NIS-2 SME: Scope, Duties, 2025 Roadmap
NIS-2 SME: thresholds, 18 sectors, reporting duties and management liability. Operational roadmap for mid-sized industrial operators.
The NIS-2 Directive captures around 29,000 companies in Germany according to estimates by the Federal Ministry of the Interior. Most are mid-sized operators that were not classified as KRITIS before. Anyone exceeding 50 employees and operating in one of the 18 sectors must check on their own whether they fall under the directive. There is no official classification letter. The following text breaks the duties down into operational building blocks.
NIS-2 SME: Who falls under the directive?
The thresholds are defined clearly. NIS-2 applies from 50 employees or 10 million euros annual turnover, provided the company operates in one of the 18 sectors listed in Annex I or II. Both conditions must be met: size and sector.
The directive distinguishes two categories. Essential entities (from 250 employees, or 50 million euros turnover and 43 million euros balance sheet total) are subject to stricter supervisory rules and higher fine ranges. Important entities (from 50 employees or 10 million euros turnover) have the same catalogue of duties but are supervised reactively.
A special case: SMEs below the threshold can still be in scope if they act as sole provider of a critical service in a region or member state. Trust service providers, DNS operators, TLD registries and providers of public electronic communication networks fall under NIS-2 regardless of size.
Mandatory self-identification is the central difference compared to the old KRITIS logic. There is no letter from the BSI. Each company has to check, register and report on its own. Anyone who skips the check and is in scope remains liable.
Micro-entities under 10 employees and 2 million euros turnover are exempt, with exceptions for DNS, TLD and trust services. The KritisV defines sector-specific thresholds on which the NIS-2 sector logic methodically builds, although the NIS-2 thresholds are lower and capture more midmarket firms.
Next step: align the scope check against the KRITIS Umbrella Act checklist.
The 18 sectors in detail
Annex I lists the sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration and space. Anyone operating in one of these sectors from 250 employees becomes an essential entity automatically.
Annex II covers the other critical sectors: postal and courier services, waste management, manufacture and trade of chemicals, food, manufacturing, digital providers and research. These sectors are classified as important entities.
Manufacturing is the broadest catch-all. Captured are makers of medical devices, in-vitro diagnostics, computers, electronic and optical products, electrical equipment, machinery, motor vehicles, motor vehicle parts and other vehicles. A machinery builder with 80 employees and 15 million euros turnover is in scope.
Food: wholesale as well as industrial processing and production are in scope. Retail is exempt. A dairy with its own distribution to supermarkets is in, the farm shop is out.
Chemical industry: manufacture, trade and storage of dangerous substances under the CLP Regulation are covered. A midmarket coatings producer with 60 employees also meets the criteria if it places classified mixtures on the market.
Duties under Article 21 NIS-2
The NIS-2 Directive explicitly requires measures for physical security of facilities in Article 21, as well as risk management across ten domains. The list of duties is exhaustive and applies identically to essential and important entities.
Risk management comes first. Required are a documented risk analysis, an assessment of the concrete threat landscape and regular updates. A one-off document is not enough. Only what is demonstrably maintained is audit-ready.
The ten areas of security measures cover backup management and recovery, incident response, business continuity, supply chain security, security in acquisition and development of systems, effectiveness assessment, cryptography and encryption, personnel security and access control, multi-factor authentication and training.
Physical security is required explicitly. Article 21(2)(e) names security of facilities, perimeter protection and access control as duties of equal rank alongside IT measures. Many SMEs do not read this from the statute and focus exclusively on firewalls and patch management.
Training and awareness of all personnel are subject to documentation and audit duty. Ad hoc e-learnings are not sufficient for audit reviews.
Supply chain security requires assessment of direct suppliers including security service providers, maintenance contractors and IT providers. Anyone contracting an external guard service must document its security level.
Reporting duties: 24, 72, 30 days
The reporting cascade has three stages. Within 24 hours of becoming aware of a significant incident, an early warning must be submitted to the competent authority. The notification contains first indications of unlawful or malicious activity. Cross-border effects must also be stated.
Within 72 hours follows the actual incident notification with an initial impact assessment, a severity rating and available indicators of compromise.
Within one month the final report is due: detailed incident description, root cause analysis, measures taken and planned, cross-border effects.
The BSI is the national reporting body and operates the registration platform for entities in scope. In parallel to the BSI notification, recipients of the service must be informed if they are significantly affected by the incident.
