
For many companies, IT security is no longer a special issue – with NIS2 it is now also legally binding. The new requirements affect significantly more organizations than before. What previously primarily affected critical infrastructures now also applies to numerous medium-sized companies. This means that IT security finally becomes a business task – not just a question for the IT department.
As a medium-sized company, am I affected?
Basically:
Companies can fall under NIS2 if they:
• employ at least 50 people
• or achieve an annual turnover or an annual balance sheet total of more than €10 million
• and operate in certain defined industries.
These include, among others, energy, transport, healthcare, IT services, digital infrastructure, waste management and parts of the manufacturing industry.
But even companies that do not formally fall under NIS2 are often indirectly affected – for example as suppliers to larger organizations that increasingly require reliable security evidence from their partners and suppliers.

What specific requirements NIS2 sets
NIS2 does not mandate individual technologies or products. Rather, what is required is a structured level of security at an organizational and technical level.
These include in particular:
• systematic risk management for IT systems and processes
• appropriate technical and organizational security measures
• clear reporting processes for significant security incidents
• emergency and recovery plans to keep business operations running
• the consideration of security risks among service providers and partners
• comprehensible documentation of all measures

Steps for implementing NIS2 in medium-sized companies
The question is less whether there is a need for action than how to make a sensible start. Individual measures often fall short if they are not based on clear prioritization.
For medium-sized companies, a structured approach can look like this:
1. Clarify applicability definitively
At the beginning there is the classification: Does the company formally fall under NIS2 or do requirements arise from existing customer and supplier relationships?
This classification forms the basis for all further steps.
2. Evaluate existing security measures
In the next step, the current status of the IT security organization should be systematically recorded. This includes both technical protective measures and documented processes for dealing with security incidents as well as a reliable backup and emergency strategy.
Only a structured inventory shows where viable structures already exist and where there is a concrete need for action.
3. Prioritize risks and plan actions
Not every gap identified has the same importance. What matters is which systems and processes are critical to business operations and where a failure would have the greatest impact.
4. Define responsibilities
IT security cannot remain exclusively in the IT department.
Responsibilities, decision-making processes and reporting processes must be clearly regulated, including at management level.
5. Ensure documentation and verifiability
Measures should not only be implemented, but also recorded in a comprehensible manner. In the event of an audit, it is important that decisions and procedures are clearly documented.

Why NIS2 is not just an IT topic
The requirements from NIS2 do not exclusively concern technical measures. In addition to IT protection mechanisms, organizational regulations also play a role – such as clear responsibilities, regulated reporting channels and documented processes.
IT security thus becomes a cross-sectional task that involves not only the IT department but also management and specialist departments.
Conclusion
NIS2 brings with it additional requirements – above all, it makes visible how IT security has been organized in your own company to date. In many cases, responsibilities, processes and documentation have evolved over years and are not clearly structured.
This is exactly where the directive comes into play. It is crucial to realistically assess risks, clarify responsibilities and define procedures in the event of an emergency. Anyone who honestly assesses their initial situation and prioritizes measures in a comprehensible manner creates a solid foundation – both for regulatory requirements and for their own handling of IT security risks.
The post NIS2 in medium-sized companies: What needs to be done now appeared first on n-komm GmbH.