NIS2 in the SME Sector: Obligation, Risk, and the Fatal Trap of Isolated Compliance Silos

Why EU Directive 2022/2555 is not just another cybersecurity law, but is becoming the acid test for truly integrated corporate governance and digital resilience within the European SME (Small and Medium-sized Enterprise) sector.
1. NIS2 in One Sentence: More Management Responsibility, Less Alibi IT
Directive (EU) 2022/2555, or NIS2, is the revised foundational rule for network and information security in Europe. It no longer affects only traditional Critical Infrastructure (KRITIS), but thousands of medium-sized companies and their suppliers who previously never expected to be subject to cyber regulation. Transposition into national law is executed through national acts (e.g., the NIS2 Implementation Act in Germany), with the final application date approaching rapidly.
Core Message from the EU and Supervisory Authorities:
Cybersecurity is no longer a "nice to have" or solely an IT department task; it is an organizational duty of the company management with real sanctions and fines for non-compliance.
Affected companies are classified as "essential entities" or "important entities." Compliance requires clear Managing Director accountability and systematic risk management.
2. Who is Affected: The Reach of NIS2 Regulation in the SME Sector (Clarified)
The new cyber regulation redraws the boundaries. Many businesses forming the backbone of the economy now fall directly within the scope of NIS2, often without realizing it.
Quantification: When am I (likely) affected?
A company is generally classified as "important" or "essential" if it operates in one of the sectors covered by NIS2 and exceeds the thresholds for a medium enterprise:
- Number of Employees: $\ge 50$
- Annual Turnover OR Annual Balance Sheet Total: $\ge 10$ million Euros
The most significant affected sectors in the SME area include:
- Mechanical and Plant Engineering (selected manufacturers of critical components)
- Parts of the Automotive and Supplier Industry
- Energy-related Service Providers and distribution network operators
- Waste Management, Logistics, and ICT Service Providers
Typical and Dangerous Underestimation in the SME Sector:
"We are not a DAX corporation; this surely doesn't apply to us. We don't meet the thresholds."
The reality is that it is often sufficient to be a crucial partner in a critical supply chain, for example, as a central component supplier for larger energy providers or OEMs.
Important Addition (The Indirect Obligation):
Even small and micro-enterprises (below the thresholds) must take indirect action. Direct NIS2 entities are obliged to ensure the security of their entire supply chain. This means that as a supplier, your larger customers will contractually compel you to comply with equivalent security standards. Check your scope of application and your major customers' requirements immediately.
3. NIS2 Requirements in Detail: Four Pillars of Digital Resilience
The Directive does not demand documentation for its own sake. The focus is on proving a systematic management system for information security, structured into four pillars:
3.1. Governance and Management Duties (A Matter for the Executives)
- The management board must approve, supervise, and regularly educate themselves on security measures (Management Awareness).
- Security must be part of strategy meetings and anchored in the budget.
- Clear roles such as CISO (Chief Information Security Officer) or ISB (Information Security Officer) must be defined.
3.2. Technical and Organizational Measures (TOMs)
- Establishment of a comprehensive Risk Management Policy for continuous risk analysis.
- Business Continuity and Disaster Recovery with regular emergency drills.
- Mandatory use of Multi-Factor Authentication (MFA) for critical access.
- Building a culture of cyber hygiene and regular awareness training for all employees.
3.3. Incident Reporting Obligations (Incident Response)
- Practically impossible to meet without practiced processes: an early warning must generally be issued within 24 hours of becoming aware of the incident.
- A detailed notification is due no later than 72 hours afterwards.
- The final report must be submitted after at most one month.
- This necessitates a defined Incident Response Team and clear escalation paths.
3.4. Security Across the Entire Supply Chain
- Identification of all critical suppliers and service providers (e.g., cloud providers, Managed Service Providers).
- Embedding security requirements in contracts and conducting regular assessments.
- Integration of suppliers into the entity's own emergency and information processes.
Up to this point, much is consistent with existing standards, but: NIS2 is a binding law, not a voluntary certificate.
4. How Companies React and the Danger of "Alibi IT"
In practice, the same initial reaction is often observed, which can lead to the devaluation of compliance efforts:
“We'll just buy a GRC tool, write a few policies, and then we'll be NIS2 compliant.”
This is the foundation for exactly the "Potemkin Compliance" (window dressing for audits) that NIS2 is actually intended to prevent. Structures emerge where security only exists on paper but where no change occurs in daily operations:
- Checklist compliance instead of lived security.