Definition of a significant incident: severe operational disruption of the service, significant financial loss for the affected entity or significant material or immaterial damage to third parties. The thresholds are imprecise, which complicates practice. When in doubt, report.
Management liability and sanctions
Management bodies must approve the risk management measures and oversee their implementation. The duty is personal and cannot be delegated to IT leadership. The CISO can prepare, the responsibility stays with the managing director or board.
In case of breach of duty, personal liability applies. Management bodies can be held liable for damages arising from inadequate implementation. A D&O policy does not necessarily cover gross breaches of duty.
The fine ranges are tiered. For essential entities they go up to 10 million euros or 2 percent of worldwide annual turnover, whichever is higher (Art. 34 NIS-2 Directive). For important entities the ceiling is 7 million euros or 1.4 percent.
Management bodies must attend mandatory training on cybersecurity risks and offer similar training to their staff. Attendance is subject to documentation duty.
A deeper look at the liability questions: Board liability under NIS-2.
Physical security as a NIS-2 duty
Article 21(2)(e) explicitly requires measures for physical security of facilities. That is not interpretive latitude, it is the wording of the statute. Perimeter protection, access control, video surveillance and protection of critical facilities from unauthorised physical access belong to the duty catalogue.
Audit practice checks this on site through spot checks. A documented authorisation concept without a working door is not enough. Anyone operating a transformer site, a server room cluster or a chemicals storage area must demonstrate physical protection.
Autonomous security robots meet three requirements at once: gap-free patrol documentation, continuous presence without staff rotation and automatic audit trails. Every round is logged with timestamp, sensor data and waypoint. The logs are immutable and available for audit review.
QR-2 for outdoor perimeters detects intruders via thermal sensors even with visibility restricted by fog, rain or darkness. Operation runs 24/7 without shift change, breaks or sick leave.
The cost comparison is what carries the CFO presentation. According to BDSW industry data, a 24/7 guard post costs 15,000 to 25,000 euros monthly per stationary post, depending on tariff region and qualification. QR-2 under the Robotics-as-a-Service model is around 3,500 euros per month. Detailed calculation: TCO guard service versus robotics.
Registration and implementation deadline
The German transposition runs through the NIS2UmsuCG. Entry into force is delayed compared to the original EU deadline of 17 October 2024 (Art. 41 NIS-2 Directive). Preparation is mandatory nonetheless, because the duties apply immediately upon entry into force and no transition period for the ten security measures is foreseen.
Registration with the BSI is required within three months after the national transposition takes effect. Anyone who fails to register risks fines based on the registration default alone.
Data to be provided: name of the entity, address, current contact data including email and phone, sector and sub-domain per Annex I or II, list of member states where services are provided, IP address ranges for DNS and cloud services.
Update duty: changes to master data must be reported within two weeks. This covers personnel changes in management, address changes and sector changes.
Recommended preparation path: gap analysis against Article 21, action plan with responsibilities and deadlines, pilot rollout of the most critical controls before entry into force. Anyone who only starts implementing once the duties take effect has no chance of operating the reporting chain within the 24-hour window.
Concrete roadmap for SMEs
The week numbers below apply from project start. A 15-week programme is realistic for a mid-sized industrial operator with 80 to 250 employees.
Week 1 to 2: scope check. Match employee count, annual turnover and balance sheet total with the thresholds. Assignment to Annex I or II. Document the decision with date and responsible person. For borderline cases involve external legal counsel.
Week 3 to 6: gap analysis against the ten duty areas from Article 21. Each area is rated on three levels: met, partially met, not met. Evidence is captured directly. Focus on physical security, supply chain and reporting chain, because most SMEs have gaps here.
Week 7 to 10: prioritise quick wins. MFA for all admin access, tested backup recovery, documented physical access control for server rooms and production control rooms. Estimate cost and effort per measure.
Week 11 to 14: management decision on the action programme, training plan for staff and leadership, supplier audit for the ten highest-revenue providers including security and maintenance firms.
From week 15: implementation in steady-state operation, annual audit cycles, semi-annual reporting chain drill with stopwatch. The 24-hour early warning must be practised before it is asked for in earnest.
For external support along the roadmap, NIS-2 compliance at Quarero provides the gap analysis template and a pilot package for physical security. Reference implementations from manufacturing are documented there as well. Request the QR-2 pilot package for a four-week test of the QR-2 patrol at your own site.