
NIS-2 Compliance: What Mid-Size Companies Must Do in 2026

NIS-2 compliance imposes new duties on mid-size companies: risk management, incident reporting, supply chain security. What you must do now.


NIS-2 compliance now affects roughly 30,000 companies in Germany alone, many of them for the first time. If your organization has 50 or more employees, or more than 10 million euros in annual turnover, and operates in one of the listed sectors, the EU directive imposes new cybersecurity obligations. For mid-size companies (the German “Mittelstand”), NIS-2 is no longer an optional maturity exercise. It is a legal requirement, with fines for essential entities of up to 10 million euros or 2 percent of global annual turnover, whichever is higher.

This article clarifies who is in scope, what the ten minimum requirements of Article 21 actually mean in practice, and what a pragmatic implementation roadmap looks like for a typical mid-size company.

Who Falls Under NIS-2?

The directive distinguishes between “essential” and “important” entities. Essential entities are large organizations in highly critical sectors such as energy, water, healthcare, finance, digital infrastructure, and transport. Important entities are medium-sized organizations in those sectors plus additional ones, including postal and courier services, waste management, food production, manufacturing of machinery, and chemicals.

The size thresholds kick in at 50 employees or 10 million euros in annual turnover. Smaller organizations are directly in scope only if explicitly designated by the competent authority, for example because they are the sole provider of a service in a member state or because a disruption at the company would have a significant impact on public safety or the economy. Separately, if your company supplies an essential or important entity, its NIS-2 duties reach you indirectly: Article 21 obliges the customer to manage supply chain risk, so its security requirements end up in your contracts even if you are not in scope yourself.

In Germany, the NIS-2 Implementation and Cybersecurity Strengthening Act transposes the directive into national law. The Federal Office for Information Security (BSI) is the central supervisory authority and provides an online scope assessment tool. That assessment should be the first step of any compliance initiative.

The Ten Minimum Requirements of Article 21

Article 21 of the NIS-2 directive lists ten technical and organizational measures that every in-scope organization must implement. They follow a risk-based approach and cover the full lifecycle of information systems.

The ten measures are: policies for risk analysis and information system security; incident handling; business continuity (including backups, disaster recovery, and crisis management); supply chain security; security in the acquisition, development, and maintenance of systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies, and asset management; and the use of multi-factor or continuous authentication together with secured communications, including for emergencies.

The list reads as abstract, but it maps cleanly onto common frameworks. Organizations running ISO 27001 already cover much of it, and the BSI IT-Grundschutz catalogue and NIST CSF mappings are compatible too. Note that NIS-2 does not require certification, but it does require demonstrable, effective implementation. Essential entities are supervised proactively and can be audited at any time; important entities are supervised reactively, typically after the authority receives evidence of non-compliance, but an audit can still be ordered and the evidence must then be ready.

Incident Reporting: 24, 72, and 30

The reporting obligations are operationally the most painful element of the directive. For a significant security incident, a three-stage notification chain applies; in Germany the recipient is the BSI.

Within 24 hours of becoming aware of the incident, an early warning must be filed. It is brief and states whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact. Within 72 hours of becoming aware, an incident notification follows that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. Within one month of that 72-hour notification, a final report is due, covering a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and still ongoing, and any cross-border impact. If the incident is still being handled at that point, a progress report is filed instead and the final report follows within a month of the incident being resolved. The authority can additionally request intermediate status updates at any time.

In practice, this rarely fails on the technical side. It fails on process. Without a clearly defined escalation scheme, on-call coverage, and templates for regulatory notifications, the 24-hour deadline gets missed. A solid incident response playbook, of the kind typically anchored in a DevSecOps setup, is a prerequisite, not a nice-to-have.

Supply Chain Security as a Practical Problem

Requirement four under Article 21 is the most awkward for mid-size organizations: supply chain security. This covers not just hardware procurement and cloud services, but also SaaS tools, external developers, open source libraries, and managed service providers.

In concrete terms, it means at least three measures. First, a supplier inventory with risk classification, maintained continuously. Second, security requirements anchored in contracts: audit rights, incident notification clauses, and concrete technical requirements such as encrypted data transmission. Third, Software Bills of Materials (SBOMs) for the software you deploy, so that when a dependency is compromised, as in the Trivy supply chain attack in the npm ecosystem, you can tell within hours rather than days which of your systems carry the affected versions.

A simple example illustrates the scale. A typical mid-size company with 200 employees often has 60 to 100 SaaS subscriptions, plus cloud providers, hosting, a dozen external service providers, and hundreds of open source packages in its own applications. A full risk assessment of every item is not feasible, so prioritization is essential: classify by data sensitivity, business criticality, and how easily a service could be replaced.
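The SBOM use case above only pays off if the lookup is mechanical: when an advisory names a package and an affected version range, you want to query every SBOM you hold rather than grep build logs. The following Python script is an added example, not code from the original article or from any tool it mentions. It parses a minimal CycloneDX JSON SBOM constructed inline, matches its components against a constructed advisory (the package names, versions, and ranges are hypothetical and describe no real incident), and reports the hits. The version comparison is deliberately simple and is not a full semver implementation.

```python
import json

# Constructed sample SBOM in CycloneDX JSON, kept minimal. The package names,
# versions and the advisory below are hypothetical and describe no real incident.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-logger", "version": "1.3.0",
         "purl": "pkg:npm/example-logger@1.3.0"},
        {"type": "library", "name": "@example/telemetry", "version": "2.4.1",
         "purl": "pkg:npm/%40example/telemetry@2.4.1"},
        {"type": "library", "name": "example-http", "version": "2.31.0",
         "purl": "pkg:pypi/example-http@2.31.0"},
    ],
})

# Constructed advisory entries: a package is affected from "introduced"
# (inclusive) up to "fixed" (exclusive); None means no bound on that side.
SAMPLE_ADVISORY = [
    {"ecosystem": "npm", "name": "@example/telemetry", "introduced": "2.4.0", "fixed": "2.4.2"},
    {"ecosystem": "npm", "name": "example-logger", "introduced": "1.4.0", "fixed": None},
]


def parse_version(version):
    """Turn '2.4.1' into (2, 4, 1) for tuple comparison.

    Pre-release and build suffixes ('-rc1', '+build') are dropped and
    non-numeric parts count as 0. Good enough for range checks on release
    versions; it is not a full semver implementation.
    """
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) if part.isdigit() else 0 for part in core.split("."))


def in_range(version, introduced, fixed):
    """True if version lies in [introduced, fixed)."""
    v = parse_version(version)
    if introduced is not None and v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def ecosystem_from_purl(purl):
    """Extract the package type from a package URL: 'pkg:npm/foo@1.0' -> 'npm'."""
    if not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].split("/", 1)[0]


def affected_components(sbom_json, advisory):
    """Return the SBOM components that fall into an advisory's affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        eco = ecosystem_from_purl(comp.get("purl", ""))
        for adv in advisory:
            if (adv["ecosystem"] == eco
                    and adv["name"] == comp.get("name")
                    and in_range(comp.get("version", "0"), adv["introduced"], adv["fixed"])):
                hits.append({
                    "name": comp["name"],
                    "version": comp["version"],
                    "ecosystem": eco,
                    "fixed_in": adv["fixed"],
                })
    return hits


if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORY):
        fixed = hit["fixed_in"] or "no fix published"
        print(f"AFFECTED {hit['ecosystem']}:{hit['name']}@{hit['version']} (fixed in {fixed})")
```

Matching on the package URL type as well as the name matters: the same name can exist in npm and PyPI, and an advisory for one ecosystem says nothing about the other. Run against the sample data, the script flags only @example/telemetry 2.4.1; example-logger 1.3.0 sits below the affected range and is left alone. In production the SBOMs would come from your build pipeline and the advisory from a feed such as OSV, but the matching logic stays the same.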

A Pragmatic Roadmap for SMEs

Across cloud and security engagements over the past months, a five-phase model has proven workable for mid-size companies, with full implementation in 12 to 18 months. Companies that also run other governance programs, such as AI governance for agentic AI, can bundle structures sensibly and avoid duplicate work across regulatory tracks.

Phase 1 (weeks 1 to 4): Run the BSI scope assessment, perform a gap analysis against Article 21, appoint a NIS-2 lead with C-level backing. Note that under Article 20 of NIS-2, the management body must approve and oversee the risk management measures and can be held liable for neglecting that duty. That is a meaningful change.

Phase 2 (months 2 to 4): Build an asset inventory, create a supplier register, document the incident response process, and define the escalation chain including the 24-hour notification path. This is also the right moment to evaluate cyber risk insurance.

Phase 3 (months 4 to 8): Roll out technical measures. At minimum: MFA on all privileged accounts, separated administrative accounts, centralized logging, a backup strategy with tested restore procedures, and patch management with defined SLAs.

Phase 4 (months 8 to 12): Train the entire workforce, run regular phishing simulations, conduct tabletop exercises for incident response, build out an ISMS if none exists. Note that training for executive management is explicitly required by NIS-2.

Phase 5 (ongoing): Effectiveness measurement, annual internal audit, continuous improvement. Organizations targeting ISO 27001 can use this phase as preparation for an external certification audit.

Conclusion

NIS-2 is no longer optional, and it is not just a legal department concern. Executive management is personally liable, supervisory audits can be ordered at any time, and the 24-hour notification deadline does not tolerate improvisation. Companies that have not started should plan to begin no later than the second quarter of 2026 with a scope assessment and an honest gap analysis.

We support mid-size clients with NIS-2 implementation, from initial assessment through to a working ISMS. If you need clarity on your status or a pragmatic roadmap, get in touch or take a look at our cloud and security services.

Frequently Asked Questions

Is my company in scope of NIS-2?

If your organization has 50 or more employees or generates more than 10 million euros in annual revenue, and operates in one of the NIS-2 sectors, you fall under the directive. The BSI provides an online scope assessment. Smaller companies can also be in scope as designated critical suppliers, even below the size thresholds.

What does NIS-2 compliance cost in a mid-size company?

Costs vary widely by maturity. A typical mid-size company without an existing ISMS should budget 80,000 to 250,000 euros for initial implementation across 12 to 18 months. Recurring costs for tools, training, and external audits typically range from 30,000 to 80,000 euros per year, depending on technical complexity.

What penalties apply for NIS-2 violations?

For essential entities, fines can reach 10 million euros or 2 percent of global annual turnover, whichever is higher. For important entities, the cap is 7 million euros or 1.4 percent. Personal liability for executive management adds significant weight: leaders can be held accountable individually if oversight duties are demonstrably neglected.

How long does NIS-2 implementation take?

Realistic timelines are 12 to 18 months for a mid-size company without an existing ISMS. Scope assessment and gap analysis take roughly four to six weeks. Building a minimum viable security program takes eight to twelve months. After that comes the effectiveness phase, with internal audits and continuous adjustment until the ISMS is mature.

#nis-2 #compliance #cybersecurity #mid-size #risk management
Martin-Jan Sklorz

CTO – Software Architecture, Cloud & AI Engineering

Designs scalable software architectures and integrates AI into modern cloud environments. Focus on maintainable systems that hold up in daily operations.

Software Architecture, API Design, Backend Development, Microservices, Cloud-native, Kubernetes, LLM Integration, Agent Engineering