NIS2: The Underestimated Obligation for SMEs and Suppliers
NIS 2 obliges SMEs and suppliers to meet higher cybersecurity standards, reporting channels and ISMS integration for greater digital resilience.

Abstract:
EU Directive 2022/2555 ("NIS 2") marks a milestone for cybersecurity in Europe. It demands a high, uniform level of protection across 18 critical sectors and, for the first time, massively extends obligations to small and medium-sized enterprises (SMEs) and suppliers. Unlike its predecessor NIS 1, NIS 2 is based on mandatory requirements rather than mere recommendations, introducing strict governance, risk and reporting obligations (European Commission, 2022). This article explains the academic background of the NIS 2 Directive and its legal framework, analyses the new requirements in detail, from governance and ISMS integration through technical and organisational measures to supply chain security, and critically compares NIS 2 with ISO 27001, TISAX and DORA. Using a practical example from the mechanical engineering sector, challenges and solution approaches for implementation are outlined. The discussion explores why "NIS 2 compliance in SMEs" is widely underestimated and what economic and organisational impacts this entails. Finally, recommendations for action are given, including the use of integrated GRC platforms such as Kopexa, to implement NIS 2 efficiently and leverage synergies with existing standards.
1. Introduction: Context of the EU NIS 2 Directive and Societal Relevance
The Network and Information Security Directive (NIS 2), officially Directive (EU) 2022/2555, is the updated EU cybersecurity directive and entered into force in January 2023 (European Commission, 2022). It replaces NIS 1 from 2016, whose scope and security requirements were considered outdated given the threat landscape. The aim of NIS 2 is to achieve a uniformly high level of cybersecurity across Europe. To this end, it significantly expands the scope of application and harmonises the rules for risk management, incident reporting and supervision. For the first time, many small and medium-sized enterprises and suppliers are legally obliged to implement adequate cybersecurity measures, an aspect that has often been underestimated in practice.
The societal relevance of NIS 2 stems from the increasing digitisation of critical services and the growing vulnerability of modern supply chains. Europe is confronted with ever more sophisticated cyber threats, from ransomware attacks on hospitals to sabotage of energy and water supplies. The Directive responds by regulating not only traditional critical infrastructure operators but also public administration, postal and courier services, waste management, digital services (e.g. social networks) and manufacturers of critical products. NIS 2 thus directly addresses vital societal functions and indirectly the entire ecosystem of suppliers to these sectors. The risks of supply disruptions through cyberattacks, with potentially severe economic and social damage, are to be minimised through preventive security standards and reporting channels (ENISA, 2022).
Politically, NIS 2 reflects the paradigm shift towards an active cyber-resilience strategy. As with the General Data Protection Regulation (GDPR), the EU is now relying on binding requirements and significant sanctions in cybersecurity to enforce uniform minimum standards (Lemnitzer & Prockl, 2023). The Directive is regarded as a "quantum leap" since, compared with the predecessor regulation, it brings an estimated ten times more companies under obligation. Each EU Member State had to transpose the requirements into national law by October 2024. In Germany, this is being done through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which amends the existing BSI Act and is often referred to as "Information Security Act 2.0". Although implementation was delayed, the Act is expected to enter into force in 2025. The societal expectation of NIS 2 is clear: Enhanced cybersecurity as a public good, achieved through a regulatory "duty to act" for companies of all sizes, especially in the SME sector.
2. Theoretical Framework: Concepts, Legal Framework and ISMS Reference
Critical and essential entities: The NIS 2 Directive distinguishes between Essential Entities and Important Entities. Essential entities comprise large companies in critical sectors (typically >250 employees and >EUR 50 million turnover/balance sheet total) as well as certain actors regardless of size (e.g. qualified trust service providers, top-level domain registries).
Important entities are medium-sized companies (>50 employees or >EUR 10 million turnover/balance sheet) in further sectors deemed important. This sectoral classification is defined in the annex to the Directive and is transposed in Germany through the NIS2UmsuCG via the categories "particularly important entities" (roughly corresponding to Essential Entities) and "important entities" (Important Entities). Additionally, there is the concept of "critical facilities", which designates traditional critical infrastructures (KRITIS), e.g. energy, healthcare, water, for which special rules partly apply. Overall, NIS 2 pursues a risk-based approach: obligations are linked to the criticality of the sector and the size of the company. As a result, compared with the earlier critical infrastructure regulation, the thresholds are lowered, significantly increasing the number of affected companies.
Legal framework (NIS2UmsuCG and IT Security Act 2.0): In Germany, the NIS 2 requirements are transposed into national law through the NIS2UmsuCG. This Act modernises the BSI Act (Act on the Federal Office for Information Security) and supplements existing regulations from the IT Security Act 2.0 of 2021. The IT Security Act 2.0, also called the "Second Act to Increase IT Security," had already placed additional sectors (e.g. municipal waste management, defence and large companies as "companies of particular public interest") under supervision and introduced new obligations such as the use of attack detection systems in critical infrastructure. NIS 2 now goes further: additional sectors are regulated, reporting obligations and sanction frameworks are harmonised EU-wide, and in particular the responsibility of management is emphasised. Nationally, the competent authorities (in Germany primarily the BSI) must monitor compliance and can sanction violations. For important entities in the SME sector, the typical upper limit is EUR 7 million or 1.4% of turnover as a fine; for essential entities, up to EUR 10 million or 2%. This harmonisation is modelled on the strict approach of the GDPR and aims to make enforcement more effective (European Commission, 2022).
