NIS2 for SMEs: what managing directors in Bavaria really need to do in 2026
Many mid-sized businesses in Bavaria underestimate their NIS2 obligations. What the directive requires, who it applies to, and what a realistic implementation looks like.
"Doesn't apply to us, we are too small." We still hear that in advisory conversations on NIS2 — from managing directors of mid-sized companies that employ 60 or 80 people, generate annual revenues of 15 to 40 million euros, and are nevertheless convinced that the EU directive plays no role for them.
Most of the time, they are wrong.
Who actually falls under NIS2 — and who is mistaken
The NIS2 directive distinguishes between "essential" and "important" entities. The thresholds frequently cited — 50 employees or 10 million euros in annual turnover — apply to the lower category. That sounds like a wide net, but the numbers alone are not decisive in every sector.
The decisive factor is the sector. A metal company in Traunstein with 45 employees that produces parts for the automotive industry can be covered through the supply chain — even if it doesn't reach the thresholds. Anyone who counts as a critical supplier to an essential entity carries indirect obligations. That is the point most underestimated in practice.
In recent months we have held initial consultations with companies from the Chiemgau and the Berchtesgadener Land. Of nine mid-sized businesses that thought they were "definitely not affected," after analysis four were directly covered, three were relevant via supply-chain obligations — and only two were genuinely outside the scope.
What the German NIS2 transposition law actually requires
Germany has transposed the NIS2 directive through the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). The essential obligations for affected companies:
Risk management: every covered company must introduce a documented risk-management system for cybersecurity. Not a paper tiger, but a living document with regular reviews.
Reporting obligations: significant security incidents must be reported to the BSI within 24 hours — an initial report, not the full analysis. That presupposes that internal detection and escalation processes exist at all.
Supply-chain security: companies must assess the security of their IT service providers and critical suppliers. That is new and affects many who previously assumed responsibility lay with the service provider.
Managing director liability: this is the point that deserves attention. In the case of culpable breaches of obligations, managing directors are personally liable — not just the company, but the individual.
What a realistic 90-day implementation looks like
A food processing company in Bad Reichenhall — 130 employees, supplier to regional retail and to a nationally operating discounter — engaged us last autumn for the NIS2 preparation. Starting position: no documented IT processes, no formal security policy, backup concept on a 2019 footing.
We structured the process in three phases:
Phase 1 (weeks 1–3): inventory. Capture the IT inventory completely, identify critical systems, document existing protection measures. What did we find? A terminal server that hadn't received a security update in three years because "it's running." Six user accounts of former employees that were still active. And a backup that had last been manually tested eight months prior.
Phase 2 (weeks 4–8): measures. Prioritised by risk, not by effort. Critical patches first. Identity management cleaned: 47 accounts deactivated, including three with admin rights. Backup process automated and brought into the monitoring rhythm. Emergency plan for reporting obligations created — who reports what, to whom, in what timeframe.
Phase 3 (weeks 9–12): documentation and training. The technical measures are of little use if employees don't know how to handle phishing emails or how to escalate an incident internally. We introduced a two-hour mandatory training — no death-by-presentation, but simulation exercises with concrete scenarios from the industry.
The result after 90 days: the company meets the essential NIS2 requirements and for the first time has a documented security baseline. No certificate, no gold standard — but a sound foundation.
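To show how the Phase 1 inventory findings become the risk-ordered worklist that Phase 2 calls for, here is an added Python example; it is not code from the consultancy or the client in this case study. The thresholds, asset names and accounts are constructed assumptions modelled on the findings above, not figures from NIS2UmsuCG.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions chosen for this example, not figures from NIS2UmsuCG.
MAX_PATCH_AGE_DAYS = 90        # system unpatched longer than this -> finding
MAX_BACKUP_TEST_AGE_DAYS = 30  # restore test older than this -> finding

@dataclass
class Asset:
    name: str
    critical: bool                   # identified as critical in the inventory
    last_patched: date
    last_backup_test: "date | None"  # None: no backup exists for this asset

@dataclass
class Account:
    user: str
    enabled: bool
    employee_active: bool            # False once HR has recorded the departure
    admin: bool

def triage(assets, accounts, today):
    """Score findings so measures can be ordered by risk, not by effort."""
    findings = []
    for a in assets:
        weight = 5 if a.critical else 0
        patch_age = (today - a.last_patched).days
        if patch_age > MAX_PATCH_AGE_DAYS:
            findings.append((patch_age // 30 + weight, a.name, "security updates overdue"))
        if a.last_backup_test is None:
            findings.append((10 + weight, a.name, "no backup"))
        else:
            test_age = (today - a.last_backup_test).days
            if test_age > MAX_BACKUP_TEST_AGE_DAYS:
                findings.append((test_age // 30 + weight, a.name, "backup restore untested"))
    for acc in accounts:
        if acc.enabled and not acc.employee_active:  # account outlived the employee
            findings.append((8 if acc.admin else 4, acc.user, "active account of former employee"))
    return sorted(findings, key=lambda f: f[0], reverse=True)

def run_sample():
    # Constructed inventory modelled on the findings described above; not real customer data.
    today = date(2026, 3, 1)
    assets = [Asset("TS01 terminal server", True, date(2023, 2, 1), date(2025, 7, 1)),
              Asset("FS01 file server", True, date(2026, 2, 15), date(2025, 7, 1)),
              Asset("WS-PRINT", False, date(2026, 2, 20), None)]
    accounts = [Account("m.former", True, False, True),
                Account("k.staff", True, True, False)]
    return triage(assets, accounts, today)
```

The three-year-old terminal server lands at the top of the list and the former employee's admin account is flagged even though nothing about it looks broken; the scoring weights are deliberately crude and should be replaced by the risk criteria the company adopts in its own risk-management system.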
What managing directors need to know before they sign
NIS2 implementation is not an IT project. That is the most important sentence we say in initial conversations. If a managing director delegates responsibility entirely to the IT department or an external service provider and then signs the closing report without understanding it, they have not solved the liability problem — they may have aggravated it.
What managing directors must concretely do: understand and formally adopt the risk analysis. Ensure that reporting chains are defined and tested. And honestly check whether the resources for permanent operation of the risk-management system are available — not just for the introduction.
For companies that have not yet assessed whether they fall under NIS2, we offer a free initial assessment. Details on our IT security & cybersecurity offering and on our IT consulting for digitalisation projects can be found on the corresponding pages.
Discuss your project?
We deliver what we describe here — in Bavaria and across the entire DACH region.