Cybervize - Cybersecurity Beratung

CROSSBORDER CYBERSECURITY TOUR #2: Why NIS2 Is a Strategic Opportunity for SMEs

Alexander Busse · March 14, 2026

On Tuesday, I will be speaking at the CROSSBORDER CYBERSECURITY TOUR #2 at East Side Fab in Saarbrücken, Germany. The topic: how companies can transform regulatory hurdles into operational excellence. This question is not merely theoretical for me – it is something I work through every day with small and medium-sized enterprises. And my answer is clear: NIS2 is not a threat. NIS2 is an opportunity.

NIS2 – Why 70 Percent of SMEs Are Looking Through the Wrong Lens

Studies consistently show that around 70 percent of small and medium-sized businesses in Germany perceive the NIS2 Directive primarily as a bureaucratic burden. New documentation requirements, incident reporting obligations, executive-level accountability – all of it sounds like additional overhead that distracts from the core business. This perception is understandable, but it fundamentally misses the point.

Those who see NIS2 purely as a compliance exercise are asking the wrong question. The right question is not: "What do I need to do to satisfy the regulation?" The right question is: "What does NIS2 allow me to accomplish that I would not have tackled without external pressure?"

Regulatory Pressure as a Modernisation Driver

Companies that implement NIS2 seriously end up building structures that go far beyond the legal minimum. They systematically inventory their critical assets for the first time. They define clear responsibilities for handling security incidents. They review their supply chain for security standards. And they implement processes that allow them to act quickly and in a coordinated way when something goes wrong. These are not bureaucratic exercises – they are the operational foundation for a resilient business in 2026.

A concrete example from practice: a mid-sized manufacturing company with 150 employees that conducts a full IT asset inventory as part of its NIS2 preparation frequently discovers systems that have been running without patches for years, access rights of former employees that were never revoked, and backup systems that have been silently failing for months without anyone noticing. Without the regulatory push, these findings might only have come to light after an actual attack – at a far greater cost.

Why SMEs Have a Structural Advantage Here

Large corporations struggle with NIS2 implementation due to complex group structures, international jurisdictions, and legacy system landscapes that have grown over decades. SMEs have a structural advantage that many underestimate: shorter decision-making paths, manageable IT environments, and direct communication between management and IT.

Companies that leverage these strengths can implement NIS2 faster, more pragmatically, and more effectively than any large corporation. This requires, however, that senior management actively shapes the process rather than delegating it to the IT department. NIS2 affects the entire organisation – and the personal liability provisions for company leadership make this unambiguously clear.

From Compliance to Strategic Strength

Three perspectives that make the difference:

First, think of security as a business process. The era in which IT security was a purely technical matter is over. NIS2 anchors security responsibility at the leadership level. An executive who does not know their critical business processes, has not assessed their risks, and has not defined emergency procedures is no longer running a modern company – they are running a potential victim.

Second, use incidents as a strategic learning tool. Companies that implement robust reporting processes develop a capability that goes beyond compliance: they become faster at recognising, escalating, and managing incidents. The reporting process is not box-ticking – it is an organisational early warning system that may make the difference between a manageable incident and an existential threat.

Third, use NIS2 conformity as a market differentiator. An increasing number of large enterprises and public-sector clients are auditing their suppliers and service providers for security standards. An SME that is NIS2-compliant and can demonstrably document this has a concrete competitive advantage over competitors still in the orientation phase. Compliance becomes a market opportunity.

Conclusion: Hurdle or Lever – The Choice Is Ours

The CROSSBORDER CYBERSECURITY TOUR #2 is more than a speaking engagement for me. It is an exchange among practitioners who work daily with the real challenges and concrete opportunities of cybersecurity in the SME sector. It is precisely this exchange – this mutual learning curve drawn from experience and experimentation – that drives the industry forward.

My thesis remains: those who recognise NIS2 as an opportunity will be better positioned at the end of the process than they were before the regulation. Those who wait for requirements to be relaxed risk not only significant fines – they risk the structural vulnerability that a determined attacker will exploit sooner or later. Regulation does not enforce excellence. But it creates the occasion for it. And that, used correctly, is worth more than any voluntary optimisation programme.