backs up data. Far fewer have ever tested data restoration under real-world conditions. NIS2 asks about crisis management, not just backup existence. A backup with an unknown recovery time isn\u2019t considered reliable evidence in an audit. Conducting and documenting one recovery test per year closes this gap.<\/p>\n Patches are applied, but rarely according to a documented procedure with deadlines. NIS2 requires a traceable approach to vulnerabilities: identification, assessment, scheduling, and follow-up. A patch status report alone does not constitute a process. Regulators want to see how a known critical vulnerability was managed from detection to remediation.<\/p>\n Log data is generated across many systems but rarely aggregated in one place. Without a centralized log repository, incidents cannot be detected or reconstructed after the fact. NIS2 requires the ability to detect and report security incidents. Without a detection layer, meeting the legal reporting deadlines becomes practically impossible. Our article on detection engineering without vendor lock-in<\/a> outlines open-source paths to achieve this.<\/p>\n Security controls only apply to known systems. Many mid-sized companies lack a complete inventory of their servers, services, and cloud accounts. Assets not listed in the inventory won\u2019t be patched, monitored, or secured. Audits routinely begin with a request for the asset list. An incomplete inventory leads to findings across all other areas.<\/p>\n These five gaps cannot\u2014and need not\u2014be closed simultaneously. Prioritizing by risk and effort yields better results than attempting parallel full-scale implementation.<\/p>\n Start with authentication. Extending MFA consistently to all administrative and remote access points immediately reduces compromise risk and can be achieved within weeks. In parallel, conduct a documented recovery test: it takes one day and provides the strongest single piece of evidence for your crisis management capabilities.<\/p>\n Next, build the asset inventory. It forms the foundation for vulnerability management and detection, which is why it should precede both. Only with a complete inventory does it make sense to establish a formal patching process and a centralized logging system. This sequence avoids wasting effort on systems not yet identified.<\/p>\n Document every action taken. Auditors assess evidence, not intentions. By rolling out MFA, documenting recovery tests, and maintaining an accurate inventory, you can close the most critical findings within weeks\u2014long before the first audit takes place.<\/p>\n Incomplete multifactor authentication. While MFA is usually active for the central identity system, it often lacks coverage on remote maintenance access, third-party admin accounts, and legacy VPN gateways. Audits require full coverage\u2014just one unprotected admin account counts as a finding.<\/p>\n No. NIS2 requires functional crisis management, not just the existence of a backup. A backup that has never been tested under real conditions does not qualify as reliable proof in an audit. Conducting and documenting one recovery test per year closes this gap.<\/p>\n Comprehensive multi-factor authentication on all administrator and remote accesses. It immediately reduces the risk of account takeover and can be implemented within a few weeks. In parallel, a documented recovery test is recommended, which provides the strongest evidence in crisis management with minimal effort.<\/p>\n Protective measures only work for known systems. Without a complete directory of servers, services, and cloud accounts, components remain unpatched and unmonitored. An audit typically starts with the asset list. An incomplete inventory leads to follow-up findings through vulnerability management and detection.<\/p>\n Tangible effectiveness. A policy or decision alone is not enough. The supervisory authority expects log data, test protocols, configuration evidence, or process documentation that show a measure is not only decided but also effectively operated.<\/p>\n Source of title image: Pexels \/ Andre (px:28321968)<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"NIS2 check for SMEs: five technical gaps that stand out in an audit and how to close them before the first review.","protected":false},"author":55,"featured_media":14848,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"","_yoast_wpseo_title":"Where the SME Sector Still Lags Technically on NIS","_yoast_wpseo_metadesc":"NIS2 Compliance for SMEs: Discover 5","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/nis2-technische-mindestanforderungen-mittelstand-2026-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/nis2-technische-mindestanforderungen-mittelstand-2026-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-14862","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aktuelles"],"wpml_language":"en","wpml_translation_of":14844,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/14862","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=14862"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/14862\/revisions"}],"predecessor-version":[{"id":15123,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/14862\/revisions\/15123"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/14848"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=14862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=14862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=14862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
What NIS2 Requires Technically<\/h2>\n
Five Gaps That Show Up in Audits<\/h2>\n
Multifactor authentication only partially implemented<\/h3>\n
Backups exist, but recovery remains untested<\/h3>\n
Vulnerability management without a defined process<\/h3>\n
No centralized logging, no detection capability<\/h3>\n
Incomplete asset inventory<\/h3>\n
What Can Be Implemented Before the Audit<\/h2>\n
Frequently Asked Questions<\/h2>\n
What is the most common technical NIS2 gap in mid-sized companies?<\/h3>\n
Is having a backup sufficient for NIS2 compliance?<\/h3>\n
Which measure should be implemented first?<\/h3>\n
Why is the asset inventory so important for a NIS2 audit?<\/h3>\n
What counts as evidence of a measure in an audit?<\/h3>\n
Editor’s Reading Recommendations<\/h3>\n
\n
More from the MBF Media Network<\/h3>\n
\n