NIS2 for SMEs: A Realistic Compliance Guide for Companies with 50-249 Employees
By ArvexLab Team — Compliance Research
NIS2 Applies to You — Now What?
If your company has between 50 and 249 employees (or annual turnover between €10M and €50M) and operates in one of NIS2's 18 covered sectors, you are in scope. For most SMEs, this is unprecedented. Until NIS2, cybersecurity regulation was primarily aimed at large enterprises and critical infrastructure operators.
The challenge is real: NIS2 imposes the same 10 security measures (Article 21) on a company with 60 employees as on a multinational with 10,000. But the directive includes a critical caveat that works in your favour — the proportionality principle.
This guide is specifically for mid-sized companies navigating NIS2 for the first time, with realistic advice on budgets, staffing, timelines, and quick wins.
The Proportionality Principle: Your Best Friend
Article 21(1) of NIS2 states that measures must be "appropriate and proportionate" to the risks faced, taking into account:
- The entity's size
- The likelihood and severity of incidents
- The state of the art and cost of implementation
- The entity's exposure and overall risk profile
This means you do not need to implement the same controls as a Fortune 500 company. A 75-person logistics company's risk assessment, for example, will look fundamentally different from a major energy provider's. Regulators understand this — and so should your compliance programme.
What proportionality means in practice:
- You can use simpler risk assessment methodologies (not everything needs to be quantitative)
- Your incident response team can be smaller (or outsourced)
- Your security training can be practical and role-based rather than comprehensive
- Your supply chain assessments can focus on your most critical vendors rather than every supplier
The CISO Question: Who Leads Compliance?
Most SMEs do not have a dedicated Chief Information Security Officer. NIS2 does not mandate one — but it does require that someone is accountable for cybersecurity risk management and that management bodies approve and oversee security measures.
Option 1: CTO or IT Director Takes the Lead
In many SMEs, the CTO or head of IT absorbs the CISO responsibility. This works when:
- The person has a reasonable understanding of cybersecurity (not just IT operations)
- They have direct access to the management board
- Their workload allows dedicated time for compliance activities (estimate 15-20% of their time)
Option 2: External Virtual CISO (vCISO)
A virtual CISO is a fractional security leader who works with your organization part-time — typically 2-4 days per month. This is increasingly popular for NIS2 compliance because:
- Cost: €3,000-€6,000/month vs. €120,000-€180,000/year for a full-time CISO
- You get experienced security leadership without the overhead
- vCISOs often bring multi-client experience and know what regulators expect
Option 3: Managed Security Service Provider (MSSP)
Some MSSPs offer combined security operations and compliance support. They handle day-to-day security monitoring, incident response, and compliance documentation as a bundled service. This is the most hands-off option but typically the most expensive.
Recommendation for most SMEs: Start with your CTO or IT director as the internal lead, supported by an external vCISO for the initial 12-month compliance build. Once your programme is established, you may be able to sustain it internally.
Realistic Cost Ranges for SME Compliance
NIS2 compliance costs vary widely depending on your starting maturity level. Here are realistic ranges for SMEs:
| Investment Area | Low Maturity (Starting from Scratch) | Medium Maturity (Some Controls in Place) |
|---|---|---|
| Risk assessment and gap analysis | €8,000-€15,000 | €3,000-€8,000 |
| Policy development and documentation | €5,000-€12,000 | €2,000-€5,000 |
| Technical controls (MFA, EDR, SIEM) | €15,000-€40,000/year | €5,000-€15,000/year |
| Incident response capability | €10,000-€25,000 | €3,000-€10,000 |
| Training and awareness | €3,000-€8,000/year | €2,000-€5,000/year |
| Vendor risk management | €5,000-€15,000 | €2,000-€8,000 |
| Compliance platform/tooling | €5,000-€15,000/year | €5,000-€15,000/year |
| External support (vCISO/consultant) | €30,000-€60,000/year | €15,000-€30,000/year |
| Total Year 1 | €80,000-€190,000 | €35,000-€95,000 |
| Annual ongoing | €40,000-€100,000 | €25,000-€60,000 |
These numbers assume a company of 50-249 employees. Your actual costs depend on your sector, existing controls, and risk profile.
National Framework Shortcuts
Several member states have developed national frameworks that serve as NIS2 compliance pathways. Using these can significantly reduce your compliance effort:
Belgium: CyberFundamentals (CyFun) — "Small" Level
Belgium's CyFun framework includes a "Small" maturity level specifically designed for smaller NIS2 entities. It covers the core Art. 21 requirements with simplified controls appropriate for SMEs. Achieving CyFun certification at the Small level is effectively a NIS2 compliance stamp for Belgian entities.
Spain: Esquema Nacional de Seguridad (ENS) — "Basic" Level
Spain's National Security Framework offers a "Basic" category that maps to NIS2 requirements. For Spanish SMEs already familiar with ENS, the NIS2 compliance path is well-defined and documented.
Germany: IT-Grundschutz Light Profiles
BSI's IT-Grundschutz includes profile-based approaches that scale to organization size. The basic protection profiles ("Basis-Absicherung") provide a proportionate starting point for SMEs, covering fundamental controls without the full depth of comprehensive IT-Grundschutz.
Practical Recommendation
If your country has published a national NIS2 implementation framework with SME-specific guidance, use it. These frameworks are designed to be regulator-friendly and reduce the risk of audit disagreements.
Managed Security Services as a Force Multiplier
For SMEs without the staff to operate security tools in-house, managed services are not just convenient — they may be the only practical path to NIS2 compliance.
Key services that SMEs commonly outsource:
- Managed Detection and Response (MDR) — 24/7 monitoring, threat detection, and incident response. Costs: €3,000-€8,000/month depending on scope.