Definition of cybersecurity requirements: The cybersecurity requirements of NIS 2 refer to the totality of technical, organisational and procedural measures that an affected company must implement to manage risks to its information systems. NIS 2 prescribes a minimum catalogue of security measures (see Section 3), ranging from risk management policies to incident response and supply chain security. Importantly, these requirements must be implemented in a proportionate and risk-appropriate manner: what is considered sufficient depends on the size, risk profile and potential societal impact of a failure. The Directive therefore does not require a rigid scheme but rather a dynamic management approach oriented towards established standards. Recital 79 explicitly refers to international standards such as the ISO/IEC 27000 series as guidance. Accordingly, there are overlaps with ISO 27001 (Information Security Management Systems) and sector-specific standards such as the TISAX catalogue (for the automotive supply industry), which can serve as a "framework" but do not replace NIS 2 (DQS, 2023). Rather, the company-specific Information Security Management System (ISMS) must be further developed to meet the new legal obligations (including reports to authorities). The link to ISMS is therefore central: a systematic ISMS according to ISO 27001 forms the foundation on which NIS 2 compliance is built (ISO, 2022). Studies show that an ISO 27001 certification already covers a large proportion (approximately 70%) of NIS 2 requirements, particularly regarding risk analyses and organisational controls. However, supplementary points such as official reporting channels or specific governance requirements must be additionally established. 
NIS 2 thus fits consistently into the existing Governance, Risk & Compliance (GRC) landscape and increases the pressure, especially on SMEs, to operate a formalised ISMS, ideally integrated with data protection (GDPR) and other compliance topics, to leverage synergies.
3. Requirements in Detail: Governance, Measures, Risk Management, Reporting Obligations, Supply Chain Security
This section explains the specific obligations under NIS 2. The Directive defines a comprehensive catalogue of technical and organisational measures as well as processes that extend from corporate management to operational IT controls. The most important requirements are presented systematically below.
3.1 Governance and management responsibility: NIS 2 explicitly anchors cybersecurity as a board or executive management task. Management bodies of essential and important entities are obliged to oversee and steer compliance with cybersecurity measures. The EU legislator originally envisaged personal liability for managers; in the German draft this was softened, but civil and corporate law internal liability claims (e.g. Section 93 of the German Stock Corporation Act for public companies) remain. In practice, this means: top management must regularly undergo training and acquire sufficient knowledge of cyber risks and controls. NIS 2 prescribes training for the management level and requires that security responsibility is not simply delegated (European Commission, 2023). These governance requirements are intended to prevent a "compliance gap": in the past, security standards were often regarded as purely technical IT projects, whereas NIS 2 now demands a top-down approach. The culture within the company must anchor cybersecurity as a leadership priority, including clear responsibilities (e.g. CISO role) and regular board reports on cyber risk (BSI, 2023). Organisationally, at least two security officers must be appointed, sufficient resources provided and cybersecurity integrated into enterprise risk management (cf. DataGuard, 2023). This stricter governance corresponds to the significant fines: if management ignores NIS 2 obligations, penalties of up to EUR 10 million or 2% of turnover (for essential entities) or EUR 7 million / 1.4% (important entities) are possible. This creates pressure similar to GDPR violations and makes clear that cybersecurity is not a "nice-to-have" but a clear "must" at management level.
3.2 Technical and organisational measures: Article 21 of the Directive lists ten fundamental security areas that all affected companies must cover (NIS 2, 2022). These can be summarised as follows:
- (a) Risk management policy: Introduction of policies for regular risk analysis and protection of information systems. Companies must identify their specific threats and adopt a written information security concept ("IS policy").
- (b) Incident management: Establishment of processes for detecting, reporting and handling security incidents. This includes incident response plans, forensic capabilities and an internal reporting system.
- (c) Business continuity: Implementation of business continuity and disaster recovery measures, such as regular backups, emergency plans and crisis exercises, to maintain operational capability even during cyberattacks. A formal emergency management system is required, including planning for worst-case scenarios.
- (d) Supply chain security: Introduction of security supplier management. Companies must address security requirements along their supply chain. This concerns the relationship with service providers and suppliers: contracts should include minimum standards (e.g. ISO 27001 certification or audit reports), and critical suppliers are to be checked for vulnerabilities. The Directive explicitly requires assessing the quality of each direct supplier's security practices and considering the results of coordinated risk analyses (such as industry-wide "supply chain risk assessments").
- (e) Security in development/procurement: Ensuring security-by-design for IT systems throughout their entire lifecycle. This includes secure software development, thorough testing before deploying new systems, and patch and vulnerability management. Discovered vulnerabilities must be proactively reported and remediated (see also 3.4).
- (f) Effectiveness testing: Establishment of processes for regular evaluation of the implemented security measures. This implies internal or external audits, penetration tests (where appropriate) and management reviews of the ISMS. NIS 2 essentially requires a continuous PDCA cycle: measures are to be tested for effectiveness and adjusted as needed.
- (g) Basic cyber hygiene & training: Implementation of fundamental IT security practices (e.g. regular updates, hardening of system configurations) and comprehensive awareness training for employees. Human error (phishing, weak passwords) is one of the main causes of security incidents; accordingly, NIS 2 requires all employees to be regularly trained.
- (h) Use of cryptography: Development and implementation of policies for the use of cryptographic methods. Where appropriate, strong encryption and modern cryptography are to be used to ensure the confidentiality and integrity of data (e.g. encryption of sensitive databases, use of TLS for communications).
- (i) Personnel and access security: Measures for personnel security (e.g. background checks for critical admin roles), strict access control policies (role-based access rights, need-to-know principle) and inventory and protection of assets. In practice, this includes multi-factor authentication (MFA) for important access points, consistent permissions management and endpoint security.
- (j) Secure communications & emergency communications: Ensuring the security of voice, video and text communication systems within the company as well as emergency communication channels. This includes, for example, encrypted email/VoIP, secured video conferencing systems and redundant communication channels for crisis situations.
