NIS2 Checklist for SMEs: 10 Measures You Must Implement Now

2026-06-15T18:14:38+02:00 | 29.05.2026 | Cloud, IT security

What should you know about NIS2? Does it affect your company?
NIS2 is the EU directive on network and information security, which has been transposed into German national law since December 2025 through the NIS2 Implementation Act (NIS2UmsuCG). It obliges companies with 50 or more employees in 18 regulated sectors to implement specific IT security measures – including personal liability of management in case of violations.

Many SMEs still underestimate the scope of the directive, and many are asking themselves: are we even affected by NIS2? In this article, you will find a practical NIS2 checklist that allows you to assess within minutes whether your company is affected and which measures you should implement right away. We would be happy to support you on your journey towards NIS2 compliance.

Am I affected by NIS2 as an SME?

Before you go through the list, we recommend that you first determine whether your organization is subject to NIS2. NIS2 generally applies to organizations that meet all three of the following criteria. However, caution is advised: even if your organization does not directly meet the criteria below, it may still be subject to NIS2 indirectly through its supply chain.

Criterion                        | Threshold
Employees                        | 50 or more
Annual turnover or balance sheet | €10 million or more
Sector                           | One of 18 regulated sectors – see full list below
Which 18 sectors are affected by NIS2?

NIS2 differentiates between two groups: 11 sectors of high criticality (Annex 1) and 7 additional critical sectors (Annex 2).

Annex 1 — Sectors of High Criticality

#  | Sector                          | Examples
1  | Energy                          | Electricity, district heating, natural gas, oil, hydrogen
2  | Transport                       | Aviation, rail, maritime, road transport
3  | Banking                         | Credit institutions
4  | Financial market infrastructure | Trading venues, central counterparties
5  | Healthcare                      | Hospitals, laboratories, pharmaceuticals
6  | Drinking water                  | Water suppliers
7  | Wastewater                      | Wastewater treatment
8  | Digital infrastructure          | Cloud providers, data centres, DNS
9  | ICT services (B2B)              | Managed service providers, IT service providers
10 | Public administration           | Government authorities at federal and state level
11 | Space                           | Satellite operators, space infrastructure

Annex 2 — Additional Critical Sectors

#  | Sector                      | Examples
12 | Postal and courier services | Parcel delivery, mail services
13 | Waste management            | Disposal companies, recycling
14 | Chemicals                   | Chemical industry, hazardous materials
15 | Food                        | Production, processing, wholesale
16 | Manufacturing               | Mechanical engineering, medical technology, automotive
17 | Digital services            | Online marketplaces, search engines, social networks
18 | Research                    | Research institutions, universities

Source: NIS2UmsuCG, Annexes 1 and 2 – BSI, NIS-2 regulated companies (in force since 6 December 2025)

Important: An estimated 80% of affected companies are still unaware that they fall under NIS2. By the BSI registration deadline on 6 March 2026, only 38.5% of affected companies had registered. Companies that have not yet acted are already in violation of applicable law.

Not sure whether your sector is affected? The German Federal Office for Information Security (BSI) offers a free assessment tool – get clarity within 5 minutes.

Indirect impact: When NIS2 affects you via the supply chain

Even if your business does not belong to one of the 18 sectors or does not meet the thresholds, you may still be indirectly affected by NIS2.

As supply chains become increasingly digitalised, cyber risks grow significantly. The German BSI Act requires companies that fall under NIS2 to ensure the security of their entire supply chain.

In practical terms, this means: if your customer is subject to NIS2, they are legally obliged to pass on security requirements to you as a supplier or service provider.

Figure: NIS2 – security risks in the supply chain arising from interconnected companies and shared vulnerabilities.

What NIS2 requires from affected companies regarding their supply chain

  • Contractual agreements (SLAs) with suppliers covering risk management, incident response, and patch management

  • Ensuring suppliers implement security by design and security by default

  • Requiring suppliers to consider BSI recommendations for their own supply chains

What this means for SMEs

A single compromised supplier can disrupt IT systems, cause data breaches, and interrupt business operations. The more complex the supply chain, the larger the attack surface. NIS2-regulated customers are aware of this – and will take action.

Practical tip: Ask your five largest customers whether they fall under NIS2. If they do, contractual cybersecurity requirements will soon be passed on to you. Being prepared now gives you a clear competitive advantage. We would be happy to assist you in achieving compliance.

NIS2 Checklist for SMEs: 10 Measures

1. Complete BSI registration

The registration deadline with the German Federal Office for Information Security (BSI) was in March 2026. Companies that have not yet registered should do so immediately. Registration is completed via the BSI portal and requires information about company size, sector, and responsible security personnel.

Immediate action: Conduct a BSI applicability assessment and complete registration without delay.

2. Appoint an Information Security Officer (ISO)

NIS2 establishes the personal responsibility of senior management. Delegating responsibility solely to the IT department is no longer sufficient. Managing directors and board members are personally liable in the event of non-compliance.

Immediate action: Appoint and formally document an Information Security Officer (ISO) at management level.

3. Enable MFA

MFA is one of the most effective and fastest measures against unauthorised access — even if passwords have been compromised. NIS2 explicitly requires MFA for all critical systems.

Immediate action: Enable MFA for email, VPN, cloud access, and ERP systems. This can typically be implemented within a few hours.

4. Implement patch management

Known software vulnerabilities are the most common entry point for cyberattacks. NIS2 requires a structured approach to regularly updating all IT systems.

Immediate action: Define a fixed patch cycle (e.g. monthly) and document it in writing. Apply critical patches within 72 hours. Conduct regular penetration tests.

