
NIS2 for SMBs: Which Obligations Actually Apply in 2026


NIS2 — the EU directive on network and information security (2022/2555) — has been due for transposition across the EU since October 2024. Germany has prepared the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) across several drafts; with the current state of legislation in 2026 the implementation phase is in full swing. In advisory sessions at DATAZONE we still see: most SMBs still underestimate whether they are in scope at all — and how specific the obligations are.

This article sums up what is on paper: covered companies, the eleven minimum measures from Article 21, reporting obligations, liability. We deliberately avoid invented fine amounts — final sanctions follow from the act passed by the Bundestag, not from consulting slides.

What is NIS2 anyway?

NIS2 is the successor to the 2016 NIS directive. The key structural changes:

  • Expanded scope: significantly more sectors than the old NIS, including waste management, food, research, postal/courier, providers of digital services and manufacturers of certain products (electronics, medical devices)
  • Two-tier classification: “essential” and “important” entities — both with obligations, supervised at slightly different intensities
  • Risk-based approach: more concrete minimum measures in Article 21
  • Tighter reporting deadlines: early warning within 24 hours, incident notification within 72 hours, final report after one month
  • Personal liability of management for cyber risk management

Important: NIS2 itself is a directive, not a directly applicable law. What matters for companies in Germany is the national implementation act (NIS2UmsuCG) — current status and wording should always be verified against the latest Bundestag/Bundesrat documents.

Who is in scope?

The most important question first — and it is more complicated than it looks. NIS2 combines sector membership with company size:

Thresholds (simplified)

Category           | Employees | Annual revenue or balance sheet
Essential entities | ≥ 250     | > 50 mil. EUR revenue or > 43 mil. EUR balance sheet
Important entities | ≥ 50      | > 10 mil. EUR revenue or > 10 mil. EUR balance sheet

Critical rule: with a “small company” classification (under 50 employees AND under 10 mil. EUR revenue), you are out of scope in many sectors — but not all. For certain sectors (qualified trust services, DNS providers, TLD registries, critical parts of public administration etc.) NIS2 applies regardless of size.

Sectors in scope — excerpt

From the directive annexes (Annex I “Sectors of high criticality”, Annex II “Other critical sectors”):

  • Energy (electricity, gas, heat, hydrogen, oil)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Healthcare (including manufacturers of medical devices)
  • Drinking water, wastewater
  • Digital infrastructure (cloud, data centre, CDN, DNS, TLD)
  • ICT service management (managed service providers, managed security service providers)
  • Public administration
  • Space
  • Postal and courier services
  • Waste management
  • Chemical substances (production, manufacture, distribution)
  • Food (production, processing, distribution)
  • Manufacturing (medical devices, electronics, machinery, motor vehicles)
  • Providers of digital services (online marketplaces, search engines, social networks)
  • Research

A classic SMB with e.g. 80 employees and 15 mil. EUR revenue in mechanical engineering is therefore an “important entity” under NIS2. A digital service provider with only 30 employees but 12 mil. EUR revenue is likewise an important entity. An ICT service provider with 60 employees and 8 mil. EUR revenue may sit below the “important entity” revenue threshold but still has sector-specific checks to do.

Practical tip: a blanket “we are too small for NIS2” is not defensible. The check must be done sector- and size-based and should be documented in writing.
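As an added example (not DATAZONE's tooling), a first-pass scoping screen in Python that encodes the simplified thresholds and the size-independent sector rule above and produces the written record the practical tip asks for. It reads each threshold row as "any one criterion suffices", as the 30-employee / 12 mil. EUR case implies, and adds one rule from the directive itself (Art. 3(1)): only Annex I sectors can be "essential"; the sector and entity-type keys are constructed labels, and the EU SME size test differs in detail, so the output is a starting point for the scoping record, not a legal determination.

```python
"""NIS2 scoping first screen, implementing the article's simplified rules."""
from dataclasses import dataclass, asdict
# Annex I "sectors of high criticality" and Annex II "other critical sectors",
# split as in the directive (the article lists them without the split).
ANNEX_I = {"energy", "transport", "banking", "financial_market_infrastructure",
           "health", "drinking_water", "wastewater", "digital_infrastructure",
           "ict_service_management", "public_administration", "space"}
ANNEX_II = {"postal_courier", "waste_management", "chemicals", "food",
            "manufacturing", "digital_providers", "research"}
# Entity types the article names as in scope regardless of size
# (Art. 3(1) of the directive classes them as essential).
SIZE_INDEPENDENT = {"qualified_trust_service", "dns_provider", "tld_registry",
                    "central_public_administration"}

@dataclass
class Entity:
    sector: str
    employees: int
    revenue_meur: float          # annual revenue in million EUR
    balance_meur: float = 0.0    # balance sheet total; 0.0 = not known
    entity_type: str = ""        # set only for size-independent types

def size_band(e: Entity) -> str:
    """Article's simplified table: any single criterion moves the band up."""
    if e.employees >= 250 or e.revenue_meur > 50 or e.balance_meur > 43:
        return "large"
    if e.employees >= 50 or e.revenue_meur > 10 or e.balance_meur > 10:
        return "medium"
    return "small"

def classify(e: Entity) -> str:
    """NIS2 category, or 'out of scope' with the reason for the file."""
    if e.entity_type in SIZE_INDEPENDENT:
        return "essential (regardless of size)"
    if e.sector not in ANNEX_I | ANNEX_II:
        return "out of scope: sector not in Annex I/II"
    band = size_band(e)
    if band == "small":
        return "out of scope: small company"
    if band == "large" and e.sector in ANNEX_I:
        return "essential"
    return "important"   # medium-sized in either annex, or large in Annex II

def scoping_record(e: Entity) -> dict:
    """The written scoping record the article asks for: inputs, band, result."""
    rec = asdict(e)
    rec["size_band"] = size_band(e)
    rec["classification"] = classify(e)
    rec["basis"] = "simplified thresholds; verify against NIS2UmsuCG wording"
    return rec
```

Running `scoping_record` over each legal entity of a group gives one line per entity to file with the scoping decision.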

The eleven minimum measures from Article 21

Article 21 of the directive lists ten areas; the national German implementation groups these with an additional point into eleven minimum measures. They are the core of the NIS2 obligations:

#  | Area
1  | Risk analysis policies and information system security
2  | Incident handling (incident response)
3  | Business continuity, backup management, crisis management
4  | Supply chain security (including supplier relationships)
5  | Security in acquisition, development and maintenance of IT systems, vulnerability management
6  | Assessing the effectiveness of risk management measures
7  | Basic cyber hygiene practices and training
8  | Cryptography and encryption
9  | HR security, access control concepts, asset management
10 | Multi-factor authentication, identity management, secured communication
11 | Emergency communication (secure communication during a crisis)

The most important thing about this list is not the individual point but: all eleven areas must be demonstrably implemented. A written policy is not enough — effectiveness must be evidenced (audit logs, exercise records, training records, technical configuration).

What this means for IT in practice

For most of our SMB customers the eleven items break down to the following building blocks:

  • Backup strategy per 3-2-1 rule, including immutable backups
  • Disaster recovery plan with documented RTO/RPO targets and at least one yearly recovery exercise
  • Patch management with vulnerability scans and defined reaction windows
  • Multi-factor authentication for admin access, VPN, external services
  • Network segmentation — separation of office, server, OT/production, guest WiFi (VLAN setup)
  • Encryption in transit (TLS) and at rest (e.g. dataset encryption on TrueNAS)
  • Centralised logging and monitoring with alerts for security-relevant events
  • Asset inventory: every server, every laptop, every network device with ownership and lifecycle state
  • Supplier security assessment: contractual and technical — what can the external IT provider do, how is that monitored?
  • Staff training with documented attendance — phishing, password hygiene, social engineering
  • Incident response plan: who does what when, with documented escalation paths

Much of this is good practice — what is new is not the “what”, it is the mandatorily evidenced “how”.

Reporting obligations — the 24/72/30 cadence

In case of a significant incident, a three-stage reporting cascade to the competent authority (in Germany: the BSI) applies:

Deadline        | Content
within 24 hours | Early warning: what is known, whether cross-border or unlawful, initial assessment
within 72 hours | Incident notification: fuller picture, severity, suspected root cause
within 1 month  | Final report: detailed description, impact, threat indicators, measures taken/planned

“Significant” is defined as: an incident that significantly impairs operations or causes financial loss, or affects other natural or legal persons through significant material or non-material damage.

Practical note: the 24-hour deadline is tight. Anyone without a prepared reporting template and a clear point of responsibility will routinely miss it. We recommend documenting the reporting format and the internal escalation chain ahead of time — not during an incident.

Personal liability of management

One of the most noticeable changes: management can be held personally liable for inadequate cybersecurity risk management. Concretely from the directive text (Art. 20 and 21):

  • Management must approve and supervise cybersecurity risk management measures
  • Management must complete regular training on cybersecurity
  • For breaches of duty, national legislators can provide civil or administrative liability
  • In severe cases, temporary suspension of management functions is foreseen

What this means in SMB terms: cybersecurity is no longer “IT will handle it”. It must be documented at management level as decided, funded with budget and demonstrably overseen. The managing director’s decision on backup strategy and patch management belongs in the minutes. That is substantive, not just compliance folklore.

On fines

We deliberately do not name specific fine ceilings here — the final wording follows from the national implementation act. Companies should pull the actual numbers from the Bundestag printed paper on NIS2UmsuCG or via their industry association. Only the structural direction is known:

  • Essential entities: higher fine ceilings than important entities
  • Calculation base: fixed maximum amounts or a share of global annual revenue, whichever is higher
  • Distribution of liability between company and management is specified in national law

Anyone working with dubious numbers from marketing material risks getting the wrong impression — either too relaxed or unnecessarily alarmist.

What we recommend to SMBs

At DATAZONE we work with SMB customers in four steps:

1. Scoping analysis — written documentation: sector, thresholds, classification (essential/important/out of scope). Time: 1–2 days of consulting plus internal fact gathering.

2. Gap analysis against Art. 21 — walk through all eleven areas, capture existing measures, name gaps, prioritise by risk and effort. Outcome: action plan with timeline.

3. Technical implementation — backup, patch management, MFA, network segmentation, logging, encryption. This is classic IT security work — see our security checklist for SMBs.

4. Documentation, processes, exercises — incident response plan, pre-generated reporting template, management decisions in the minutes, annual recovery plan exercise.

Realistic timeframe for an SMB without an existing ISMS structure: 6–18 months to full implementation. Anyone just starting now will be under time pressure — supervisory authorities have only just begun the bulk of inspections.

Common misconceptions

“We have GDPR, so we are NIS2-compliant.” Wrong. GDPR governs data protection, NIS2 network and information security. There is overlap (encryption, reporting), but NIS2 has its own, independent obligations.

“We are ISO 27001 certified, that covers NIS2.” Partially correct. ISO 27001 covers a large share of the Art. 21 measures, but NIS2 has sector- and size-specific additional requirements plus the reporting obligations — these are not included in the ISO standard.

“We use cloud, so responsibility lies with the provider.” Wrong. NIS2 explicitly establishes responsibility of the entity for the supply chain. The cloud provider is part of the supply chain; its security level must be checked contractually and technically.

“Our MSP takes care of that.” Partially — but ultimate responsibility stays with the company. What the MSP delivers must be contractually clear, and its activity must be supervised.

DATAZONE recommendation

Start with the scoping analysis before talking about measures. Once classification is clear, obligations and effort can be sized realistically. In most cases what NIS2 demands technically is good practice anyway — backup strategy, MFA, patch management, segmentation, training. The effort lies more in structured documentation and demonstrating effectiveness.

We offer vendor-neutral NIS2 advisory with SMB focus — no 200-page compliance packages, instead concrete action plans for the next 12 months. More under contact.