The above catalogue of measures makes clear that NIS 2 demands a holistic security approach, from technical controls to organisational anchoring. Companies should ideally bundle these areas in an integrated ISMS programme. It is notable that many of the points mentioned are already provided for in standards such as ISO 27001 (e.g. access control, cryptography concept, supplier management). However, NIS 2 prescribes these points mandatorily and in some cases in greater detail (such as explicit supply chain risks or MFA obligation), so existing ISMS may need to be expanded (ENISA, 2023). In Germany, the above requirements are anchored in Section 30 of the NIS2UmsuCG draft. For operators of critical facilities (e.g. large energy producers), additional special requirements such as the use of intrusion detection systems also apply.
3.3 Risk management and documentation: A central element is a living risk management. NIS 2 requires companies to continuously identify, assess and treat risks. Implementation is typically carried out through a risk assessment process as part of the ISMS. Documentation is crucial: companies must adequately record their risk assessments and the derived measures in order to demonstrate to the supervisory authority that they have understood and addressed the risks (cf. Art. 21(4) NIS 2). The risk analysis must consider all sources of danger ("all-hazards approach"), encompassing both cyberattacks and physical risks such as fire or power outages. The Directive also requires the human factor to be systematically included, for example by considering insider risks and training needs (ENISA, 2022). Companies are encouraged to use recognised standards and methods in their risk assessment. The promotion of certified products and processes (e.g. under EU cybersecurity certificates pursuant to the Cybersecurity Act) is also mentioned. Overall, the emphasis is on proportionality: small important entities should not be overwhelmed, while large critical companies must take more extensive measures. This risk-based tailoring, however, requires each affected company to build sufficient internal competence to assess cyber risks, a process that particularly challenges SMEs (see discussion).
3.4 Reporting obligations (incident reporting): A notable aspect of NIS 2 is the mandatory reporting of security incidents to the authorities. Article 23 NIS 2 defines a staged procedure: first, within 24 hours of becoming aware of an incident, an early warning (initial notification) must be sent to the national Computer Security Incident Response Team (CSIRT) or the competent authority. Within a further 72 hours, a more detailed follow-up report must be submitted, containing the details known so far, the severity assessment and any technical indicators of compromise. No later than one month after the initial report, a final report must be filed documenting the cause, course of events and countermeasures taken. These strict deadlines, significantly more rigorous than, for example, the GDPR's 72-hour deadline for data protection incidents, are intended to ensure early warning and information sharing. Additionally, the BSI may request interim reports. Affected customers or the public must also be informed where this is appropriate in the individual case. NIS 2 thus harmonises incident handling EU-wide and obliges companies to engage in proactive communication during significant cyber incidents.
In Germany, Section 32 of the NIS2UmsuCG specifies these obligations and provides for reports to be made to the BSI. Interestingly, the transposition also provides that incidents must be communicated not only to the authority but also to the "affected service recipients" (i.e. customers/users) where appropriate, a transparency obligation that goes beyond purely regulatory concerns. The BSI plans to provide an online portal as a reporting point. Every affected company must also register, i.e. deposit its master data with the BSI within three months of the Act entering into force. A missed or late registration already constitutes an administrative offence. Overall, these reporting and registration obligations create a tight network of information intended to give authorities a better overview of the security situation. For companies, however, they also mean considerable effort, since emergency processes and reporting channels must be prepared internally, constantly updated and activated within hours in an emergency. Without appropriate incident response plans and teams, compliance is barely possible, which in turn underscores the need for SMEs to build (or procure) professional security response capabilities.
3.5 Supply chain security: As mentioned above under measures (point d), cybersecurity in the supply chain is a central new element of NIS 2. The Directive recognises that companies are increasingly dependent on third parties (cloud providers, software suppliers, maintenance firms, etc.) and that vulnerabilities in this value chain can have major impacts. Therefore, companies must demand evidence and security information from their suppliers and incorporate this into their own risk management. In concrete terms, this means: contractual security requirements for IT service providers, regular security assessments of suppliers (e.g. in the form of questionnaires or audits) and consideration of supply chain risks in business impact analyses. A company that falls under NIS 2 should therefore not only strengthen its own cyber defences but also ensure the reliability of its partners. This "flow-down" effect means in practice that many suppliers not directly captured by regulation are in fact pushed towards NIS 2 compliance. Large companies will demand security certificates or audit reports from their smaller suppliers in order to remain compliant themselves. A Danish study, for example, forecasts that indirect requirements on suppliers, such as new questionnaires and documentation obligations, will increase dramatically (Lemnitzer & Prockl, 2023). For suppliers, this can lead to duplication of effort: an IT supplier with ten major customers could have to fill out ten different self-assessment questionnaires per year, which in total ties up enormous resources (Lemnitzer & Prockl, 2023). Uniform standards for supply chain security are still being developed, so for now each larger company is likely to apply its own benchmarks. In Germany, Section 22 of the NIS2UmsuCG provides for the possibility of conducting coordinated security assessments of critical supply chains across sectors, e.g. authorities could define common requirements for all operators of a specific facility type and their suppliers. Overall, the message is clear: trustworthiness in the value chain becomes the decisive criterion. For SMEs as suppliers, this means they must make their cybersecurity demonstrable to remain attractive partners. At the same time, this opens up an opportunity: those who implement robust security measures early (e.g. obtain ISO 27001 or TISAX certification) can use this as a competitive advantage, since large clients reward this maturity (Lemnitzer & Prockl, 2023).
In summary, NIS 2 requires affected companies to have an integrated security concept: starting with clear management responsibility, through a risk-based set of technical and organisational measures, to transparent communication during incidents and in the supply chain. This "catalogue of obligations" is comprehensive and often exceeds existing practices in SMEs. The following practical example shows how a typical company can approach this.
4. Comparative Analysis: NIS 2 versus ISO 27001, TISAX and DORA
The NIS 2 Directive does not stand in isolation but fits into a fabric of existing standards and regulations. Below, NIS 2 is compared with ISO/IEC 27001 (the internationally leading ISMS standard), the sector-specific TISAX standard for the automotive industry, and the new EU regulation DORA (Digital Operational Resilience Act) for the financial sector. The aim is to identify overlaps, differences and the respective regulatory logic.
