dbrd

NIS2 Compliance Checklist: What DACH SMEs Must Do Now

Belgium enforced NIS2 in April 2026. 84% of organizations aren't ready. Here is the practical compliance checklist for DACH SMEs with 50-250 employees.

NIS2 compliance checklist for German and Austrian small and medium enterprises

NIS2 Compliance Checklist: What DACH SMEs Must Do Now

Belgium enforced the NIS2 Directive on April 18, 2026 — the first EU member state to do so. Essential entities must submit verified self-assessments via three pathways: CyberFundamentals, ISO 27001, or direct CCB inspection. Self-attestation alone is not accepted.

Twenty-two of 27 member states have transposed NIS2 into national law. Germany is among them. The NIS-2-Umsetzungsgesetz is in effect, and the BSI registration deadline passed on March 6, 2026.

A CyberSmart survey of 670 business leaders across 8 countries found that 84% of organizations under active enforcement admit they are not ready. Only 16% feel fully prepared. Eleven percent are still unsure what NIS2 requires.

If your DACH SME has 50-250 employees and operates in a critical sector — energy, transport, manufacturing, digital infrastructure, managed IT services — this checklist is your starting point. Completing these steps does not guarantee compliance on its own, but it covers the controls auditors will examine first.

Step 1: Confirm Your Scope

NIS2 applies if (a) you operate in a sector listed in Annex I or Annex II of Directive EU 2022/2555, AND (b) you meet the size threshold: at least 50 employees OR annual turnover exceeding €10M.

Key nuance: size aggregation applies. A subsidiary with 40 employees may still be in scope if the parent group exceeds the thresholds. This catches many Mittelstand GmbHs organized as holding-plus-subsidiary structures.

The two-tier classification determines everything downstream:

  • Essential entities (Annex I, large: 250+ employees or €50M+ turnover): Proactive supervision, fines up to €10M or 2% of global turnover.
  • Important entities (Annex II, medium: 50-249 employees): Reactive supervision, fines up to €7M or 1.4% of global turnover.

Most DACH SMEs fall into the “Important” category. The supervision model is lighter, but the liability is not.

Step 2: Register with the BSI

If your entity is in scope, registration with the Bundesamt für Sicherheit in der Informationstechnik (BSI) was due by March 6, 2026. If you missed this deadline, you are not in a grace period — you are in non-compliance.

Late registration is still better than no registration. Contact the BSI immediately. Document the registration attempt and the response. If enforcement action follows, demonstrating that you identified your obligation and acted on it (even late) reduces penalty severity under the principle of proportionate enforcement.

Step 3: Implement Access Controls — First Thing Auditors Check

This is the compliance task with the highest impact-to-effort ratio. Auditors examine access management, credential policies, and MFA first — because these are the controls with the clearest audit trail and the fastest to implement.

The CyberSmart survey found that only 23% of organizations have enforced MFA. That means 77% are failing on the most basic NIS2 control.

For a 50-200 person SME, the implementation is straightforward:

  • Enforce MFA on all administrative accounts within 2 weeks
  • Enforce MFA on all email and document access within 4 weeks
  • Review active accounts and disable dormant ones. A clean access list of 50 active users beats a messy list of 50 active + 30 orphaned accounts
  • Implement a password policy that meets NIS2 baseline: 12-character minimum, no rotation requirement (NIST SP 800-63B does not recommend arbitrary rotation), block compromised passwords
  • Document the entire access control architecture — this is what the auditor reviews

For companies running Google Workspace, this is configurable in the Admin Console under Security > Authentication. MFA enforcement, session duration policies, and device management are available without third-party tools.

Step 4: Conduct a Gap Analysis

You cannot fix what you have not measured. A NIS2 gap analysis compares your current cybersecurity posture against the directive’s 10 categories of measures (Article 21):

  1. Risk analysis and information security policies
  2. Incident handling
  3. Business continuity and crisis management
  4. Supply chain security
  5. Security in acquisition, development, and maintenance
  6. Vulnerability handling and disclosure
  7. Testing and auditing
  8. Cryptographic measures
  9. Personnel security and access control
  10. Use of multi-factor authentication and secure communication

The CyberSmart survey found that only 26% of organizations have conducted a NIS2 gap analysis. This is the single most impactful step: it tells you exactly where you fall short and what to prioritize.

Step 5: Establish Incident Response and Reporting

NIS2 Article 23 requires reporting of significant incidents. The timeline is tight:

  • Early warning: within 24 hours of becoming aware of a significant incident
  • Notification: within 72 hours
  • Intermediate report: as requested by the CSIRT
  • Final report: within one month

For a DACH SME that has never documented an incident response procedure, this is a significant operational change. You need:

  • A documented incident classification system (what counts as “significant”)
  • A named incident response lead with defined authority
  • Communication templates for early warning and notification
  • A logging and forensics capability that captures the necessary data within 24 hours

If none of this exists, start with a one-page runbook. It does not need to be a 50-page policy document. It needs to exist, be tested, and produce the right data under pressure.

Step 6: Document Supply Chain Risk

This is the hardest NIS2 requirement. Only 23% of organizations have assessed their supply chain risk. The challenge is practical: most SMEs do not have leverage over their software vendors, cloud providers, or MSPs.

The compliance path for a DACH SME:

  • Map your suppliers: who handles your data, where is it processed, what security controls do they advertise
  • Request SOC 2 reports, ISO 27001 certificates, or equivalent attestations from each critical supplier
  • Document the response (or lack thereof). If a supplier refuses to provide security documentation, note that as a risk in your register
  • Prioritize suppliers that provide NIS2-relevant services: cloud infrastructure, managed IT, identity providers, backup services

Germany’s individual manager liability under Article 20 means responsibility cannot be delegated to “the IT provider.” The Geschäftsführer is accountable. If your managed services provider does not have documented NIS2 controls, you bear the risk — not them.

Step 7: Assign Board-Level Accountability

NIS2 Article 20 requires management to approve cybersecurity measures and receive training. In Germany, individual managers face fines up to €500,000 for governance failures.

This changes the compliance conversation from a technical IT project to a Geschäftsführung responsibility. The Geschäftsführer must:

  • Approve the risk management measures in writing
  • Attend NIS2-specific training (documented, with certificate)
  • Receive regular reports on cybersecurity posture (quarterly minimum)
  • Be named explicitly in the compliance documentation

The days of “IT handles security” are over. Under NIS2, the Geschäftsführer is on the line — personally, and in euros.

The Takeaway

NIS2 compliance is not a checkbox exercise. It is an operational condition that requires documented controls, continuous monitoring, and accountable ownership. The 84% readiness gap is not permanent — it reflects that most organizations have not yet started the process. Starting now puts you ahead of the curve, not behind it.

Access controls, gap analysis, and incident response documentation are the three highest-impact steps. If you complete those three first, you have addressed the controls auditors examine most and reduced your most material risks.

The controls that matter most — access management, MFA, incident response, supply chain documentation — are achievable without a massive budget. What they require is focused execution, documented decisions, and someone accountable for the outcome.

For DACH SMEs running Google Workspace, most access controls can be configured directly in the admin console without additional tools. Managed Google Workspace covers this baseline. For the broader compliance framework — gap analysis, incident response documentation, supply chain assessment — our services provide the operational backbone that keeps NIS2 requirements running continuously, not just checked once.

© 2026 dbrd. All rights reserved.