NIS2 for Mid-Sized Companies: What Actually Matters

NIS2 is here and most mid-sized companies don't know if they're affected. Here's a practical checklist from someone who's been through TISAX.

If you run IT for a mid-sized company in the EU, you've probably heard about NIS2 by now. Maybe from your legal team, maybe from a consultant trying to sell you something, maybe from a panicked LinkedIn post. The regulation is live, member states are transposing it into national law, and a lot of companies that never had to think about cybersecurity regulation are suddenly in scope.

I've spent the last two years building an information security program for TISAX AL3 certification across four sites. NIS2 covers different ground, but the muscle memory is the same: figure out what applies to you, build the minimum viable program, then iterate. Here's what I'd tell a peer who just found out they might be affected.

Are you even in scope?

This is the first question and most companies skip it. NIS2 applies to two categories:

Essential entities: Energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, space. If you're in one of these sectors AND you have 250+ employees or €50M+ revenue, you're essential.

Important entities: Manufacturing, food, chemicals, waste, postal services, digital providers, research. Same size thresholds apply, but the oversight regime is lighter.

The catch: Even if you're below the thresholds, you can be pulled in as a critical supplier to an essential entity. Your biggest customer might knock on your door and ask about your security posture. If you supply automotive, you probably already know this from TISAX.

What to do right now: Check the sector lists against your NACE code. If you're not sure, ask your legal team. Don't assume you're out of scope just because you haven't heard from anyone.

The 10 things NIS2 actually requires

Strip away the legal language and NIS2 boils down to these requirements:

  1. Risk analysis and security policies. Document your risks. Have written policies. Not a 200-page binder nobody reads, just clear rules that people actually follow.
  2. Incident handling. You need a process for detecting, reporting, and responding to incidents. The reporting timeline is tight: 24 hours for early warning, 72 hours for full notification.
  3. Business continuity. Backup management, disaster recovery, crisis management. Can you recover from ransomware? How long would it take?
  4. Supply chain security. Assess your suppliers' security. This is where it gets real for mid-sized companies, because your customers will assess yours.
  5. Security in network and system acquisition. Secure development, vulnerability handling, disclosure.
  6. Policies for assessing effectiveness. You need to actually check if your security measures work. Audits, tests, reviews.
  7. Cybersecurity hygiene and training. Awareness training for all employees. Not a checkbox exercise, actual training that changes behavior.
  8. Cryptography and encryption. Use encryption where appropriate. TLS everywhere, encrypted backups, encrypted laptops.
  9. Human resources security and access control. Who has access to what? How do you handle joiners and leavers? MFA everywhere.
  10. Multi-factor authentication. This one gets its own bullet because NIS2 is explicit about it. MFA for all critical systems, no exceptions.

What I'd do first (if starting from zero)

You're not going to implement all ten overnight. Here's the order I'd prioritize, based on what gives you the most protection per hour invested:

Week 1-2: The basics

  • Enable MFA on everything (email, VPN, admin accounts, cloud services)
  • Set up automated backups with tested restore procedures
  • Document who has admin access to what

Week 3-4: Incident readiness

  • Write a one-page incident response plan (who to call, what to do, how to report)
  • Set up basic monitoring (failed logins, unusual access patterns)
  • Identify your national NIS2 authority and their reporting portal

Month 2: Policies and risk

  • Write your top 5 security policies (acceptable use, password, remote work, incident response, backup)
  • Do a basic risk assessment (what are your crown jewels? what would hurt most?)
  • Start a supplier security questionnaire for your top 10 vendors

Month 3-6: Mature and iterate

  • Run your first tabletop exercise (simulated incident)
  • Start security awareness training
  • Review and update everything quarterly
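As an added example (not code from this post), here is a small Python script covering two of the steps above: the "basic monitoring (failed logins, unusual access patterns)" step from weeks 3-4, and the 24-hour / 72-hour reporting clocks from the incident-handling requirement. The log format, threshold, window and timestamps are constructed for the demo; the clocks are counted from the moment you become aware of the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): a burst of failures against one
# account, a success from the same source right after, then a normal VPN login.
SAMPLE_LOG = """\
2024-05-03T08:01:10Z sshd user=alice src=10.0.0.5 result=FAIL
2024-05-03T08:01:12Z sshd user=alice src=10.0.0.5 result=FAIL
2024-05-03T08:01:14Z sshd user=alice src=10.0.0.5 result=FAIL
2024-05-03T08:01:16Z sshd user=alice src=10.0.0.5 result=FAIL
2024-05-03T08:01:18Z sshd user=alice src=10.0.0.5 result=FAIL
2024-05-03T08:01:20Z sshd user=alice src=10.0.0.5 result=OK
2024-05-03T09:15:00Z vpn user=bob src=203.0.113.9 result=OK
"""

# NIS2 reporting clocks as the post describes them; both run from the moment you become aware.
EARLY_WARNING = timedelta(hours=24)
FULL_NOTIFICATION = timedelta(hours=72)

def parse_line(line):
    """Parse one line of the assumed 'ts service key=value ...' format (constructed for this demo)."""
    ts, _service, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when a user/source pair fails >= threshold times inside the window; flag a success that follows the burst."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        events[(ev["user"], ev["src"])].append((ev["ts"], ev["result"]))
    alerts = []
    for (user, src), evs in events.items():
        evs.sort()
        fails = [ts for ts, res in evs if res == "FAIL"]
        for i in range(len(fails) - threshold + 1):
            burst_end = fails[i + threshold - 1]
            if burst_end - fails[i] <= window:
                # A successful login right after a failure burst is the access pattern to escalate.
                success_after = any(res == "OK" and ts >= burst_end for ts, res in evs)
                alerts.append({"user": user, "src": src, "first_fail": fails[i],
                               "success_after": success_after})
                break  # one alert per user/source pair is enough for triage
    return alerts

def reporting_deadlines(aware_at):
    """Early-warning and full-notification deadlines, counted from when you became aware."""
    return {"early_warning": aware_at + EARLY_WARNING,
            "full_notification": aware_at + FULL_NOTIFICATION}
```

Feed it your real auth logs by adapting `parse_line`; the alert's `first_fail` is a reasonable stand-in for "became aware" until your incident process records a better timestamp.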

The penalties are real

NIS2 isn't GDPR-level fines, but it's not nothing:

  • Essential entities: up to €10M or 2% of global turnover
  • Important entities: up to €7M or 1.4% of global turnover
  • Management can be held personally liable

The personal liability part is new. Your board or C-level can't just delegate security to IT and forget about it.

What most consultants won't tell you

You don't need a six-figure consulting engagement to get started. Most of what NIS2 requires is basic security hygiene that you should be doing anyway. The regulation just makes it mandatory and adds reporting requirements.

If you already have ISO 27001 or TISAX, you're 70-80% there. The gap is mainly around incident reporting timelines and supply chain assessment, which are more prescriptive in NIS2.

If you're starting from scratch, focus on the basics first. A company with MFA everywhere, working backups, and an incident response plan is better off than one with a fancy GRC tool and no actual security controls.

The regulation rewards doing the work. Not having a perfect program, just having one that's real, documented, and improving.