- Vulnerability Management as a Service — Regular scanning, prioritization, and remediation guidance. Costs: €500-€2,000/month.
- Security Awareness Training — Phishing simulations and role-based training platforms. Costs: €2-€5 per user per month.
- Compliance-as-a-Service — Ongoing documentation, evidence collection, and audit preparation. Costs: €1,000-€3,000/month.
When selecting managed service providers, ensure they can provide the documentation and evidence you need for NIS2 audits. A provider that handles incidents but cannot produce reports in the NIS2 format is only solving half the problem.
A 6-Month Implementation Timeline
This timeline assumes an SME starting from a moderate maturity level — some basic security controls exist but no formal compliance programme.
Month 1: Assess and Plan
- Complete the NIS2 self-assessment to determine scope and classification
- Identify your internal compliance lead
- Conduct a gap analysis against NIS2 Art. 21 requirements
- Budget and get management board buy-in
Month 2: Policies and Risk
- Develop or update your core security policies (information security policy, acceptable use, incident response)
- Conduct a formal risk assessment using a methodology appropriate to your size
- Document your critical assets and services
Month 3: Technical Controls
- Implement or verify multi-factor authentication across all critical systems
- Deploy endpoint detection and response (EDR) on all workstations and servers
- Ensure backups are tested and follow the 3-2-1 rule (3 copies, 2 media types, 1 offsite)
Month 4: Supply Chain and Vendors
- Inventory your critical ICT vendors (focus on the top 10-20)
- Send security questionnaires or request certification evidence
- Review and update vendor contracts to include NIS2-required clauses
- Use a vendor risk management platform to track assessments
Month 5: Training and Testing
- Conduct management body cybersecurity training (document attendance and content)
- Run security awareness training for all employees
- Test your incident response plan through a tabletop exercise
- Verify your CSIRT registration and notification capability
Month 6: Evidence and Readiness
- Compile all evidence into a structured repository mapped to Art. 21 requirements
- Conduct an internal audit or readiness review
- Address any remaining gaps
- Brief the management board on compliance status
Leveraging Existing Certifications
If your organization already holds cybersecurity certifications, you have a significant head start:
ISO 27001
Covers approximately 70-80% of NIS2 Art. 21 requirements. Key gaps:
- NIS2-specific incident reporting timelines (24h/72h/1-month)
- Management body training and personal accountability
- Supply chain security documentation depth
SOC 2 Type II
Particularly relevant if you are an ICT service provider to other NIS2 entities. SOC 2 covers:
- Security, availability, and confidentiality controls
- Incident management
- Vendor management
Key gaps: SOC 2 is not designed for EU regulatory compliance and lacks NIS2-specific requirements around CSIRT notification and management accountability.
ISO 22301 (Business Continuity)
Directly addresses NIS2 Art. 21(2)(c). If certified, your business continuity management is likely compliant. Focus your NIS2 effort on the other nine Art. 21 measures.
Quick Wins: 10 Things You Can Do This Week
These are immediate, low-cost actions that improve your NIS2 posture today:
- Enable MFA everywhere — Start with email, VPN, and cloud services. This addresses Art. 21(2)(j) and is the single highest-impact control.
- Register with your national CSIRT — If your country's registration portal is open, register now. It takes less than an hour.
- Run a phishing simulation — Use a free or low-cost tool to test employee awareness. Document the results as evidence for Art. 21(2)(g).
- Document your vendor list — Create a spreadsheet of all ICT vendors with contract details, criticality, and contact information. This is the foundation of Art. 21(2)(d).
- Schedule management training — Book a 2-hour cybersecurity briefing for your management board within the next 30 days. Document it for Art. 20 evidence.
- Verify your backups — Test that you can restore from backup within your target recovery time. Document the test for Art. 21(2)(c) evidence.
- Review your password policy — Ensure minimum length of 12 characters, prohibit reuse, and enforce complexity. Update your policy document.
- Enable logging on critical systems — Ensure authentication logs, access logs, and system event logs are being collected and retained for at least 90 days.
- Create an incident response contact list — Document who to call internally and externally (CSIRT, legal, insurer, PR) when an incident occurs.
- Download the NIS2 Art. 21 checklist — Map your current controls against each of the 10 measures. Identify the gaps. This 2-hour exercise gives you a compliance roadmap.
FAQ
Q: My company has 45 employees but turnover exceeds €10M. Am I in scope?
Yes. NIS2 uses an "or" threshold — you are in scope if you meet either the employee count (50+) or the turnover threshold (€10M+). With €10M+ turnover in a covered sector, you are classified as an important entity regardless of headcount.
Q: Can I use a compliance platform instead of hiring a full-time CISO?
A compliance platform like ArvexLab handles documentation, evidence management, risk tracking, and vendor assessments — the administrative backbone of NIS2 compliance. However, you still need someone with security knowledge to make decisions and guide strategy. The combination of a compliance platform plus a vCISO (2-4 days/month) is the most cost-effective approach for most SMEs.
Q: What if I can't afford the compliance costs?
Focus on proportionality. Start with the quick wins listed above — most are free or very low cost. Then address the highest-risk gaps first. Some member states are offering subsidies or co-funding for SME cybersecurity improvement. Check with your national cybersecurity authority for available programmes.
Q: How long do I have before auditors come knocking?
This depends on your country and entity classification. Essential entities face proactive supervision and could be audited at any time. Important entities are typically subject to reactive supervision — meaning audits are triggered by incidents or complaints. However, registration compliance is being checked now, and some countries may conduct random inspections. The safest approach is to aim for audit readiness within 6-12 months.
Ready to assess your NIS2 readiness?
Use our free self-assessment tool or speak with our compliance team.