Back to the blog
NIS2: What mid-sized companies need to know now
2026-06-20 · by SECURITYSQUAD

The EU NIS2 directive significantly raises cybersecurity requirements – and affects far more companies than its predecessor. Many mid-sized businesses now fall within its scope for the first time.
Who is affected?
"Essential" and "important" entities above certain size and sector thresholds – including energy, health, transport, digital services, manufacturing and more. Importantly: even those not directly regulated are pulled in indirectly through supply-chain requirements.
What obligations apply?
- Establishing information security risk management
- Technical and organisational measures (hardening, access control, backup, incident response)
- Reporting obligations for significant security incidents
- Responsibility and training at management level
What you should do now
- Check applicability – are you in scope for NIS2?
- Assess your status – e.g. with a Cyber Risk Check per DIN SPEC 27076.
- Prioritise measures – pragmatic, risk-based, audit-proof.
Unsure whether and how NIS2 affects you? We help you gain clarity and take the right steps.
Read more: Expertise & Services · Cyber Risk Check · GUARDIANVIEW – Managed SIEM