SECURITYSQUAD
Back to the blog

NIS2: What mid-sized companies need to know now

2026-06-20 · by SECURITYSQUAD

NIS2: What mid-sized companies need to know now

The EU NIS2 directive significantly raises cybersecurity requirements – and affects far more companies than its predecessor. Many mid-sized businesses now fall within its scope for the first time.

Who is affected?

"Essential" and "important" entities above certain size and sector thresholds – including energy, health, transport, digital services, manufacturing and more. Importantly: even those not directly regulated are pulled in indirectly through supply-chain requirements.

What obligations apply?

  • Establishing information security risk management
  • Technical and organisational measures (hardening, access control, backup, incident response)
  • Reporting obligations for significant security incidents
  • Responsibility and training at management level

What you should do now

  1. Check applicability – are you in scope for NIS2?
  2. Assess your status – e.g. with a Cyber Risk Check per DIN SPEC 27076.
  3. Prioritise measures – pragmatic, risk-based, audit-proof.

Unsure whether and how NIS2 affects you? We help you gain clarity and take the right steps.

Read more: Expertise & Services · Cyber Risk Check · GUARDIANVIEW – Managed SIEM