Compliance Series
NIS2 Scope and SME Applicability
NIS2 Directive: What EU and German Companies Must Know
Introduction
The NIS2 Directive (Directive (EU) 2022/2555) establishes a strengthened cybersecurity framework across the European Union. It expands the scope of the original NIS Directive and introduces stricter risk management, governance, and incident reporting obligations for companies operating in critical and important sectors.
EU Member States were required to transpose NIS2 into national law by October 2024. In Germany, implementation occurs through amendments to the BSI Act and the NIS2 Implementation Act, significantly increasing regulatory expectations for affected organizations.
Background: Why NIS2 Was Introduced
NIS2 was adopted to respond to the rising number and sophistication of cyber threats across Europe. Its objective is to harmonize cybersecurity standards, close regulatory gaps, and ensure that essential services remain operational even during significant cyber incidents.
Compared to its predecessor, NIS2 substantially broadens the number of sectors covered and shifts accountability directly to company management. Supervisory authorities now have stronger enforcement powers, including the ability to impose significant administrative fines.
Which Companies Are in Scope?
NIS2 applies to entities operating in defined critical and important sectors. These include:
Energy, transport, banking and financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure (including cloud providers and data centers), public administration, space, postal services, waste management, chemicals, food production, and certain manufacturing sectors.
Organizations are classified as either “essential entities” or “important entities,” depending on their sector and significance.
As a general rule, companies are in scope if they have at least 50 employees or generate at least €10 million in annual turnover or balance sheet total, provided they operate in a covered sector.
Does NIS2 Apply to Small Companies?
In most cases, micro and small enterprises fall outside the automatic scope of NIS2. However, there are important exceptions.
Small companies may still be covered if they provide critical services, act as sole providers in a market, play a key role in national supply chains, or are specifically designated by national authorities.
Therefore, company size alone does not guarantee exemption. A structured assessment of sector classification and business activities is required.
Core Obligations Under NIS2
In-scope entities must implement comprehensive cybersecurity risk management measures. These include:
Documented security policies and risk assessments, incident detection and response processes, business continuity and crisis management planning, supply chain security controls, and regular evaluation of technical and organizational safeguards.
Management bodies are explicitly responsible for approving and overseeing cybersecurity measures. Personal liability risks may arise in cases of serious non-compliance.
Incident Reporting Requirements
NIS2 introduces strict and staged reporting obligations for significant cybersecurity incidents:
An early warning must be submitted within 24 hours of becoming aware of the incident.
A formal incident notification must follow within 72 hours.
A final report, including root cause analysis and mitigation measures, must be submitted within one month.
In Germany, incidents must generally be reported to the Federal Office for Information Security (BSI).
Enforcement and Sanctions
Supervisory authorities have expanded investigative and enforcement powers under NIS2. Administrative fines may reach up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of global annual turnover for important entities.
Authorities may also impose binding security instructions, conduct audits, and require corrective measures.
Conclusion: Early Assessment Is Critical
NIS2 significantly raises cybersecurity expectations across the EU. While many small companies are not automatically covered, the broadened sector scope means thousands of additional mid-sized organizations must now comply.
The first practical step is a structured scope analysis: Which services are provided? Which sector applies? Does the organization exceed the size threshold? Early clarification reduces legal risk and enables structured compliance planning.
Sources
Directive (EU) 2022/2555 (NIS2 Directive), Official Journal of the European Union
German NIS2 Implementation Act and amendments to the BSI Act
European Commission – NIS2 policy overview
Federal Office for Information Security (BSI) – NIS2 guidance