5. Backup & recovery testing

Data backups alone are no longer sufficient, as NIS2 requires documented recovery testing. Only those who regularly test their backups can respond quickly in an emergency.

Immediate action: Implement the 3-2-1 backup rule (3 copies, 2 different media, 1 offsite) and schedule quarterly recovery tests.

6. Review access rights

Excessive access rights represent an underestimated security risk. The principle of least privilege is a core component of NIS2 requirements.

Immediate action: Review all user accounts and access rights. Disable inactive accounts and reduce admin privileges to the minimum necessary.

7. Create an incident response plan

NIS2 requires affected companies to report security incidents: significant incidents must be reported to the BSI within 24 hours, followed by a full report within 72 hours.

Immediate action: Establish a simple incident response plan: Who is informed and when? Who reports to the BSI? Who communicates externally?

8. Review supply chain

NIS2 also extends to the supply chain. Customers and contracting parties will increasingly require proof of security measures from their suppliers.

Immediate action: Review contracts with IT service providers and critical suppliers for security requirements and update them if necessary.

9. Plan employee training

Human error is the most common cause of security incidents. NIS2 requires verifiable training for both management and employees.

Immediate action: Plan at least one annual security awareness training and document participation. We recommend phishing simulations as a particularly effective training component.

10. Document policies

Verbal agreements are no longer sufficient. NIS2 requires documented policies covering information security, password management, access rights, and emergency procedures.

Immediate action: Create a basic set of information security policies — this is also feasible for SMEs without ISO 27001 certification.

Overview: NIS2 Checklist at a Glance

#  | Measure                                         | Effort | Priority
1  | Complete BSI registration                       | Low    | 🔴 Immediate
2  | Appoint an Information Security Officer (ISO)   | Low    | 🔴 Immediate
3  | Enable MFA                                      | Low    | 🔴 Immediate
4  | Implement patch management                      | Medium | 🔴 Immediate
5  | Backup & recovery testing                       | Medium | 🟠 This week
6  | Review access rights                            | Low    | 🟠 This week
7  | Create an incident response plan                | Medium | 🟠 This week
8  | Review supply chain                             | Medium | 🟡 This month
9  | Plan employee training                          | Medium | 🟡 This month
10 | Document policies                               | High   | 🟡 This month

What happens if you do not comply?

The consequences of non-compliance with NIS2 are severe:
  • Fines of up to €10 million or 2% of global annual turnover
  • Personal liability of management in case of proven violations
  • Exclusion from supply chains if customers require compliance proof
  • Reputational damage in case of publicly known security incidents
According to the BSI, around 29,500 companies in Germany have been affected since December 2025.

How long does NIS2 implementation take?

From our consulting experience with SMEs, full NIS2 implementation typically takes 3 to 6 months:
  • Weeks 1-2: Assessment and initial analysis
  • Weeks 3-6: Implement quick wins (MFA, backups, patch management)
  • Weeks 7-12: Review supply chains and establish governance structures
  • Weeks 13-15: Test and document incident response scenarios

Whoever starts now can implement this with precision and structure and will not have to scramble at the last minute. Find the full roadmap here: NIS2 Implementation – Immediate Measures and Long-Term Roadmap

Conclusion

NIS2 is not just a bureaucratic obligation – it is an opportunity to strengthen your IT security in a structured way.
Companies that act early are not only compliant, but also more resilient to cyberattacks and better positioned in competitive tenders.

The 10 measures outlined in this checklist provide a practical starting point. Many can be implemented within just a few days – without major investments.

Note: This article provides general guidance on NIS2 and does not replace individual legal or compliance advice. Every company has a different starting point. Feel free to contact us and we will assess your specific situation together.

Request your free NIS2 consultation

Not sure where to start? netX consult supports SMEs throughout the entire NIS2 implementation process, from initial assessment to operational execution and employee training. We offer a free 15-minute consultation without obligation or sales pressure.
With over 20 years of experience in complex IT environments, we know how to implement even demanding compliance requirements pragmatically. Book your consultation now below.

Does NIS2 also apply to small companies with fewer than 50 employees?

Generally not, but there are exceptions. Companies that provide critical services (e.g., in healthcare or digital infrastructure) may also be affected below the thresholds. In addition, large companies subject to NIS2 are increasingly requiring compliance evidence from their suppliers.

Can I implement NIS2 as an SME myself, or do I need external consultants?

Simple immediate measures such as activating MFA or setting up your backup system can be carried out internally and immediately. For governance structures, policy guidance and supply chain review, we recommend external support – especially if no dedicated internal IT security team has been appointed.

What is the first step in implementing NIS2?

The first step is to assess whether you are affected. The BSI provides a free online tool for this: betroffenheitspruefung-nis-2.bsi.de. After that, you should complete the BSI registration, if you have not already done so.

What is NIS2 in simple terms?

NIS2 is an EU directive on cybersecurity that has been in effect in Germany since December 2025. It requires companies with 50 or more employees in 18 sectors to implement specific IT security measures, with personal liability for management.

What Penalties Will We Face for Non-Compliance?

The amount of the penalty depends on the sector and the severity of the infringement, and can be up to 10 million Euros or 2% of the global annual turnover. This is another reason not to take the NIS2 directive lightly.

Is it Primarily IT or Management that Needs to Act?

Collaboration is crucial: Both the IT department and management must take action. The IT department implements technical security measures, while management ensures that resources, policies, and processes are in place. Both levels must work together to meet the requirements of the NIS2 directive and ensure the company’s cybersecurity. As non-compliance is often due to management issues, management should take the situation particularly seriously.