NIS 2 vs. ISO 27001: ISO 27001 defines a voluntary certification framework for information security management systems that is applied across industries. Many requirements overlap conceptually with NIS 2: both pursue a risk-based approach, require the implementation of security controls in areas such as access management, backups, training, etc., and demand continuous improvement. Overlaps: Studies confirm that companies with an established ISO 27001 ISMS already cover a large proportion of NIS 2 controls. For example, ISO 27001/27002 controls cover many of the elements mentioned in NIS 2 Article 21 (e.g. ISO control area A.16 corresponds to incident management, A.15 to supplier relationship security, etc.). Differences: NIS 2, however, goes beyond ISO in several respects. Firstly, NIS 2 is mandatory for certain companies ("compliance" rather than voluntariness) and is reviewed by authorities, whereas ISO is voluntary and audited by external auditors, primarily for market recognition. Secondly, NIS 2 contains legal reporting obligations for security incidents that are not provided for in ISO 27001 in this way: an ISO 27001-compliant ISMS must have internal incident handling, but no reporting to authorities; NIS 2, however, strictly requires this. Thirdly, NIS 2 addresses governance aspects such as management liability and state oversight, while ISO is more of a management process without external sanctions. NIS 2 also sets certain priorities that ISO only implicitly covers, e.g. the explicit supply chain consideration or MFA obligation. The regulatory logic thus differs: ISO 27001 aims to achieve an appropriate level of protection flexibly through company-specific risk analysis, while NIS 2 aims to anchor a minimum level of protection broadly and sanction failure through enforcement. 
Nevertheless, both complement each other: an ISO 27001 certificate is considered a suitable means of demonstrating compliance with many NIS 2 obligations (European Union Agency for Cybersecurity, 2023), but it is not automatically equivalent to NIS 2 compliance. Companies should use ISO 27001 as a tool to implement NIS 2 requirements in a structured manner. It is no coincidence that authorities and consultancies often recommend approaching NIS 2 implementation within the framework of an ISMS project (Simpliant, 2024). In summary: ISO 27001 is the "baseline" and can fulfil approximately 70% of NIS 2, but areas such as regulatory reporting and specific governance requirements must be addressed additionally.
NIS 2 vs. TISAX: TISAX (Trusted Information Security Assessment Exchange) is not a law but a testing and exchange standard for information security in the automotive industry, developed by the German Association of the Automotive Industry (VDA). It is based on the VDA ISA requirements catalogue, which in turn incorporates many elements of ISO 27001 but is tailored to prototype protection, data privacy and supplier auditing in the automotive sector. Overlaps: For an automotive supplier company that is TISAX-certified, essential security controls (policy, access, laptop security, supplier assessment, etc.) are already implemented, meaning there is a high degree of coverage with what NIS 2 requires. In fact, many automotive suppliers come under legal obligation for the first time through NIS 2: for example, mechanical engineering/vehicle manufacturing is explicitly listed among the covered sectors (Annex II NIS 2), making medium-sized supplier companies (from 50 employees) "important entities". In such cases, TISAX serves as valuable groundwork for achieving compliance. Differences: NIS 2 is, however, broader and sector-independent, while TISAX contains specific automotive topics (e.g. confidentiality levels for prototypes) that go beyond NIS 2. Furthermore, TISAX, like ISO, is voluntary and established by OEMs as a sector-internal requirement, without direct state compulsion. The regulatory logic differs: NIS 2 aims to ensure societal resilience, TISAX primarily trust between business partners. Nevertheless, experts emphasise that a TISAX certification prepares a company very well for NIS 2, because all relevant processes (risk analyses, regular audits, technical controls) already exist. According to current analyses, TISAX practically covers all NIS 2 core requirements, including risk management and supplier security (ENX, 2023). 
What would still need to be supplemented in TISAX-oriented companies is primarily incident reporting to external parties and possibly the formalities of authority communication. Overall, it can be said: NIS 2 and TISAX are complementary. Automotive suppliers with TISAX already fulfil the spirit of NIS 2 to a large extent but must ensure formal legal compliance. Companies without TISAX in NIS 2 sectors should consider obtaining such a certification (or ISO 27001) as a means of meeting NIS 2 obligations. It is no coincidence that GRC experts recommend using cross-industry and sector-specific standards in combination to meet growing compliance requirements efficiently (Kopexa, 2025).
NIS 2 vs. DORA: The Digital Operational Resilience Act (DORA) is an EU regulation from 2022 that specifically concerns the financial sector (banks, insurers, securities firms, etc.). While NIS 2 is a directive (i.e. to be transposed into national law by Member States), DORA is a directly applicable regulation that entered into force in January 2025. Overlaps: Both regimes aim to strengthen cyber and operational resilience and prescribe risk management processes, security measures and incident reporting obligations. For financial companies (which often fall under both NIS 2 as "essential entities" and DORA), there are therefore overlaps. In fact, NIS 2 provides that its obligations do not apply insofar as a special legislative regime such as DORA imposes "equivalent requirements". In practice, banks will primarily follow DORA, which regulates incident reports to financial supervisors, and will be exempted from NIS 2 in this respect (to avoid double regulation). Differences in focus: NIS 2 is designed horizontally for many sectors, DORA vertically for the financial industry. DORA places strong emphasis on operational resilience, i.e. the ability to continue functioning even under cyberattacks. DORA therefore requires, for example, regular resilience tests (e.g. penetration tests) for significant institutions, including scenario exercises with assumed cyber crises (threat-led pen testing). NIS 2 does not explicitly prescribe such tests but leaves it at general effectiveness reviews and governance requirements. DORA also specifically addresses the dependence on ICT third-party providers in finance: it establishes an oversight regime where critical IT service providers (e.g. cloud providers for banks) are subject to EU supervision. NIS 2, by contrast, obliges companies to manage supply chain risks, but there is no comparable centralised monitoring of suppliers; here the responsibility remains with the individual companies. 
