NIS2 Implementation for Mid-Market Companies
A practical 12-week implementation roadmap for German companies with 50–250 employees – no security team required.
You're Affected. Now What?
An estimated 29,500 companies in Germany fall under NIS2 scope. If you have more than 50 employees and operate in a covered sector – waste management, food production, manufacturing, energy, transport, health, digital infrastructure – you are almost certainly one of them. The BSIG entered into force on December 6, 2025, and the BSI registration deadline was March 6, 2026.
Here's what most consultants won't tell you: for a mid-market company with basic IT, NIS2 compliance is manageable. It is not a 6-month, six-figure project. Most of the 49 BSIG requirements are write-once documentation – policies, risk assessments, procedures. Only a handful require ongoing operational processes. The law demands 'appropriate' measures proportional to your risk – not Fortune 500 security infrastructure.
This guide gives you the practical plan: a 12-week roadmap, the roles you need (all part-time, all existing staff), the common mistakes that trip up companies your size, and the priority order for tackling the 10 mandatory measures under §30 BSIG. No theory, no fear-mongering – just the steps.
Who This Guide Is For
- Companies with 50–250 employees in NIS2 sectors
- Limited IT staff – maybe 2–5 people, not a security team
- No dedicated compliance department or GRC experience
- First time dealing with NIS2, BSIG, or BSI registration
Implementation Roadmap
- BSI registration via Mein Unternehmenskonto + BSI portal
- Appoint compliance lead (part-time role, not a new hire)
- Management briefing on §38 BSIG duties and personal liability
- Set up compliance platform and invite team members
- Initial scope: identify which entity category applies (bwE or wE)
- Build asset inventory – group identical assets (e.g., '45 laptops' = 1 entry)
- Identify and categorize suppliers with access to your systems
- Conduct initial risk assessment: likelihood × impact for each asset
- Document risk treatment decisions: accept, mitigate, transfer, or avoid
- Map risks to BSIG measures – which controls address which risks
- Write or adopt security policies (information security, access control, incident response)
- Document cryptography usage and key management approach
- Set up an incident response process with the 24-hour / 72-hour / 1-month reporting cascade
- Review access control: least privilege, onboarding/offboarding procedures
- Document business continuity and backup procedures
- Implement or document MFA for critical systems
- Management formally approves all cybersecurity measures (§38 duty)
- Complete mandatory management cybersecurity training
- Upload evidence documents: screenshots, configs, policy sign-offs
- Run first effectiveness assessment – are controls actually working?
- Export compliance report for internal review
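The risk assessment, treatment and mapping steps above are the part of the roadmap that most often ends up as a spreadsheet nobody can audit. The following added example (not code from this guide) shows the minimum structure a compliance lead needs: a register that scores each asset as likelihood × impact, records the accept/mitigate/transfer/avoid decision, maps it to a §30 BSIG measure area, and checks for the gaps an auditor would flag. The 1–5 scales, the acceptance threshold, the short measure labels and the sample register are assumptions chosen for illustration, not values from the BSIG.

```python
"""Minimal NIS2-style risk register: likelihood x impact scoring,
treatment decisions and mapping of each risk to a §30 BSIG measure area.
Added example, not from the original guide; the 1-5 scales, threshold
and measure labels below are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from typing import Literal, Optional

Treatment = Literal["accept", "mitigate", "transfer", "avoid"]

# Assumed short labels for the ten §30 BSIG measure areas (illustrative only).
BSIG_MEASURES = {
    "risk_policies", "incident_handling", "business_continuity",
    "supply_chain", "secure_acquisition", "effectiveness_assessment",
    "cyber_hygiene_training", "cryptography", "access_control_assets",
    "mfa_secure_comms",
}

# Assumed threshold: a score at or below this may be accepted as documented;
# anything higher needs an active treatment backed by at least one measure.
ACCEPT_MAX = 4


@dataclass
class Risk:
    asset: str                 # one inventory entry, e.g. "45 laptops" grouped as one
    threat: str
    likelihood: int            # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale 1 (negligible) .. 5 (severe)
    treatment: Optional[Treatment] = None
    measures: list = field(default_factory=list)   # §30 measure labels

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on the 1-5 scale")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def suggest_treatment(risk: Risk) -> Treatment:
    """Default treatment proposal; the compliance lead may override it."""
    if risk.score <= ACCEPT_MAX:
        return "accept"
    if risk.impact == 5 and risk.likelihood >= 4:
        return "avoid"       # redesign or stop the activity instead of patching it
    return "mitigate"


def validate_register(risks: list) -> list:
    """Return the evidence gaps an auditor would flag; an empty list means clean."""
    problems = []
    for r in risks:
        tag = f"{r.asset}/{r.threat}"
        if r.treatment is None:
            problems.append(f"{tag}: no documented treatment decision")
            continue
        if r.treatment != "accept" and not r.measures:
            problems.append(f"{tag}: {r.treatment} without a mapped measure")
        if r.treatment == "accept" and r.score > ACCEPT_MAX:
            problems.append(f"{tag}: score {r.score} accepted above threshold {ACCEPT_MAX}")
        unknown = [m for m in r.measures if m not in BSIG_MEASURES]
        if unknown:
            problems.append(f"{tag}: unknown measure(s) {unknown}")
    return problems


def coverage(risks: list) -> dict:
    """Count how many risks each measure area addresses; a zero needs a written reason."""
    counts = {m: 0 for m in sorted(BSIG_MEASURES)}
    for r in risks:
        for m in r.measures:
            if m in counts:
                counts[m] += 1
    return counts


# Constructed sample register for a small manufacturing company.
SAMPLE_REGISTER = [
    Risk("45 laptops", "ransomware via phishing", 4, 4, "mitigate",
         ["cyber_hygiene_training", "business_continuity"]),
    Risk("ERP server", "admin account takeover", 3, 5, "mitigate",
         ["mfa_secure_comms", "access_control_assets"]),
    Risk("remote maintenance vendor", "vendor credentials misused", 3, 4, "mitigate",
         ["supply_chain", "access_control_assets"]),
    Risk("visitor wifi", "guest device infected", 2, 2, "accept"),
    Risk("legacy file share", "unencrypted backups stolen", 2, 4),   # decision still open
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.score:2d}  {r.asset:28s} {r.treatment or '?':9s} suggested={suggest_treatment(r)}")
    for p in validate_register(SAMPLE_REGISTER):
        print("GAP:", p)
    print(coverage(SAMPLE_REGISTER))
```

Running it lists every risk with its score and the suggested treatment, then prints the one gap in the sample register (the file share with no decision yet). The coverage table is the cheap version of the week-5 "map risks to BSIG measures" step: any measure area with a count of zero is a control you are implementing without a documented risk behind it, or a risk you have not yet written down.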
Roles You Need
Compliance Lead (4–8 hours/week)
Drives the process, fills out requirement forms, coordinates with IT and management. Usually the IT manager, quality manager, or operations lead.
IT Contact (2–4 hours/week)
Provides technical input: asset details, network architecture, encryption status, access controls. Your admin or IT manager.
Management Sponsor (1–2 hours/week)
Reviews and approves measures, completes training, demonstrates oversight. Required by §38 BSIG – cannot be delegated.
External Auditor (optional)
For KRITIS operators: required every 3 years. For bwE/wE: optional but recommended for the first compliance cycle to validate your work.
Common Mistakes
Waiting for 'the final guidance'
The law has been in force since December 2025. The CIR defines the technical measures. There is no further guidance coming that would change what you need to do. Start now.
Over-engineering the solution
A 100-person waste management company does not need a SOC or a SIEM. Match your controls to your actual risk profile. The BSIG requires 'appropriate' measures, not maximum measures.
Treating it as an IT project
§38 BSIG makes this a management responsibility. If the CEO isn't involved, you're already non-compliant. Schedule the management briefing in week 1.
Ignoring supply chain security
NIS2 explicitly requires assessing your suppliers' cybersecurity. This catches many companies off guard. Start documenting supplier relationships early.
Paper compliance without real measures
Writing policies nobody reads doesn't count. The BSI can request evidence that measures are actually implemented and effective. Build real processes, not just documents.