- IT security controls run in isolation from business processes.
- The executive level lives under the deceptive feeling of being compliant until the first serious incident reveals the lack of integration.
5. The Real Trap: The Isolated GRC Silo
This is where the central risk lies. Many companies solve the new regulation by additionally introducing a classic GRC or "NIS2 tool," thereby creating the very problem they sought to avoid: a new silo.
Consequence of the Silo Strategy / Description and Impact:
- Data Redundancy: Security teams maintain data (risks, controls) redundantly: in the ITSM tool (ticketing system), in Excel, and in the new GRC system. The focus shifts from "reducing risk" to "feeding the system."
- Lost Effectiveness Control: The worlds of real operations (tickets, monitoring alerts, change management) are only manually linked to compliance documentation, e.g., via quarterly reports.
- Lack of Routine: In a real emergency, practiced procedures are missing between IT, Human Resources (HR), business departments, and management. The processes are described but not integrated.
In short: NIS2 thus becomes a specialized database for regulation, instead of the driver of integrated corporate governance of cyber risks.
6. How to Do It Better: NIS2 as an Integration Project for True Resilience
From our perspective, NIS2 is only successfully implemented when it is understood as an enterprise-wide integration project and brings about the following three changes within the company:
6.1. A Shared Risk Picture and Clear Accountability
The management understands which business processes are critical. IT, Risk, and HR work with a common language for risks and incidents. The roles of the Risk Owners and the CISO are practiced in day-to-day operations.
6.2. End-to-End Information Flow Instead of Isolated Solutions
NIS2 compliance must not run parallel to existing systems (such as ITSM, DMS, HR tools); it must be actively connected to them:
- Incidents from the ticketing system flow automatically into the NIS2 assessment.
- Training records from the HR learning platform become directly visible as fulfillment of the awareness control.
- Vulnerability scans and patches are reflected in the risk assessment in real time.
An integrating platform should be the bridge here, not another isolated tower.
6.3. From Project to Routine
The implementation of NIS2 must not end as a one-off compliance project. Key factors are cyclical risk management (at least annually), regular emergency drills, and clear Key Performance Indicators (KPIs) that are understood and used by management.
7. Conclusion: NIS2 is Not a Burden, But an Opportunity to Break Down Silos
The NIS2 Directive is undeniably an obligation that brings effort, clear responsibility, and a significant fine risk. However, for the SME sector, it represents a rare and necessary opportunity for modernization:
- The visibility of cyber risks at the top management level increases.
- Collaboration between IT, business departments, and internal auditing is reorganized.
- Above all: it is the perfect occasion to dismantle existing silos instead of creating new, expensive parallel worlds.
Those who reduce NIS2 to an isolated GRC tool build an expensive compliance silo. Those who understand NIS2 as an integration project and establish their organization holistically make their company demonstrably more resilient and gain a decisive competitive advantage in the market. This is exactly the approach we pursue with the Cybervize platform: establishing cybersecurity and compliance not as a parallel world, but as an inseparable part of daily value creation.
❓Frequently Asked Questions (FAQs) on NIS2 Implementation in the SME Sector (Fines and Deadlines Clarified)
Q: When must my company start with NIS2 implementation?
A: Time is extremely short. The NIS2 Directive should have been transposed into national law by October 17, 2024, and its application is mandatory across the EU from October 18, 2024. Given that national NIS2 Implementation Acts (like Germany's NIS2UmsuCG) are expected to be delayed (entering into force in 2025/2026), a critical gap arises. Affected companies should start the initial gap analysis and the definition of responsibilities (CISO/ISB) immediately. No official transition period is provided to fulfill the requirements after the national law takes effect.
Q: Is an ISO 27001 certification sufficient for NIS2 compliance?
A: No. An ISO 27001 certification is an excellent foundation for risk management. However, it does not fully cover the legal obligations of NIS2 (e.g., regulatory reporting within 24/72 hours, specific management liability). You will need supplementation through a dedicated NIS2 compliance program.
Q: What fines are imminent for NIS2 violations?
A: Non-compliance entails severe fines, similar to the sanctions under the GDPR. Depending on the company's classification as "important" or "essential," the amount is up to 10 million Euros or 2% of the worldwide annual turnover (whichever is higher). Liability explicitly rests with the management.