Differences in reporting: NIS 2 has, as described, very tight deadlines (24h/72h/1 month) and a multi-stage reporting obligation to cyber authorities. DORA also requires reporting of significant ICT incidents, although the exact thresholds and deadlines are somewhat different (typically an initial report within 24 hours to the financial supervisor, followed by updates within further days, with details specified by ESA guidelines). Regulatory logic: One could say that NIS 2 addresses broad critical infrastructure, while DORA "zooms in" on the financial sector and implements stricter resilience-oriented obligations there (Nachmany, 2024). DORA takes into account the systemic importance of financial services and trust in the financial market, which is why it covers aspects such as failover tests, backup times, communication plans with customers during disruptions etc. in detail. All of this could implicitly be seen under NIS 2 as part of risk management but is not specified there. Interestingly, in the German NIS2UmsuCG, banks and insurers were largely excluded from the scope of important/particularly important entities and only fall under "critical facilities" (if, for example, defined as stock exchange infrastructure). This makes clear: in the financial sector, DORA takes precedence as a special law, and NIS 2 serves at most as a safety net for peripheral areas. In summary: NIS 2 and DORA share the goal of increased cyber resilience, but NIS 2 is broad and cross-sectoral, while DORA is in-depth and sector-specific. Companies in the financial sector must primarily ensure DORA compliance but should also check whether supplementary NIS 2 aspects remain relevant (e.g. for parts of the company in other sectors). For all other sectors, DORA can serve as an example of how sectoral regulations supplement or exceed NIS 2, and similar considerations apply, for instance, to the EU Health Data Regulation with regard to hospitals.
In summary, the comparative analysis shows that NIS 2 is not an isolated phenomenon but part of a larger web of standards and laws: companies can leverage this by approaching their compliance efforts in an integrated manner. A company that has already implemented ISO 27001 or TISAX has a structured framework in which to embed NIS 2 requirements. Conversely, NIS 2 aims to anchor a minimum level across sectors, which increases the importance of standards like ISO or TISAX, since they help with practical implementation. The result is a multi-level governance of cybersecurity: voluntary best practices (ISO), sector-specific requirements (TISAX, DORA) and horizontal legal obligations (NIS 2) interlock. For SMEs, it is crucial to find synergies here rather than looking at everything in isolation (Information & Management, 2024).
5. Practical Example: NIS 2 Implementation in an SME Mechanical Engineering Company
To make the challenges and solution approaches tangible, we consider an exemplary medium-sized company from the mechanical engineering sector (approx. 150 employees, EUR 30 million turnover), a typical supplier in industrial technology that delivers components to energy providers and automotive manufacturers. This company was not previously classified as critical infrastructure and, while it had basic IT security measures (antivirus, firewall, regular backups), did not have a formal ISMS. With NIS 2, it now falls under regulation as an "important entity", since the manufacture of machinery is listed in Annex 2 of the Directive and the company exceeds the medium-size threshold (at least 50 employees, or more than EUR 10 million in both annual turnover and balance sheet total).
Starting position: Management is initially surprised that the company is affected at all. As with many other SMEs, they were unaware of the scope of NIS 2. (In fact, a VDMA survey in 2024 showed that 24% of mechanical engineering companies surveyed assumed NIS 2 did not apply to them, and were wrong in 71% of cases.) After initial contact with the BSI and the industry association, it becomes clear that the company has until Q1 2025 at the latest to achieve NIS 2 compliance. Management recognises the risk of inaction: in addition to possible fines of up to EUR 7 million (or 1.4% of worldwide annual turnover), there is the loss of customer orders if the company is seen as an insecure partner.
Planning measures: First, an internal NIS 2 project team is formed, led by the IT manager and embedded under board sponsorship (the CFO takes on the sponsor role). External consultancy is brought in to assess the maturity level (cf. VDMA recommendation). A gap analysis reveals that many basic technical functions are in place (e.g. data backups, access rights), but formal policies and structured risk management are missing, let alone an incident reporting process. The project team decides to build an ISMS according to ISO 27001 as the framework, supported by compliance software (e.g. Kopexa) that provides templates for policies and centralised action tracking. This is intended to avoid redundancy: the same documents and controls should serve both ISO and NIS 2 requirements, to keep the effort manageable (Kopexa Docs, 2025).
Implementation of core requirements: Over 12 months, several work packages are implemented in parallel:
- Governance: The board adopts an information security policy that explicitly mentions NIS 2 obligations. An information security officer (CISO) is formally appointed. The company decides to use the IT manager in a dual role, supported by an external security expert as an adviser. Management attends a workshop on the fundamentals of cyber risks (threat landscape, worst-case scenarios). One managing director has the topic of security incorporated as a personal target in the bonus plan to ensure commitment.
- Risk management: A risk assessment workshop is conducted with the specialist departments (production, development, administration). The team jointly identifies the key business processes (e.g. control software development, delivery logistics) and maps the IT assets behind them. Threats and vulnerabilities are then brainstormed: from the scenario "Malware paralyses production facility" to "Data leak of engineering drawings" to "Supplier cloud fails". For each risk combination, the probability of occurrence and potential damage impact are assessed. The result is a risk register with prioritisation. Concrete measures are derived from this, e.g. network segmentation and better access controls in production IT, enhanced off-site backups, additional endpoint security for developer laptops, and agreements with the cloud provider on faster disaster recovery. All of this is recorded in a documented risk treatment plan and approved by management.
