Information Security


17 study interviews with SMEs: a clear pattern

NIS-2 in German SMEs: in scope, out of sight?

Younes Ahmadzei · Geschrieben am: 11.03.2026
NIS-2-Betroffenheit von KMU - Studienergebnisse

   In this article

  1. NIS-2 and SMEs: high exposure, low clarity
  2. The four key hurdles for SMEs
  3. An indicator of uncertainty: the extremely low response rate
  4. Why NIS-2 is more than just compliance
  5. Why the topic is becoming strategically relevant for SMEs
  6. Practical examples from the interviews: how SMEs respond
  7. Support: NIS-2 self-assessment tool
  8. Conclusion: taking action pays off

"NIS-2 applies – but many small and medium-sized enterprises (SMEs) don’t know whether they are affected."

This concise insight was summed up by our colleague Younes Ahmadzei when he presented the results of his bachelor’s thesis at BSides Munich. In 17 interviews with CEOs, IT managers, and CISOs of non-CRITIS SMEs, a clear picture emerged:

NIS-2 has arrived, but implementation is stalling.
 

NIS-2 and SMEs: high exposure, low clarity

Many mid-sized companies objectively fall within the scope of the NIS-2 Directive – yet few are aware of it. The interviews revealed three key causes:

  1. Uncertainty about NIS-2 applicability
    Many companies simply don’t know whether the directive applies to them or react with confusion to the requirements. Since national implementation in Germany was delayed and drafts changed, there is widespread uncertainty. One CEO put it this way:

„Honestly, I don’t understand any of it. It’s all such a mess of terms."

  1. Complexity of NIS-2 requirements
    For many mid-sized companies, the legal text seems abstract. There is often a lack of expertise to translate the legal requirements into concrete operational steps. NIS-2 is frequently perceived as a bureaucratic burden, producing documentation (“paper for the drawer”) without a tangible impact on security.
  2. Hesitant response due to missing national NIS-2 implementation
    A common strategy is to wait and see. As long as the national law is not finalized, companies are reluctant to invest resources to avoid missteps. This “wait-and-see” approach leads to a problematic standstill.

The four key hurdles for SMEs

The interviews revealed four structural challenges that particularly affect mid-sized companies:

  1. Clarifying applicability
    Many SMEs don’t realize that, based on their size and sector, they automatically fall under NIS-2.
  2. Managing complexity
    Governance obligations, risk management, incident response, supplier evaluation – many requirements feel written for large corporations.
  3. Lack of resources
    For many SMEs, the effort is simply unrealistic. One IT manager estimated:

„At least one person, two to three days a week, just for this topic.“ 

  1. Missing structure
    Technically, many companies are well-prepared – but organizationally and in terms of documentation, they are not.

These hurdles explain why NIS-2 is acknowledged but hardly actively addressed.

An indicator of uncertainty: the extremely low response rate


The extent of uncertainty and reluctance in mid-sized companies became strikingly clear during the data collection for the study. From an initial list of 3,000 companies, 1,800 were identified as potentially falling under NIS-2. Despite sending around 3,600 emails, only 17 interviews were ultimately conducted.

Many organizations declined, citing:

  • lack of time
  • disinterest
  • uncertainty about their own applicability

This response rate alone shows that mid-sized companies are aware of NIS-2 – but do not feel capable of engaging with it.
 

Vortrag NIS-2-Betroffenheit von KMU bei der BSides Konferenz in München

Source: BSidesMunich

Why NIS-2 is more than just compliance

Many initially think of NIS-2 as purely a “compliance issue.” However, the interviews show that the challenges run deeper:

Classification problem
Many companies responded to inquiries with confusion, claiming the law did not yet apply or that they were not affected, even though they fall within the scope based on objective criteria (sector and size).

Implementation problem
Even when the intent is there, practical implementation often fails due to the complex governance and documentation requirements, which seem designed more for large corporations than for SMEs.

The real risk, therefore, lies not just in potential sanctions, but in the structural postponement of security-relevant measures. Many of the elements required by NIS-2, such as:

  • risk management
  • incident response processes
  • business continuity
  • supplier evaluation

are not just formal requirements, but essential building blocks of modern IT security. Waiting here delays not only compliance but also cyber resilience.

Why the topic is becoming strategically relevant for SMEs

For many SMEs, NIS-2 is not an isolated regulatory issue – it is becoming a market factor:

  • Large clients will increasingly require proof of cybersecurity measures.
  • Insurers will review structured risk management.
  • Banks will consider cyber resilience in lending decisions.
  • Partners will demand security standards.

Companies that do not address NIS-2 today risk not only regulatory uncertainty but also long-term competitive disadvantages.

Practical examples from the interviews: how SMEs respond

The interviews revealed a frequent gap between technical security and formal compliance:

  • Example 1: the operational dilemma
    Many SMEs are technically well-positioned – firewalls and backups are in place. The challenge lies in formalization, as one IT infrastructure manager explained:

"Operationally, we are well prepared. Organizationally and in terms of documentation [...] we are not there yet."

  • Example 2: leveraging synergies
    Companies that have already implemented standards such as TISAX® find it significantly easier. One interviewee noted:

"The step from TISAX® to NIS-2 is very small – the structures are already in place."

These examples show: those who view NIS-2 not as an isolated requirement but as part of a broader security strategy (e.g., aligned with ISO 27001 or TISAX®) can leverage synergies – and avoid duplicate efforts.

Support: NIS-2 self-assessment tool

The interviews clearly show: SMEs need structure, guidance, and translation.
As part of the bachelor’s thesis, an Excel-based self-assessment tool was developed.
This tool helps companies to:

  • translate abstract legal texts into understandable questions
  • conduct an internal assessment
  • identify gaps in implementation and documentation
  • reduce uncertainty
  • build internal arguments (especially toward management) for allocating resources
  • SMEs that want to quickly assess their exposure can find the free NIS-2 self-assessment tool here.
     
NIS-2 Self Assessment Tool Screenshot

 

Conclusion: taking action pays off

NIS-2 is more than a bureaucratic hurdle or an isolated piece of legislation. The directive provides a framework for structuring cyber resilience in SMEs – and creates an opportunity to critically assess one’s own security organization. Companies that evaluate early on to what extent they are affected and use established standards as guidance gain a clear advantage: legally, organizationally, and in terms of security.

The real question, therefore, is not whether NIS-2 creates effort – but whether further delay is sustainable in the long run.

The directive provides a framework for strengthening cyber resilience in SMEs – and offers an opportunity to critically assess their security posture.

About the author

Younes Ahmadzei

Younes Ahmadzei

Trainee Information Security Consultant

Both during his studies and bachelor’s thesis, as well as in his time at HvS, he has worked extensively on the NIS-2 Directive and built solid expertise in the field. A key outcome of his work was the development of a self-assessment tool to determine the NIS-2 maturity level of organizations. His goal is to make complex regulatory requirements understandable and practical.

View LinkedIn profile