Emre Yurtbay · 2 min read

NIS2 for SMBs – what small businesses should do now

Germany's NIS2 implementation law is in force. Who is affected, why even small suppliers feel it – and the first concrete steps.

Tags: NIS2, IT security, Compliance, SMB, Law

For a long time NIS2 was a "someday" topic. That's over: Germany's NIS2 implementation law (NIS2UmsuCG, the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz) has been in force since 6 December 2025. Around 30,000 companies across 18 sectors are directly affected – and many more indirectly, via the supply chains of those companies.

Note: This article is not legal advice. It frames the situation and names first steps. As of May 2026.

Am I even affected?

There are two categories, each defined by a size threshold (the employee count or the financial criteria is enough to qualify):

  • Essential entities: from roughly 250 employees, or more than €50M annual turnover together with more than €43M balance sheet total.
  • Important entities: from roughly 50 employees, or more than €10M annual turnover together with more than €10M balance sheet total – in sectors such as logistics, machinery, food, pharma, digital services, postal/courier services and others.

Many small businesses are below these thresholds and are not directly obligated. But that is not the end of the story:

What small SMBs often overlook: the supply chain

NIS2 requires affected companies to manage the security of their supply chain, which includes their direct suppliers and service providers. In practice that means: your larger customers pass security requirements down to you contractually (questionnaires, minimum controls, audit rights, incident notification clauses) – even if you formally don't fall under NIS2 yourself. "We're too small for that" is therefore rarely the whole truth.

What it's about substantively

At its core NIS2 requires appropriate risk-management measures, including:

  • Risk analysis and a security concept
  • Incident detection and reporting obligations for significant security incidents (early warning within 24 hours, incident notification within 72 hours)
  • Backup, contingency and recovery management
  • Supply-chain security, access control, encryption, MFA
  • Management responsibility – including personal liability: management must approve and oversee the measures, and cannot delegate this away

Registration deadlines have already run: affected entities had to register with the BSI by 6 March 2026, three months after the law took effect. The "grace period" that the delayed legislation effectively granted is over.

The first concrete steps

  1. Clarify exposure: are you directly obligated, or required via customers in the supply chain? Take both seriously; the second case arrives as a customer questionnaire or contract clause, not as a letter from the regulator.
  2. Gap analysis: where do you stand today against the requirements (backups, MFA, patching, contingency plan, reporting paths, asset inventory)?
  3. Quick wins first: MFA everywhere, backups that are actually restore-tested, a patch routine with defined timelines, staff awareness – that lowers real risk immediately, regardless of the legal question.
  4. Document: make measures verifiable (who is responsible, what is done, when it was last checked). No documentation, no compliance – and no answer for the customer questionnaire either.

Much of this is solid IT security that's sensible anyway – NIS2 just makes it mandatory. If you already have a clean GDPR setup, you're not starting from zero.

Conclusion

NIS2 is no reason for panic, but it is a reason to act. Even small companies should actively check their exposure – at the latest when the first big customer sends the questionnaire.

Want to know if and how NIS2 affects you? In a free initial consultation we'll frame your situation – soberly and without scaremongering.
