NIS2 is here: who is covered, what is required and why SMBs should care
18 July 2026 · 7 min read · INTO MSP team
NIS2, the EU's cybersecurity directive, has stopped being a future topic. Member states have been rolling out national implementation laws, Germany's entered into force in December 2025, and Serbia aligned its own Law on Information Security with NIS2 in October 2025. The common thread everywhere: far more companies are covered than under the old rules, and many of them do not know it yet.
If your company always assumed cybersecurity regulation was a problem for banks and telecoms, this is the round of legislation written specifically to change that.
What NIS2 actually changes
The original NIS rules covered a narrow set of operators. NIS2 widens the net dramatically: energy, transport, health, food production, waste management, postal services, manufacturing, digital infrastructure and managed IT services, among others. Entities are classified as essential or important, with stricter supervision for the first group.
The size threshold is what pulls in mid-sized companies: as a rule, you are in scope if you operate in a covered sector and have more than 50 employees or over 10 million euros in annual turnover. In Germany alone that put roughly 29,500 entities in scope, a seven-fold increase, and companies had to register with the federal cyber authority within three months.
The obligations, in plain language
Strip away the legal layer and NIS2 asks for what a well-run company should have anyway:
- A risk assessment: what is critical, what can fail and what that would cost
- Technical and organizational security measures proportionate to the risk, with evidence they exist
- An incident response plan: who does what when something happens
- Incident reporting to the authorities on a deadline measured in hours, not weeks
- Management accountability: leadership must oversee cybersecurity and train for it, personally
The reporting deadline is the biggest practical change. An early warning within 24 hours means your company must know in advance how it recognizes an incident, who assesses it and who reports it. That is not something to improvise during the night your systems are down.
Fines are real, but they are not the main cost
EU implementations carry fines up to 10 million euros or 2 percent of annual turnover for essential entities. Serbia's aligned law has far smaller fines, up to about 17,000 euros, but the arithmetic is the same everywhere: the fine is the smallest line on the bill. Downtime, recovery, lost clients and years of legal tail are the expensive part, as we broke down in our article on what a data breach really costs. Regulation just adds formal accountability on top, with supervision and records.
The supply chain effect: you are covered even when you are not
Even if your company falls outside the scope, NIS2 reaches you through your clients. Covered entities are explicitly required to manage the security of their supply chain, which means they push security requirements into contracts with vendors, IT providers, accountants, logistics partners. The question "are you compliant" arrives from a client long before any inspector shows up. For companies selling into the EU, especially the DACH market, security posture is quietly becoming a sales prerequisite.
What to do now, in a sensible order
For a small or mid-sized company the reasonable sequence is:
- Check your sector: health, manufacturing, transport, food, waste, digital and IT services are all covered
- Build an inventory: which systems and data are critical and who has access
- Put the basics in place: MFA, tested backups, access control, logging
- Write a one-page incident plan: who assesses, who reports, who talks to clients
- If you are someone's vendor, prepare answers to security questionnaires before they arrive
The good news: this list protects the company regardless of any law. Compliance then stops being a separate project and becomes a byproduct of well-run IT. If you are not sure where you stand, a short review shows the gaps against these requirements and what to close first.
Want this handled, without the drama?
INTO MSP runs security, backup and IT for small and mid-size companies. Step one is a short, no-obligation review.
IT Consulting & vCIO → Contact