- Technical measures: The IT department implements or improves numerous controls: introduction of multi-factor authentication for remote access and administrative accounts (a direct NIS 2 requirement), rollout of centrally managed patch management software to ensure timely updates (cyber hygiene), hardening of firewall rules and implementation of an intrusion detection system at critical network nodes. Emergency drills are also conducted, e.g. simulating a ransomware attack to test response capabilities. Weaknesses in communication are uncovered (who informs whom, where are current network diagrams, etc.) and corresponding improvements (emergency contacts list, defined communication channel via emergency phone) are implemented.
- Supply chain management: The company identifies its critical suppliers: including a cloud infrastructure service, an external IT service provider for ERP software, and two suppliers of electronic components. It develops minimum requirements for each key supplier: the service providers must, for example, provide an annual security report or demonstrate a recognised standard (such as ISO 27001 or TISAX). New contracts are amended accordingly. Additionally, the suppliers are integrated into the incident response concept: should the cloud provider experience a security incident, they must inform the company immediately (contractual clause for mutual reporting). Procurement sets up a supplier assessment: once a year, defined questions on IT security are sent to important suppliers and evaluated. This is where practical support from the GRC platform comes into play: the entire process can be digitally mapped, including tracking responses and automatic risk scores.
- Reporting channels and CSIRT integration: The company sets up an internal 24/7 on-call service in IT so that potential incidents can be assessed immediately. It defines what constitutes a "significant security incident" (guideline: failure of time-critical processes > xx hours, data loss > xxx records, etc.). In such a case, the IT manager must send the early warning to the BSI within 24 hours of becoming aware of the incident. The procedure is walked through as a tabletop exercise, and the online reporting form now provided by the BSI is used in a test run. It is also determined who writes the 72-hour incident notification and the final report due one month after it (the IT department in coordination with PR and legal). Template reports are prepared to save time in an emergency. In parallel, the company registers on time in the new BSI portal as an affected entity and deposits its contact persons.
- Documentation and evidence: All the above measures and policies are documented: the ISMS manual is maintained, and a NIS 2 compliance dossier is created with cross-references showing which internal controls fulfil which NIS 2 requirement. The GRC software supports this through a mapping function (e.g. it shows that the access policy introduced covers the requirement from Section 30 NIS2UmsuCG "access control, MFA"). The company is thus prepared for a possible audit by the BSI. Under German law, important entities are not initially required to submit regular proof audits, but the BSI can demand audits on a case-by-case basis. The company plans to pursue ISO 27001 certification in the longer term, partly to strengthen customer trust and partly to be prepared for NIS 2 should an external audit be required.
Challenges: During implementation, several difficulties arise. Firstly, establishing the processes requires a culture change: initially, the development team resists more restrictive access rights and additional security checks ("slows down productivity"). Through workshops and clear support from management, acceptance is achieved by emphasising the benefits (protection of intellectual property, avoidance of production outages). Secondly, resources are scarce: the company concludes that it needs a dedicated information security manager, since the tasks overwhelm existing personnel. Skilled professionals are rare, however, so as a transitional solution an external service provider is engaged who also acts as external CISO. The costs of implementation (consultancy, tools, personnel effort) total a low six-figure euro amount. This is significant for an SME and requires budget reallocation, but it is recognised that many expenditures are one-off (initial training of all employees, system setup) and that ongoing costs will be lower. A further challenge is the complexity of the supply chain requirements: many of the suppliers to whom requirements are addressed are themselves small SMEs and react very differently. Some proactively present certificates, while others are unsure what is required of them. Here the company acts as a multiplier and supports its suppliers with information material (provided by the association) to reach the common goal.
Initial successes and lessons learned: After about a year of intensive work, the company internally reports positive side effects. IT downtime has decreased as preventive measures (patching, monitoring) take effect. Insurance costs for cyber insurance were reduced because the insurer rewards the improved security measures. An important major customer explicitly praised the proactive approach and waived their own security audit, as they accepted the existing ISO 27001 documentation. This underscores: NIS 2 compliance can bring competitive advantages. Additionally, management feels significantly more secure in their responsibility: the vague risk of "cyber" has been translated into concrete plans, which is reassuring from a liability perspective.
This practical example demonstrates that NIS 2 is implementable in SMEs but requires a systematic approach. An integrated GRC system, in this case the Kopexa platform, helped maintain oversight and reduce effort by bringing documentation, task management and compliance mapping together in one tool. Especially for SMEs without a large legal department, such platforms can remove much of the manual effort; the vendor itself puts the saving at up to 80% (Kopexa, 2025). The example company is now well positioned but is already planning the next steps (annual emergency drills, fine-tuning of the ISMS). It has understood that cybersecurity is not a one-off project but a continuous process, entirely in line with both NIS 2 and ISO 27001.
6. Discussion: Reasons for the Underestimation of NIS 2, Impacts and Synergies
Although NIS 2 brings comprehensive obligations, surveys and business practice show that many companies underestimate their own exposure. Why is this the case? A central reason is certainly the lack of awareness of being part of "critical infrastructure". In common parlance, only sectors such as electricity, water and healthcare were previously considered critical. A medium-sized mechanical engineering company or a chemical company with 100 employees did not see itself in this role and is now surprised to be covered by NIS 2 (BVMW, 2024). The expansion to "important entities" from 50 employees means that thousands of SMEs are subject to cyber supervision for the first time. This change was communicated publicly but was partly overlooked in broader awareness, especially as many companies were dealing with other crises (pandemic, energy prices). Additionally, NIS 2 is a directive: as long as the national transposition law was not in force, there was uncertainty ("Is this really coming? When exactly?"). Some companies probably waited for clarity and thereby underestimated the urgency, until the transposition deadline of 17 October 2024 passed without a German law in force (cf. Simpliant, 2024).
