NIS2 Directive Explained: What EU Cybersecurity Rules Mean for Your Small Company (2025 Reality Check)

The EU NIS2 Directive brings mandatory cybersecurity requirements for medium and large companies. Learn who's actually affected, what the 10 minimum measures require, realistic implementation steps, and whether your small business needs to comply—explained without the compliance jargon.

Here’s a question I’ve been asked a dozen times in the past six months: “Do we need to worry about NIS2?”

The answer depends entirely on your size, sector, and role in the supply chain.

For many small businesses: No, you’re not directly covered.

For medium-sized companies in critical sectors: Yes, and you should have started months ago.

For everyone else: You’re not covered yet, but your customers might push these requirements onto you through contracts.

Let me walk you through what NIS2 actually is, who it affects, what it requires, and—most importantly—what you should realistically do about it.

What Is NIS2 (In Plain English)

NIS2 is the EU Network and Information Security Directive (version 2), which came into force in January 2023. Member States had until October 17, 2024, to transpose it into national law.

What it does: Establishes mandatory cybersecurity requirements for medium and large companies operating in 18 critical sectors across the EU.

Why it exists: The first NIS Directive (2016) was too limited in scope and inconsistently enforced. NIS2 expands coverage, tightens requirements, and adds real penalties.

The shift: Cybersecurity used to be “best practice” or “nice to have.” NIS2 makes it a legal obligation with financial and personal liability for management.

As of mid-February 2025, only 9 of 27 Member States had fully transposed NIS2, but that doesn’t mean you can ignore it. The EU Commission opened infringement procedures against 23 Member States in November 2024 for missing the deadline, and enforcement is ramping up across 2025.

December 2025 update: Germany completed its NIS2 transposition on December 6, 2025, with the new BSI Act taking effect immediately—no transition period. This is significant because Germany is the EU’s largest economy, and its implementation affects an estimated 29,000 entities (up from ~4,500 under the old rules). German companies must register with the BSI (Federal Office for Information Security) within three months of the law taking effect. If you operate in Germany, compliance is now legally required.

Who NIS2 Actually Affects

The Size Threshold (This Is Where Most SMBs Relax)

NIS2 applies to medium and large companies:

  • 50+ employees, OR
  • €10M+ annual revenue, OR
  • €10M+ balance sheet total

If you’re under these thresholds, you’re generally exempt from direct NIS2 obligations.

Important exception: Even if you’re small, if you’re a critical supplier to covered entities, they may require you to meet similar cybersecurity standards through contracts. This is supply chain pressure, not direct regulation—but the outcome is similar.

The 18 Covered Sectors

NIS2 covers entities operating in these sectors:

Essential Entities (higher criticality, stricter penalties):

  1. Energy (electricity, oil, gas, hydrogen)
  2. Transport (air, rail, water, road)
  3. Banking and financial market infrastructure
  4. Health (hospitals, labs, pharma manufacturers)
  5. Drinking water
  6. Wastewater
  7. Digital infrastructure (internet exchange points, DNS providers, TLD registries, cloud providers, data centers, CDNs)
  8. ICT service management (managed service providers, managed security providers)
  9. Public administration
  10. Space

Important Entities (important but less critical):

  11. Postal and courier services
  12. Waste management
  13. Chemicals production and distribution
  14. Food production, processing, and distribution
  15. Manufacturing (medical devices, electronics, machinery, motor vehicles, etc.)
  16. Digital providers (online marketplaces, search engines, social networks)
  17. Research organizations

Detailed sector breakdowns are available from ENISA, but the practical question is: does your business fall into one of these categories, and are you above the size threshold?

Three Scenarios

Sarah (Non-Technical Founder, SaaS Startup, 12 people, €800K revenue):

  • Not covered – under the size threshold
  • But: If you sell to healthcare, finance, or government, they may require ISO 27001 or similar as a contract condition
  • Action: Monitor customer requirements, build basic security hygiene now so you’re ready when needed

Daniel (CTO, Manufacturing Company, 80 employees, €15M revenue):

  • Covered – manufacturing sector, above size threshold
  • Category: Important entity (assuming not medical devices or critical defense manufacturing)
  • Action: Must implement the 10 minimum measures, report incidents, ensure management accountability
  • Deadline: Implementation should be complete by now (national transposition deadlines have passed)

Marcus (SMB Owner, Local Services, 8 people, €1.2M revenue):

  • Not covered – under size threshold, not in a covered sector
  • Action: Ignore NIS2 unless customers start asking about it

The 10 Minimum Cybersecurity Measures (Article 21)

If you’re covered by NIS2, you must implement these 10 measures. Article 21 of the NIS2 Directive lists them explicitly:

1. Risk Analysis and Information System Security Policies

What it means: Systematically identify, analyze, and document cybersecurity risks to your IT systems.

Practically:

  • Conduct annual risk assessments
  • Document which systems are critical
  • Identify threats (ransomware, data breaches, insider threats)
  • Assess likelihood and impact
  • Create a written risk management policy

Not: A 200-page document. A practical risk register showing what could go wrong, how likely, how bad, and what you’re doing about it.

2. Incident Handling

What it means: Have documented processes for detecting, responding to, and recovering from cybersecurity incidents.

Practically:

  • Define what constitutes an “incident” (ransomware, data breach, DDoS, system compromise)
  • Document who to contact (internal team, external support, authorities)
  • Test incident response procedures annually
  • Report significant incidents to national authorities within 24 hours

The 24-hour reporting requirement is strict: Detection → 24 hours to notify → 72 hours for initial assessment → 1 month for final report.
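To make the scoping test from the size threshold, the sector lists and the three scenarios above concrete, and to turn the 24-hour / 72-hour / one-month chain into actual dates, here is an added Python example; it is my illustration, not code from this article or from ENISA. The sector keys, the sample entities and their sector labels are assumptions made for the example.

```python
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Sector groupings as the article lists them (Annex I = essential,
# Annex II = important). The keys are short labels chosen for this example.
ESSENTIAL_SECTORS = {
    "energy", "transport", "banking and financial market infrastructure",
    "health", "drinking water", "wastewater", "digital infrastructure",
    "ict service management", "public administration", "space",
}
IMPORTANT_SECTORS = {
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing", "digital providers", "research",
}
# Size thresholds from the article: meeting any ONE of them counts.
MIN_EMPLOYEES = 50
MIN_REVENUE_EUR = 10_000_000
MIN_BALANCE_SHEET_EUR = 10_000_000

@dataclass
class Entity:
    name: str
    sector: str                  # free text, matched case-insensitively
    employees: int
    revenue_eur: float
    balance_sheet_eur: float = 0.0

@dataclass
class ScopeResult:
    covered: bool
    category: str                # "essential", "important" or "not covered"
    reasons: list[str] = field(default_factory=list)

def size_reasons(e: Entity) -> list[str]:
    """Size criteria that are met; an empty list means below the threshold."""
    hits = []
    if e.employees >= MIN_EMPLOYEES:
        hits.append(f"{e.employees} employees >= {MIN_EMPLOYEES}")
    if e.revenue_eur >= MIN_REVENUE_EUR:
        hits.append(f"revenue EUR {e.revenue_eur:,.0f} >= {MIN_REVENUE_EUR:,}")
    if e.balance_sheet_eur >= MIN_BALANCE_SHEET_EUR:
        hits.append(f"balance sheet EUR {e.balance_sheet_eur:,.0f} >= {MIN_BALANCE_SHEET_EUR:,}")
    return hits

def classify(e: Entity) -> ScopeResult:
    """Article's two-part test: above the size threshold AND in a listed sector.
    The article groups by sector only; the directive also distinguishes by size
    within Annex I and has sector-specific exceptions, so treat this as a first
    screen and confirm the category against your national transposition."""
    sector = e.sector.strip().lower()
    hits = size_reasons(e)
    if not hits:
        return ScopeResult(False, "not covered", ["below size threshold"])
    if sector in ESSENTIAL_SECTORS:
        return ScopeResult(True, "essential", hits + [f"'{sector}' is an Annex I sector"])
    if sector in IMPORTANT_SECTORS:
        return ScopeResult(True, "important", hits + [f"'{sector}' is an Annex II sector"])
    return ScopeResult(False, "not covered", hits + [f"'{sector}' is not a listed sector"])

def add_one_month(dt: datetime) -> datetime:
    """One calendar month later, clamped to month end (Jan 31 -> Feb 28/29)."""
    year, month = dt.year + dt.month // 12, dt.month % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))

def reporting_deadlines(detected_iso: str) -> dict[str, str]:
    """Deadline chain from the article: 24 h early warning, 72 h notification,
    then one month for the final report, counted from the notification (Art. 23(4))."""
    detected = datetime.fromisoformat(detected_iso)
    notification = detected + timedelta(hours=72)
    return {
        "early_warning": (detected + timedelta(hours=24)).isoformat(),
        "incident_notification": notification.isoformat(),
        "final_report": add_one_month(notification).isoformat(),
    }

# Constructed entities for the article's three scenarios (the sector labels
# for Sarah and Marcus are assumptions; neither is a listed sector).
SCENARIOS = [
    Entity("Sarah - SaaS startup", "software services", 12, 800_000),
    Entity("Daniel - manufacturer", "manufacturing", 80, 15_000_000),
    Entity("Marcus - local services", "local services", 8, 1_200_000),
]
```

Run `classify()` over `SCENARIOS` to reproduce the three verdicts above, and feed the detection timestamp from your incident ticket into `reporting_deadlines()` to get the three dates you must put on the calendar.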

3. Business Continuity (Backup, Contingency, Crisis Management)

What it means: Ensure you can continue operating (or quickly recover) after a major incident.

Practically:

  • Regular, tested backups (see: Why Your Backups Will Fail)
  • Disaster recovery plan documented and tested
  • Alternative systems/processes if primary systems fail
  • Crisis management procedures (who decides what during an emergency)

Key: “Tested” is mandatory. Untested backups don’t count.

Quick check: Take the free Backup Health Check to assess your 3-2-1 compliance and protection against ransomware and silent failures (3 minutes).

4. Supply Chain Security

What it means: Assess and manage cybersecurity risks from your suppliers and service providers.

Practically:

  • List your critical suppliers (cloud providers, SaaS vendors, outsourced IT, payment processors)
  • Assess their cybersecurity practices (Do they have ISO 27001? SOC 2? Basic hygiene?)
  • Document security requirements in contracts
  • Monitor for breaches affecting suppliers

This is where small companies feel NIS2 indirectly: Large companies push requirements down the supply chain through contracts.

Assessment tool: Check your vendor dependency risk, which evaluates risks from developers, agencies, and service providers (10 questions, 5 minutes).

5. Security in Acquisition, Development, and Maintenance

What it means: Build security into systems from the start, not bolt it on later. Handle vulnerabilities responsibly.

Practically:

  • Security requirements in procurement (don’t buy insecure software/hardware)
  • Secure software development practices (if you build software)
  • Patch management process (apply security updates promptly)
  • Vulnerability disclosure policy (how people report security issues to you)

6. Policies to Assess Effectiveness of Measures

What it means: Regularly check if your security measures actually work.

Practically:

  • Annual security audits or assessments
  • Penetration testing (external experts attempt to breach your systems)
  • Review logs and monitoring data
  • Measure compliance with internal policies
  • Update measures based on findings

7. Basic Cyber Hygiene and Training

What it means: Everyone in the organization understands basic security practices.

Practically:

  • Annual cybersecurity training for all staff
  • Phishing awareness training
  • Password policies (complexity, MFA requirements)
  • Clean desk policies
  • Secure configuration of laptops/workstations
  • Regular patching and updates

Not rocket science: This is blocking and tackling—password managers, MFA, don’t click suspicious links, lock your laptop.

8. Cryptography and Encryption Policies

What it means: Use encryption where appropriate to protect data.

Practically:

  • Encrypt sensitive data at rest (databases, file storage)
  • Encrypt data in transit (HTTPS, VPNs, encrypted email for sensitive data)
  • Manage encryption keys securely
  • Document when and how encryption is used

Where it matters: Customer data, financial data, health data, authentication credentials.

9. Human Resources Security, Access Control, Asset Management

What it means: Control who has access to what, manage employee lifecycle, track your assets.

Practically:

  • Access control: Least privilege (users only access what they need), role-based permissions, MFA for administrative access
  • HR security: Background checks for sensitive roles, onboarding/offboarding procedures (revoke access when people leave)
  • Asset management: Inventory of all IT assets (servers, laptops, software licenses, SaaS subscriptions)

10. Multi-Factor Authentication (MFA)

What it means: Require MFA for access to critical systems.

Practically:

  • MFA for email accounts
  • MFA for admin access to servers, databases, cloud platforms
  • MFA for remote access (VPNs)
  • Consider continuous authentication for high-risk scenarios

This is low-hanging fruit: Most modern systems support MFA. Turn it on.

What Compliance Actually Looks Like

Let me translate the 10 measures into a realistic implementation roadmap:

Phase 1: Foundation (Months 1-3)

Goal: Basic hygiene and quick wins.

Tasks:

  • Enable MFA everywhere (email, cloud platforms, admin access)
  • Implement basic access control (who can access what)
  • Start regular backups and test restoration once
  • Create asset inventory (what systems, software, and services you use)
  • Basic staff training (phishing, passwords, lock laptops)
  • Appoint someone responsible for cybersecurity (even if it’s a secondary duty)

Cost: €2,000-5,000 for small external support, or internal time if you have capable IT staff.

Phase 2: Documentation and Processes (Months 4-6)

Goal: Document policies and procedures.

Tasks:

  • Risk assessment and register
  • Incident response plan
  • Business continuity and disaster recovery plan
  • Access control policies
  • Supplier security assessment
  • Vulnerability management process

Cost: €5,000-15,000 if you hire external consultants to help document, or significant internal time.

Shortcut: If you already have ISO 27001, you’ve done most of this. ENISA’s NIS2 guidance explicitly maps NIS2 to ISO 27001 controls.

Phase 3: Technical Implementation (Months 7-9)

Goal: Implement technical controls and testing.

Tasks:

  • Encryption at rest and in transit
  • Logging and monitoring systems
  • Automated backup verification
  • Penetration testing (external)
  • Patch management automation
  • Security awareness training platform

Cost: €10,000-30,000 depending on scale and whether you use existing tools or buy new ones.

Phase 4: Testing and Refinement (Months 10-12)

Goal: Verify everything works and document evidence.

Tasks:

  • Disaster recovery test (actually restore from backup)
  • Incident response tabletop exercise
  • Review and update risk register
  • Supply chain security reviews
  • Management training on cybersecurity oversight
  • Gap analysis against ENISA guidance

Cost: €3,000-8,000 for external testing and review.

Total realistic cost for medium company: €20,000-60,000 over 12 months, depending on starting point and whether you use internal staff vs. external consultants.

The hidden cost: Internal time. Even with external help, someone from your team needs to coordinate, provide information, and implement changes.

Management Accountability (This Is New)

NIS2 explicitly requires management to oversee cybersecurity.

Article 20 states: Management bodies must oversee, approve, and be trained on cybersecurity measures and risks.

What this means practically:

  • Board/senior management must receive regular cybersecurity briefings (quarterly is typical)
  • Cybersecurity risk must be a standing agenda item, not something discussed only after incidents
  • Management approves the cybersecurity budget, policies, and risk acceptance decisions
  • Management receives training on cybersecurity risks relevant to the business

Personal liability: In case of breaches due to non-compliance, management can face liability, including temporary bans from management roles.

Germany-specific (December 2025): The German BSI Act makes this explicit—management board members are personally liable for cybersecurity oversight. Greenberg Traurig notes that “cybersecurity is now a board-level issue” in Germany, with no ability to delegate accountability away from management.

This is the big shift: You can’t delegate cybersecurity entirely to IT anymore. Management owns it.

Penalties (They’re Real)

Essential Entities:

  • Up to €10 million or 2% of global annual revenue (whichever is higher)

Important Entities:

  • Up to €7 million or 1.4% of global revenue

For context: A manufacturing company with €50M revenue faces potential fines up to €1M (important entity) or up to €10M if classified as essential.

Beyond fines:

  • Reputational damage from public disclosure of non-compliance
  • Customers may terminate contracts
  • Personal liability for management
  • Temporary ban from management positions for serious violations

The penalties are designed to hurt enough that ignoring NIS2 is more expensive than compliance.

What Sarah, Daniel, and Marcus Should Do This Month

For Sarah (Small SaaS, Not Covered, But Customers May Ask)

Your situation: Not directly covered by NIS2, but customers in covered sectors may require proof of cybersecurity practices.

This month:

  1. Check if any current or potential customers are NIS2-covered (healthcare, finance, government, manufacturing)
  2. If yes, expect RFPs to ask: “Are you ISO 27001 certified?” or “What cybersecurity framework do you follow?”
  3. Implement basic hygiene now:
    • Enable MFA everywhere
    • Regular, tested backups
    • Security awareness training for staff
    • Document your security practices (even informally)

Why now: It’s easier to build good practices into a 12-person company than retrofit them into a 50-person company later.

Quick assessment: Check your security audit readiness to see where you stand on GDPR compliance and basic security controls.

Action: Book a quick call to discuss a lightweight security framework that satisfies customer questions without enterprise overhead.

For Daniel (Medium Manufacturing, Covered by NIS2)

Your situation: You’re covered. Implementation should be underway or complete.

This month:

  1. Gap analysis: Map current practices against the 10 minimum measures. Use ENISA’s technical guidance as a checklist.
  2. Appoint responsibility: Designate someone (CTO, IT Manager, external consultant) as the cybersecurity responsible person.
  3. Management briefing: Schedule quarterly cybersecurity updates for senior management/board.
  4. Quick wins:
    • Enable MFA for all critical systems (if not done already)
    • Test backup restoration (schedule it this month)
    • Create asset inventory
    • Start supplier security assessment (list critical suppliers, document their security posture)
  5. Incident reporting: Understand your national authority for incident reporting (varies by Member State).
  6. Documentation: Begin documenting policies and procedures (or hire someone to help).

Realistic timeline: If you’re starting from zero, plan 12 months to full compliance. If you’re already following ISO 27001 or NIST CSF, you’re 6-9 months out.

Action: Need a fractional CTO to lead this? Let’s talk. I can conduct gap analysis, create documentation, implement technical controls, and serve as your designated cybersecurity owner for management reporting.

For Marcus (Small Local Business, Not Covered, No Plans to Be)

Your situation: NIS2 doesn’t apply. You’re fine.

This month:

  1. Relax about NIS2. It’s not your problem unless you grow significantly or enter a covered sector.
  2. But don’t ignore basic security:
    • Backups (test them occasionally)
    • MFA on email and bank accounts
    • Keep software updated
    • Train staff not to click phishing links

Why: Not for compliance—for business survival. Ransomware doesn’t check if you’re NIS2-covered before encrypting your files.

Action: Run the free website health check to catch obvious issues. That’s sufficient.

How a Fractional CTO Helps with NIS2 (Without the Enterprise Overhead)

For medium-sized companies newly covered by NIS2, the question is: Do we hire a full-time cybersecurity/compliance person?

Often, no. Here’s why a fractional CTO or infrastructure partner makes more sense:

What I do for NIS2 compliance:

  1. Gap analysis – Review current practices, map to the 10 minimum measures, identify what’s missing.
  2. Implementation roadmap – Prioritize actions, create realistic timeline, estimate costs.
  3. Technical controls – Implement MFA, logging, monitoring, encryption, backup verification, patch management.
  4. Documentation – Write policies, procedures, risk registers in plain language (not compliance theater).
  5. Supplier assessment – Review critical suppliers, document security requirements, manage vendor risk.
  6. Incident response – Create incident response plan, conduct tabletop exercises, establish reporting procedures.
  7. Management reporting – Serve as the designated cybersecurity responsible person, provide quarterly briefings to management.
  8. Testing – Coordinate penetration tests, disaster recovery tests, security audits.

Why fractional vs. full-time:

  • Cost: €50,000-80,000/year for full-time cybersecurity manager vs. €15,000-30,000/year for fractional support (10-20 hours/month).
  • Expertise: Fractional CTOs have implemented NIS2 compliance for multiple companies—you get pattern recognition, not learning on the job.
  • Flexibility: Scale up during implementation, scale down to maintenance mode after compliance is achieved.

What you keep in-house: Day-to-day IT operations, help desk, application development. Cybersecurity strategy, compliance, and oversight are where fractional support shines.

Book a consultation if you’re covered by NIS2 and not sure where to start.

The Pattern: Infrastructure Hygiene Is No Longer Optional

NIS2 follows a familiar pattern:

GDPR (2018) made data privacy mandatory. NIS2 (2024-2025) makes cybersecurity mandatory.

What’s next? Likely:

  • Expanded scope – threshold drops from 50 employees to smaller companies
  • Stricter enforcement – as Member States finish transposition, penalties increase
  • Supply chain mandates – covered entities push requirements to smaller suppliers

The takeaway: Infrastructure used to be “best effort.” Now it’s becoming compliance-driven.

This isn’t fearmongering—it’s the trend. Better to build good practices now than scramble when enforcement arrives at your doorstep.

Related: This compliance pressure extends beyond NIS2. See 8 Website Problems Your Developer Isn’t Mentioning for other infrastructure hygiene issues that silently accumulate until they become crises.

Start Here

You have three options:

Option A: You’re Not Covered (Relax, But Build Basic Hygiene)

  1. Verify you’re actually not covered (check size + sector)
  2. Implement basic security hygiene (MFA, backups, training)
  3. Monitor if customers start asking about your security practices
  4. If they do, revisit ISO 27001 or SOC 2 as customer assurance

Timeline: No deadline. Do it as bandwidth allows.

Option B: You’re Covered and Haven’t Started (Start Now)

  1. Conduct gap analysis against the 10 minimum measures
  2. Appoint someone responsible for leading this (internal or external)
  3. Quick wins: MFA, backup testing, asset inventory
  4. Build 12-month roadmap for full compliance
  5. Schedule first management cybersecurity briefing

Timeline: 12 months to compliance. Start this month.

Option C: You’re Covered and Need Expert Help (Get Support)

  1. Book a consultation – I’ll review your current state and explain what’s needed
  2. I conduct gap analysis and provide implementation roadmap with costs
  3. We implement technical controls, documentation, and testing over 6-12 months
  4. You get quarterly management reports showing compliance status
  5. Ongoing fractional support for maintenance and incident response

Timeline: Initial consultation this week, roadmap in 2 weeks, implementation over 6-12 months.

Key Takeaways

What NIS2 is:

  • EU directive requiring mandatory cybersecurity measures for medium/large companies in critical sectors
  • Member States transposing into national law (Germany went live December 6, 2025 with no transition period)
  • 10 minimum technical and organizational measures required

Who’s affected:

  • Medium/large companies (50+ employees OR €10M+ revenue) in 18 critical sectors
  • Small companies may face indirect requirements through supply chain contracts

What’s required:

  • 10 minimum measures (risk analysis, incident handling, backups, supply chain security, MFA, training, etc.)
  • 24-hour incident reporting to national authorities
  • Management oversight and accountability

Penalties:

  • Essential entities: up to €10M or 2% of revenue
  • Important entities: up to €7M or 1.4% of revenue
  • Management liability including temporary bans from roles

How long it takes:

  • ~12 months for full compliance from zero
  • Faster if you already follow ISO 27001 or similar frameworks
  • Cost: €20,000-60,000 depending on size and starting point

Remember: If you’re not covered, don’t panic. If you are covered, start now. If customers are asking about your security practices, build basic hygiene even if you’re not directly covered.

Frequently Asked Questions

Does NIS2 apply to my company?

NIS2 applies if you’re a medium or large company (50+ employees OR €10M+ revenue) operating in one of 18 critical sectors (energy, transport, healthcare, digital infrastructure, manufacturing, food, etc.). Small businesses under these thresholds are generally exempt from direct obligations. However, if you’re a supplier to covered companies, they may require you to meet similar standards as part of supply chain security.

What are the penalties for non-compliance?

Essential entities face fines up to €10 million or 2% of global annual revenue (whichever is higher). Important entities face up to €7 million or 1.4% of global revenue. Management can also be held personally liable, including temporary bans from management roles. Member states began enforcement procedures in late 2024, with escalating enforcement through 2025.

What’s the difference between ‘essential’ and ‘important’ entities?

Essential entities provide highly critical services (like energy grids, hospitals, major banks) and face stricter penalties. Important entities provide important but less critical services (like postal, food production, manufacturing). Both must implement the same 10 minimum cybersecurity measures, but essential entities have higher fines and stricter oversight.

How long does NIS2 compliance take?

A typical compliance process—including security assessments, gap analysis, implementation of technical controls, staff training, and documentation—takes approximately 12 months. However, if you already follow ISO 27001, NIST CSF, or similar frameworks, you’re likely 60-70% there already. The challenge isn’t usually technology; it’s documentation, processes, and management accountability.

Can we just implement ISO 27001 and be NIS2 compliant?

ISO 27001 is an excellent foundation. ENISA’s NIS2 guidance explicitly maps requirements to ISO 27001 controls. If you’re ISO 27001 certified, you’ve addressed most technical requirements. However, NIS2 adds specific obligations like 24-hour incident reporting, supply chain security documentation, and mandatory management oversight that go beyond ISO 27001’s scope. Think of ISO 27001 as 70% of the journey.

What is the 24-hour incident reporting requirement?

If you experience a significant cybersecurity incident, you must notify your national authority within 24 hours of detection. You then have 72 hours to provide an initial assessment, and one month for a final report. ‘Significant’ means incidents that cause or could cause operational disruption, financial loss, or affect other entities. The low threshold means most security incidents require reporting.

Do we need a dedicated cybersecurity team?

NIS2 doesn’t mandate team size, but it requires management to oversee cybersecurity, approve measures, and be trained on risks. For most SMBs, this means: designating someone (CTO, IT Manager, or external consultant) responsible for cybersecurity, ensuring management receives quarterly briefings, and having external support for specialized tasks like penetration testing or incident response. A full team isn’t required—accountability is.

What if our Member State hasn’t transposed NIS2 into law yet?

Transposition is accelerating. Germany completed its implementation on December 6, 2025, with no transition period—immediately binding. As of late 2025, more Member States are finalizing national laws. The EU Commission opened infringement procedures against 23 Member States in November 2024 for missing the October 2024 deadline. Even if your country hasn’t finalized national law, start implementing measures now—when it arrives, it may arrive without a grace period (as Germany demonstrated).

How does NIS2 affect our suppliers and vendors?

Article 21 requires you to address ‘supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.’ Practically: you must assess cybersecurity risks from suppliers, document those relationships, and potentially require suppliers to meet minimum security standards. If you buy from covered entities, they’ll push these requirements down to you.

Can a fractional CTO help with NIS2 compliance?

Yes. A fractional CTO can conduct gap analysis, map your current practices to the 10 minimum measures, implement missing technical controls, create documentation and policies, train your team, and serve as the designated cybersecurity responsible person for management reporting. For most SMBs, this is more cost-effective than hiring a full-time compliance specialist—you get expertise when you need it, without the overhead.