
NIS2 in medium-sized companies: The 10 most expensive mistakes in implementation
Two thirds are not compliant - are you one of them?
The NIS2 Implementation Act has been in force since December 6, 2025. Around 29,000 companies in Germany are affected - most of them are facing such regulation for the first time. According to a current Computerwoche study, two thirds have not yet fully implemented NIS2.
Medium-sized businesses in particular are struggling. The requirements are complex, the resources are limited and the deadlines are short. Here are the 10 most costly mistakes we see in practice — and how to avoid them.
Mistake 1: “We are too small for NIS2”
The thresholds: If you have 50 employees OR €10 million in sales in one of the 18 defined sectors, you fall under NIS2. But smaller companies can also be affected - as part of the supply chain of larger companies or as providers of digital services.
Tip: Use the BSI impact check — the result is available in 5 minutes.
Mistake 2: “The IT department will take care of it”
NIS2 makes cybersecurity a matter for top management. §38 NIS2UmsuCG states unequivocally: Management must approve the risk management measures and monitor their implementation. This duty cannot be delegated to the IT manager or CISO.
The consequence: Managing directors are personally liable with their private assets. This applies to GmbH managing directors as well as to board members of an AG.
Mistake 3: “We have registered — we are compliant”
BSI registration by March 6, 2026 is mandatory. But it is only the starting signal, not the finish line. After registration you must:
• Implement risk management measures according to §30
• Establish reporting processes for security incidents
• Conduct regular audits
• Secure your supply chain
• Prove training for management and employees
Mistake 4: No ISMS in place
NIS2 requires a systematic information security management system (ISMS). Many medium-sized companies have so far practiced “IT security” but have not had a structured management system.
Reality: Building an ISMS takes 6-12 months. Anyone who starts now will not meet the full NIS2 requirements until the end of 2026 at the earliest. The good news: If you already have ISO 27001, you already cover 70-80% of the requirements.
Mistake 5: Underestimating reporting requirements
The NIS2 reporting requirements are strict and already apply:
• 24 hours: Initial report to the BSI (“significant security incident”)
• 72 hours: Updated report with assessment and indicators
• 30 days: Final report with root cause analysis and measures
Many companies have neither the processes nor the tools to report a security incident within 24 hours. This becomes a problem during the first BSI audit.
Mistake 6: Ignoring the supply chain
NIS2 introduces the concept of “shared responsibility”: you share responsibility for security incidents in your supply chain. This means:
• Systematic risk assessment of all critical service providers
• Contractual security requirements (not just a data protection clause)
• Regular audits or certification evidence from your suppliers
• Incident response plans that include your supply chain
This is a blind spot, especially for medium-sized companies that use cloud services, SaaS tools or external IT service providers.
Mistake 7: Forgetting training
NIS2 requires cybersecurity training at two levels:
1. Management: Must have verifiably completed NIS2 training. No proof = liability risk.
2. Employees: Regular security awareness training is mandatory. Phishing simulations, password hygiene, safe AI use.
And since February 2025, the AI skills training requirement pursuant to Article 4 of the EU AI Act has also applied to all employees who work with AI systems.
Mistake 8: Budget released too late
ISMS setup, training, tools, external consulting — NIS2 compliance costs money. Typical budgets for medium-sized businesses:
• ISMS setup: €50,000-150,000 (depending on company size)
• External audits: €10,000-30,000 per year
• Security tools (SIEM, vulnerability scanning): €20,000-80,000 per year
• Training: €5,000-20,000 per year
For comparison: A NIS2 fine can be up to €10 million. Investing in compliance is insurance.
Mistake 9: “We have ISO 27001 — that’s enough”
ISO 27001 is an excellent basis and covers the majority of NIS2 requirements. But there are gaps:
• Reporting obligations with fixed deadlines (24h/72h/30d) - do not exist in ISO 27001
• Personal management responsibility — ISO 27001 does not recognize any managerial liability
• Supply chain security in depth - NIS2 goes much further
• Business continuity management — not covered in all ISO 27001 implementations
Anyone who has ISO 27001 should perform a gap analysis against NIS2. The effort is manageable.
Mistake 10: Forgetting AI risks
Perhaps the most expensive mistake: not including AI systems in NIS2 risk management. Any AI tool — whether ChatGPT, Copilot or an internal ML pipeline — is an ICT system and is subject to NIS2 risk management requirements.
In addition, the high-risk obligations of the EU AI Act will apply from August 2026. Companies that use AI (which according to studies are already 42%) need an AI governance framework that covers both regulations.
We explain what an integrated NIS2+AI framework looks like in our AI Governance Consulting Offer.
Checklist: NIS2 compliance for medium-sized businesses
☐ Impact check carried out
☐ BSI registration completed by March 6, 2026
☐ Proven managing director training completed
☐ ISMS built or expanded (ISO 27001 as a basis)
☐ Reporting processes established for 24h/72h/30d
☐ Supply chain risk assessment carried out
☐ Security awareness training for all employees
☐ AI inventory created and integrated into risk management
☐ Business continuity plan created and tested
☐ Budget for 2026/2027 released
Frequently asked questions
How much time do I realistically need for full NIS2 implementation?
6-12 months for a complete ISMS. The first quick wins (registration, training, reporting processes) are possible in 2-4 weeks.
Can we implement NIS2 internally or do we need external advice?
Small and medium-sized companies usually benefit from external support - at least for the initial gap analysis and ISMS development. Ongoing maintenance can then be carried out internally.
What does the BSI check during an audit?
Risk management, reporting processes, training records, technical measures, supply chain management and documentation. The BSI can carry out unannounced audits.
Conclusion
NIS2 is not an IT project — it is a business issue. The most common mistakes do not arise from a lack of knowledge, but from underestimation. Small and medium-sized businesses that act now not only protect themselves against fines - but also build real cyber resilience.
ADVISORI has been advising medium-sized businesses on information security and compliance for over 11 years. ISO 27001 certified, NIS2 experienced, practice-oriented. Arrange a free initial consultation now.
📖 Also read:NIS2 meets AI: Why AI governance is now mandatory
Ready to put your knowledge into action?
This article has given you food for thought. Let us take the next step together and discover how our expertise in NIS2 compliance management can lead your project to success.
Get informed with no obligation & discover your potential.