Another reason is the complexity and cost argument. SME executives fear extensive bureaucracy and high investments. NIS 2 is sometimes seen as "IT fundamental law for SMEs" with significant effort, which can lead to a defensive attitude. Companies without a dedicated IT security department in particular tend to push the topic aside, since they lack know-how and personnel resources (Lemnitzer & Prockl, 2023). There is a danger of a "box-ticking" mentality: some companies may be tempted to only formally produce documents without real security benefit, to seemingly meet the obligations. This would, however, be short-sighted, since inadequately implemented measures would be exposed in an emergency and result in penalties.
Economic and organisational impacts: Implementing NIS 2 initially requires investments in technology (e.g. security solutions, monitoring systems), personnel (training, possibly new positions) and external consultancy. For SMEs in particular, this can be noticeable. However, these expenditures are also an investment in resilience: a major cyber incident (production standstill, data theft) could cause far higher costs. Studies and experience show that the cost-benefit balance is positive in the medium term, as efficiency gains and risk reduction take effect (cf. Kopexa ESG study, 2025). Organisationally, NIS 2 forces companies to break down silos: IT, legal, management and specialist departments must work more closely together to establish security processes. This may initially increase internal friction, but in the long run leads to a more professionalised organisation in which security by design becomes part of the corporate culture. The reputation aspect is also positive: a company that is demonstrably NIS 2-compliant signals reliability. In supply relationships, this can become the decisive criterion, referred to as a "cybersecurity trust label" in the B2B context. Falling below this norm can conversely be damaging to business if customers leave because of security concerns (Mustaca, 2025).
Why is NIS 2 still underestimated? Beyond ignorance, an overlap with existing programmes may also play a role: many SMEs have already implemented ISO 9001 (quality management) or ISO 27001. Those responsible may mistakenly assume that everything necessary has been done. But as shown, ISO 27001 covers only approximately 70% of NIS 2 obligations; in particular, authority reporting, registrations or specific governance aspects must be additionally considered. The complexity of various regimes (GDPR, IT Security Act 2.0, sector-specific standards) easily leads to confusion about what exactly applies to whom. Without targeted information campaigns, which are now being run by the BSI, industry associations (VDMA, Bitkom) and initiatives such as Mittelstand-Digital, the urgency remains diffuse. Only when the first supervisory measures take effect (e.g. hearing notices from the BSI or fines against prominent companies) is the broader mass likely to recognise the significance. This "learning phase" was similarly observed with the GDPR.
Synergies with other frameworks: Despite initial overwhelm, NIS 2 also offers opportunities to consolidate compliance efforts. Companies can use NIS 2 to expand existing management systems: those already pursuing ISO 9001 (quality) and ISO 27001 (security) can integrate NIS 2 implementation into this framework, generating value that goes beyond mere compliance. Many measures (risk management, supplier audits, internal audits) help not only with NIS 2 but also strengthen data protection (GDPR requires "state of the art" security), quality objectives (reduced outage risks) and IT governance overall. The linkage with business continuity management (e.g. ISO 22301) is particularly sensible: NIS 2 requires emergency preparedness, and companies can directly launch a BCM project, killing two birds with one stone. Similarly, TISAX can be used in the automotive industry as a NIS 2 compliance enabler, as described above. The effort for audits and documentation can be reduced by using integrated GRC tools that map multiple requirements simultaneously. For example, Kopexa GmbH reports that users of their platform manage requirements from ISO 27001, GDPR and NIS 2 in parallel, thereby avoiding fragmentation (Kopexa, 2025). Discussion with auditors shows that where an ISO 27001 certification exists, auditors are inclined to recognise NIS 2 compliance, i.e. a compliance package emerges that companies can handle more efficiently.
Not least, NIS 2 has triggered a cultural change in the SME sector: cybersecurity is increasingly being seen not as a tedious IT task but as a leadership topic and integral part of corporate management. This shift towards "Cyber GRC" (Governance, Risk & Compliance in IT) creates more robust, resilient companies in the long term, which is also desirable from a macroeconomic perspective. The costs of shared standards ultimately contribute to strengthening the business location by reducing systemic risks. In the financial sector, for example, it is argued that DORA/NIS 2 increases trust in digital services and thus even promotes innovation by creating a secure environment (EU Commission, 2023). Applied to the SME sector, NIS 2 conformity can become a quality seal that positively distinguishes German and European suppliers from less regulated competitors (e.g. from third countries).
7. Conclusion: Summary, Recommendations for Action and Outlook
NIS 2, "the underestimated obligation for SMEs and suppliers," upon closer examination turns out to be an important driver for the cyber resilience of our economy. Directive 2022/2555 compels a far greater number of companies than before to systematically address IT risks and comply with minimum standards. In this article, we have examined the academic-regulatory background, broken down the obligations in detail and placed them in the context of existing standards. It became apparent that NIS 2, viewed from a neutral academic perspective, is stringent and logically structured: a risk-based, holistic security approach with a state enforcement mechanism. The obligations range from governance (training, management liability) through technical controls (MFA, cryptography) to process-oriented tasks (reporting, supplier management), a broad programme that is nevertheless internally consistent and aligned with international best practices.
The analysis also highlighted why this obligation has been widely underestimated: psychologically, because many SMEs did not perceive themselves as "critical"; organisationally, because the jungle of regulations is confusing; and economically, because the effort was feared. However, NIS 2 implementation offers significant opportunities. Companies that act proactively benefit from greater IT stability, customer trust and avoidance of damage costs. The synergies with ISO 27001, TISAX, IT Security Act 2.0 and others can be leveraged to avoid duplication and achieve multiple compliance goals simultaneously through an integrated GRC approach.
Recommendations for action: For IT and compliance managers in medium-sized companies, a clear roadmap emerges:
- Clarify scope and relevance: Check immediately whether your company is to be classified as an essential or important entity under NIS 2 (sector and thresholds). If in doubt, consult industry associations or authorities. Do not underestimate your exposure: experience shows that many supposedly "unaffected" companies do in fact fall under the Directive.
