For an overview of NIS-2 scope, the ten Article 21 requirements, fines, and management liability, see our piece NIS-2 Compliance: What Mid-Size Companies Must Do in 2026. This article is the technical companion: which concrete tools, architectures, and configurations work in 2026 for a NIS-2-compliant IT environment in a European mid-market company, and which design choices save audit pain later.
We focus on the five technical building blocks that recur in every NIS-2 rollout: multi-factor authentication, network segmentation, central logging, an appropriate SIEM, and automated patch management. The selection is deliberately pragmatic. Anyone who wants a mature stack can build on this without falling into tool sprawl.
MFA Architecture: Hardware Token Plus IDP
MFA is the single most effective control against phishing and credential stuffing. If you still rely on SMS OTP in 2026, prioritise replacing it. SIM-swap attacks and SS7 weaknesses have eroded that method’s value.
A pragmatic target stack in the mid-market consists of three layers. First, a central identity provider that speaks OIDC and SAML 2.0. Keycloak (open source) and Microsoft Entra ID (formerly Azure AD) are the most common choices. If GDPR and sovereignty considerations call for a European vendor, Authentik is a modern open-source alternative with an active community and commercial support from authentik Security. Second, FIDO2 hardware tokens (YubiKey, Token2, Nitrokey) for privileged accounts and all employees with access to production systems. Third, TOTP apps (Microsoft Authenticator, Aegis, FreeOTP) as a fallback for standard users.
The rollout follows a clear priority order. Administrative accounts and service accounts with access to domain controllers, Kubernetes clusters, cloud consoles, backup systems, and CI/CD pipelines get FIDO2 first. Standard workstations follow in the second wave. External contractors are handled via time-boxed just-in-time accounts, most pragmatically via PIM in Entra or an open-source alternative such as Teleport.
What we keep seeing in projects: MFA gets rolled out, but bypass paths stay open. Legacy protocols like IMAP, SMTP-AUTH, or POP3 must be disabled for all accounts. Conditional Access in Entra ID or policy rules in Keycloak close those gaps, provided they are maintained consistently.
Network Segmentation: VLANs, Microsegmentation, Zero Trust
Network segmentation is the second line of defence if MFA is bypassed. It limits lateral movement and is implicitly addressed in NIS-2 Article 21 through the requirements on access control and damage containment.
In a classic office setup, we rely on VLAN-based separation with MikroTik, Ubiquiti, or Fortinet hardware. The baseline pattern: a management VLAN for switches and routers, a server VLAN for internal services, a client VLAN for employee endpoints, a guest VLAN for visitors, and a printer VLAN for peripherals. Inter-VLAN routing only through explicitly defined firewall rules, never via default-allow.
For cloud and container environments, VLAN separation is not enough. Microsegmentation and identity-aware networking take over. In Kubernetes clusters we deploy Cilium or Calico with default-deny network policies per namespace. For hybrid setups with remote employees, Tailscale with ACLs is a pragmatic zero-trust bridge that avoids a complex SD-WAN investment.
The NIS-2-relevant point: segmentation must be documented and verifiable. A network diagram in a Confluence wiki, a current asset inventory, and firewall configurations under version control are audit material. Anyone already running infrastructure as code has a structural head start; for more, see Infrastructure as Code with Terraform and Pulumi.
Logging Stack: What, Where, and for How Long
Centralised logging is the operational foundation for the 24-hour reporting obligation. Without correlatable logs, root-cause analysis after an incident is a stab in the dark.
The minimum log set for NIS-2 covers six sources: authentication events (logins, failed logins, MFA bypass attempts, privilege changes); system audit logs on servers and endpoints (auditd on Linux, Windows Security Event Log); network flows (NetFlow, Suricata alerts, firewall logs); application logs of business-critical systems; cloud audit logs (CloudTrail, Azure Activity Log, Google Cloud audit logs); and container and Kubernetes audit logs.
The open-source stack of choice in 2026 is Grafana Loki for aggregation, Promtail or Vector as the shipper, and Grafana for visualisation. Anyone with Elastic experience runs OpenSearch and Filebeat just as solidly. For endpoint and server monitoring, Wazuh is attractive because it bundles logging, file integrity monitoring, and endpoint detection in one stack.
Retention periods derive from regulatory requirements. For NIS-2, six months is a realistic floor, twelve months is best practice, and security-relevant authentication and audit logs should be kept for 24 months because many incidents are detected only months later. Cold storage in S3 Glacier or a German object-storage provider such as IONOS or Hetzner Object Storage keeps the bill reasonable.
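The tiered retention above expressed as a Loki configuration fragment, as an added example (not from the article): twelve months by default, 24 months for streams the shipper has labelled as authentication or audit logs. Retention in Loki is enforced only by the compactor, so the fragment enables it explicitly; the `log_type` label and the storage paths are assumptions.

```yaml
# Loki config fragment (assumes Loki 2.9+ with boltdb-shipper or TSDB index).
compactor:
  working_directory: /loki/compactor
  retention_enabled: true            # retention_period below is ignored without this
  delete_request_store: filesystem   # required once retention_enabled is true
  retention_delete_delay: 2h         # grace period before chunks are actually deleted

limits_config:
  # Default tier: twelve months (365 d * 24 h) for every stream not matched below.
  retention_period: 8760h
  retention_stream:
    # 24 months for authentication and audit streams. When several selectors
    # match the same stream, the higher priority wins.
    - selector: '{log_type="auth"}'    # assumed label set by the log shipper
      priority: 2
      period: 17520h
    - selector: '{log_type="audit"}'
      priority: 2
      period: 17520h
```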
A common trap: logging too much. Collecting every debug log produces a volume that is neither affordable nor searchable. A log-reduction layer (Cribl Stream or Vector with filter transforms) at the ingest point typically halves the data volume in our projects without forensic loss.
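A log-reduction stage of the kind described above, as an added example (not the article's own configuration): a Vector pipeline that reads journald, drops debug-priority records from application units, never drops records from authentication-relevant units, tags each record with a `log_type` label so retention can be tiered downstream, and ships to Loki. The unit names, the Loki endpoint and the label name are assumptions.

```yaml
# vector.yaml: journald -> filter out debug noise (but keep auth) -> label -> Loki
sources:
  journal:
    type: journald
    include_units: ["sshd.service", "sudo.service", "myapp.service"]   # assumed units

transforms:
  drop_debug_noise:
    type: filter
    inputs: ["journal"]
    # VRL condition: journald PRIORITY 7 is debug. Keep the record when it is
    # not debug, or when it comes from an authentication-relevant unit.
    condition: |
      unit = to_string(._SYSTEMD_UNIT) ?? ""
      is_auth = includes(["sshd.service", "sudo.service"], unit)
      prio = to_string(.PRIORITY) ?? "6"
      is_auth || prio != "7"

  tag_log_type:
    type: remap
    inputs: ["drop_debug_noise"]
    # Tag auth-relevant units so Loki can apply a longer retention to them.
    source: |
      unit = to_string(._SYSTEMD_UNIT) ?? ""
      .log_type = if includes(["sshd.service", "sudo.service"], unit) { "auth" } else { "app" }

sinks:
  loki:
    type: loki
    inputs: ["tag_log_type"]
    endpoint: "http://loki.internal:3100"      # assumed Loki endpoint
    encoding:
      codec: json
    labels:
      host: "{{ host }}"
      log_type: "{{ log_type }}"
```

The filter removes volume before it is indexed, which is where the cost sits; the tagging step is what lets the SIEM and the retention policy treat authentication events differently from application chatter.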
SIEM Selection in the Mid-Market
A SIEM correlates centrally aggregated logs into alerts and gives the incident-response pipeline structure. The NIS-2 requirement to detect and handle security incidents is hard to demonstrate without one.
Mid-market selection moves between four categories. First, open-source SIEMs such as Wazuh or a self-hosted Elastic stack with OpenSearch Security. Low licence cost, high operating overhead, good sovereignty. Second, cloud-native SIEMs from the hyperscalers, namely Microsoft Sentinel and Google Chronicle. Fast start, good integration into the respective ecosystem, but vendor lock-in and data flowing to the hyperscaler. Third, dedicated SIEM vendors such as CrowdStrike Falcon LogScale, Elastic Security, or Splunk. High-quality detection-content libraries, high licence cost. Fourth, managed detection and response services from German providers such as G Data Advanced Analytics or Cognosec. Outsourcing 24/7 operations compensates for missing in-house staff.
For a NIS-2-affected mid-market company with 200 to 500 employees and no dedicated SOC team, we recommend Wazuh as the platform base plus an MDR partner for off-hours coverage in most cases. The combination typically lands at 30,000 to 70,000 euros per year and offsets the missing 24/7 readiness. Anyone building an in-house security team gets to value faster with CrowdStrike or Microsoft Sentinel, but pays more.
Important in the evaluation: a SIEM without maintained detection rules is an expensive log aggregator. MITRE ATT&CK coverage, regular Sigma rule updates, and a documented tuning process are the real quality criteria. We touched on continuous security telemetry in DevSecOps vs. DevOps as well.
Automating Patch Management
NIS-2 requires demonstrable vulnerability management. In practice, this rarely fails on intent; it fails on execution. An automated patch process solves that.
For Linux servers, Ansible with the unattended-upgrades module plus a weekly reboot window is the standard. Critical CVEs are identified through an additional CVE-polling script and patched out of band. On the Windows side, Microsoft Intune or a classic WSUS setup with Microsoft Update for Business does the job. For the server tier, we recommend Microsoft Defender Vulnerability Management or an open-source option such as OpenVAS.
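The Linux side of the process above as an added Ansible playbook (example code, not the article's or any project's own): it installs unattended-upgrades on Debian/Ubuntu hosts, limits it to the distribution's security pocket, runs it daily, and defers the reboot to a weekly Sunday window, rebooting only when a package has flagged that a reboot is required. The inventory group name is an assumption; the out-of-band CVE-polling step the article mentions is not part of this playbook.

```yaml
# patch-linux.yml: daily security updates, reboot only in a weekly window
- name: Automated security patching with a controlled reboot window
  hosts: linux_servers                       # assumed inventory group
  become: true
  tasks:
    - name: Install unattended-upgrades
      ansible.builtin.apt:
        name: unattended-upgrades
        state: present
        update_cache: true

    - name: Restrict to security updates and disable the daily automatic reboot
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        mode: "0644"
        content: |
          // ${distro_id}:${distro_codename}-security resolves to e.g.
          // Debian:bookworm-security or Ubuntu:noble-security
          Unattended-Upgrade::Allowed-Origins {
              "${distro_id}:${distro_codename}-security";
          };
          Unattended-Upgrade::Remove-Unused-Dependencies "true";
          Unattended-Upgrade::Automatic-Reboot "false";

    - name: Run package-list refresh and unattended upgrade daily
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        mode: "0644"
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

    - name: Reboot in the Sunday 03:30 window, only if a package requested it
      ansible.builtin.cron:
        name: weekly-patch-reboot
        weekday: "0"
        hour: "3"
        minute: "30"
        job: "test -f /var/run/reboot-required && /sbin/shutdown -r now 'weekly patch window'"
```

Hosts that never create `/var/run/reboot-required` are left alone, so the window costs no availability on weeks without kernel or libc updates; the cron job's presence on every host is also the audit evidence that the reboot policy is applied uniformly.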
Container images stay current through two mechanisms. Renovate or Dependabot update base-image tags and application dependencies in pull requests. Trivy or Grype scan before push and block on critical findings. We worked through the setup in detail in Trivy and the NPM Supply Chain Attack.
For NIS-2 evidence, a central dashboard showing patch state per system, open CVEs, and last scan timestamp pays off. Grafana on Loki or Wazuh dashboards are sufficient; an enterprise tool is usually more than the requirement needs.
Conclusion
A NIS-2-compliant technical stack in the European mid-market is not a question of exotic tools in 2026 but of consistent architecture. A stack of central IDP plus FIDO2, a segmented network, Loki- or Wazuh-based logging, Wazuh as the SIEM base, and automated patch management covers the operational obligations from Article 21 within a manageable budget. Anyone working through the mid-market roadmap from our NIS-2 overview article in parallel keeps the organisational and technical sides in sync.
EverBright IT supports European mid-market companies in building and hardening this stack, from tool selection through rollout planning to SIEM detection rule tuning. Learn more about our cloud and security advisory or get in touch directly.
Frequently Asked Questions
Which SIEM is most economical for mid-market companies in 2026?
For a NIS-2-affected mid-market company with 200 to 500 employees and no in-house SOC, we recommend Wazuh as the platform plus an MDR partner for 24/7 coverage. Microsoft Sentinel is the alternative for M365-centric environments, but it costs more and binds you to the Microsoft ecosystem.
Is TOTP MFA enough for NIS-2 or do we need FIDO2?
TOTP is enough for standard users. For administrative accounts, domain controller access, cloud consoles, and backup systems, current BSI guidance and state-of-practice require FIDO2 hardware tokens. SMS OTP has been considered insufficient for years and should be retired actively, because SIM-swap and SS7 attacks compromise the method.
How long must logs be retained for NIS-2?
NIS-2 itself does not name a hard deadline. In practice, six months minimum, twelve months best practice, and 24 months for security-relevant auth and audit logs are reasonable. Background: many incidents are discovered only months later. Cold storage in a German object store keeps the cost in check.
What does a NIS-2-compliant security stack cost in the mid-market?
For a company with 200 to 500 employees, operating costs break down across SIEM and MDR, endpoint protection and patch management, logging infrastructure, and FIDO2 hardware. Exact figures depend on the chosen stack, existing contracts, and current security maturity. An individual estimate after the gap analysis gives reliable numbers.