- Secure management buy-in: Present the topic at leadership level. Use facts (scope, fines, comparison with GDPR impact) to underline urgency. Clarify responsibilities (e.g. appointment of a NIS 2 project leader) and raise management awareness of their obligations (if necessary through a short NIS 2 training session).
- Conduct a gap analysis: Compare the current state of your information security management with the NIS 2 requirements (Section 3 above). Identify gaps in policies, technical measures, incident response, supplier contracts, etc. BSI materials (checklists) or reference to ISO 27001 controls as a benchmark can help here.
- Plan resources: Create an implementation plan with a timeline up to 2024/25. Consider what external resources are needed (consultancy, audits) and internal ones (possibly hiring an ISMS manager). Budget the required investments in technology (e.g. security tools, monitoring), bearing in mind that some expenditures may be eligible for subsidies (there are government funding programmes for IT security in SMEs).
- Build or expand an ISMS: Rely on recognised standards to proceed in a structured manner. If not already in place, establish an ISMS, which can pragmatically begin with ISO 27001, even without immediate certification. It is important that all relevant processes are defined and documented (policy development, risk assessment, training, audit plan, continuous improvement). Use automation where possible: an integrated GRC platform such as Kopexa can relieve much manual effort by combining risk tools, documentation and reporting in one system. This reduces errors and accelerates implementation.
- Identify quick wins: Some NIS 2 measures can be implemented relatively quickly and show results. For example, introducing multi-factor authentication for critical access, conducting regular backup tests, appointing an incident response team and defining emergency contacts. Such quick wins immediately increase security and create internal momentum for the project.
- Engage suppliers: Start early to inform your key service providers and suppliers about the upcoming requirements. Amend contracts at the next opportunity (security clauses). Perhaps you can coordinate requirements with other companies in your industry to avoid giving suppliers contradictory specifications. Transparency and cooperation in the supply chain pay off here: remember that your customers will also expect the same from you.
- Training & awareness: Create awareness among your employees. Start mandatory security awareness training (consider using e-learning offerings). Make it clear that cybersecurity is part of everyone's responsibility. Only with an informed workforce can processes such as incident reporting or hygiene requirements function.
- Continuously monitor and improve: Set indicators (KPIs) for your cybersecurity (e.g. time to close a vulnerability, phishing click rate in tests, number of detected attack attempts) and report these regularly to management. NIS 2 compliance is not a one-time state but requires ongoing maintenance. Establish a cycle (e.g. quarterly ISMS review) to account for new risks or changes (such as updates to the legal situation).
Through these steps, NIS 2 is transformed from an abstract regulatory topic into a concrete roadmap for better security in your company. SMEs in particular should see NIS 2 not as a burden but as an opportunity for modernisation: those who act now improve not only compliance but also their own robustness against the very real cyber threats of our time.
Outlook: The implementation of NIS 2 will continue to take shape across all EU states in the coming years. It can be expected that supervisory authorities will step up inspections from 2025 and the first precedent cases (fines, warnings) will occur. This will rouse further companies from any possible lethargy. At the same time, the EU is working on supplementary regulatory frameworks (e.g. the Cyber Resilience Act for product security of IT devices), which will regulate the ecosystem even more comprehensively. For both academia and practice, interesting questions arise: how effectively will NIS 2 actually improve the security situation? What best practices will emerge from implementation in SMEs? And how can harmonisation be advanced across Europe so that companies do not have to navigate 27 different interpretations? Initiatives such as the NIS Cooperation Group and ENISA guidelines are promising here (ENISA, 2025).
For SMEs and suppliers, the conclusion is: NIS 2 is an obligation, but a feasible and sensible one. Those who underestimate it risk compliance violations and endanger their business relationships. Those who, however, take it seriously and implement it strategically can position themselves as pioneers in cybersecurity, a status that is increasingly becoming a core requirement in a digitally connected economy. Kopexa as a compliance platform is already accompanying many of these companies on their journey and helping to ensure that the German SME sector does not merely react "as required" but advances to become a thought leader in the field of Governance, Risk & Compliance. Today's underestimated obligation can thus become tomorrow's competitive advantage.
Frequently Asked Questions
- Which companies are affected by the NIS 2 directive?
- NIS 2 applies to companies in 18 critical sectors. Essential entities are, as a rule, large enterprises (250+ employees, or annual turnover above EUR 50 million and balance sheet total above EUR 43 million) in the Annex I sectors, plus certain entities that are covered regardless of size. Important entities are medium-sized enterprises (50+ employees, or turnover and balance sheet total above EUR 10 million) in the Annex I or Annex II sectors, and large enterprises in Annex II. This means thousands of SMEs and suppliers fall under regulation for the first time.
- What penalties apply for NIS 2 non-compliance?
- Important entities face fines of up to 7 million euros or 1.4% of total worldwide annual turnover; essential entities face fines of up to 10 million euros or 2% of worldwide annual turnover. In each case the higher amount applies.
- What must management boards do under NIS 2?
- Management must oversee and govern cybersecurity measures, undergo regular training on cyber risks, and can be held personally liable for violations. Cybersecurity is now explicitly a board-level responsibility.
- How does NIS 2 relate to ISO 27001?
- An ISO 27001 certification covers approximately 70% of NIS 2 requirements, particularly risk analyses and organizational controls. However, regulatory reporting obligations, registration with authorities, and specific governance requirements must be addressed separately.
- What are the incident reporting deadlines under NIS 2?
- An early warning must be sent to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident. A detailed incident notification is due within 72 hours of becoming aware. A final report documenting the root cause and countermeasures must be submitted not later than one month after the incident notification; if the incident is still ongoing at that point, a progress report is due instead and the final report follows within one month of handling the incident.
- What role does supply chain security play in NIS 2?
- Companies must impose security requirements on their suppliers and service providers, assess their security practices, and agree on contractual minimum standards. Even suppliers not directly regulated are effectively pushed toward NIS 2 compliance through this flow-down effect.