
As of May 2026.

Topic: IT Security

Key insights: NIS-2 for Mid-Sized Companies: Duties, Deadlines, Implementation

NIS-2 for mid-sized companies: sector scope, security duties, BSI notification windows, supply chain and what IT leadership must evidence in Germany and the EU.

This English summary accompanies the German pillar page. For binding thresholds and legal classification, refer to official legal texts and counsel. Technical delivery patterns align with our IT security and IT consulting services — Made in Germany.

Scope & duties (overview)

Essential and important entities must implement a risk-based cybersecurity programme: policies, proportionate technical controls, incident handling, business continuity and supply-chain measures. Logging and secure engineering practices mirror what we describe for German readers under Security by Design and ISO 27001-oriented controls — see ISO 27001 glossary.

Incident reporting

National authorities (BSI) expect staged notifications for significant incidents. Align SOC/ticket timestamps, communications playbooks and evidence retention with GDPR minimisation. Overlaps between the two regimes are common, so documentation should stay single-sourced where possible [Source: national law & BSI guidance].

Software suppliers

If you ship software or operate managed platforms, customers will request SBOM-related transparency, patch SLAs and contractual breach notifications. Bake secure CI/CD, artifact signing and RBAC into delivery; see also our NIS2 & custom software cluster page.

Book a 30-minute strategy call to prioritise controls and a roadmap.

Frequently asked questions about NIS-2 for Mid-Sized Companies: Duties, Deadlines, Implementation

What is the difference between essential and important entities?
Classification drives intensity of duties and supervisory interaction — typically higher expectations for essential entities. Exact criteria follow national law and annexes; validate sector, size and critical services with counsel.
As a software vendor, am I in scope?
If you provide ICT services to critical customers or qualify as an important/essential entity yourself, processes and evidence matter — often amplified by customer contract clauses.
What are penalties for non-compliance?
Fines up to EUR 10 million or up to 2% of worldwide annual turnover may apply; management may face personal consequences for gross negligence.
Fastest way to start?
Inventory assets and suppliers, build a risk heatmap, implement MFA and backup restore tests, draft an incident playbook and appoint owners — then roadmap ISMS-style documentation.
How does this relate to ISO 27001?
ISO 27001 gives a structured ISMS approach — many controls align with NIS-2 expectations but do not replace national reporting duties.
Do we need a SIEM?
Depends on sensitivity and scale — centralised, tamper-evident logging is common; choose full SIEM vs staged monitoring based on risk.
Why does OT/IT separation matter?
For production and utilities, isolating control systems from office IT reduces the lateral movement paths available to attackers.
What about hosting location?
NIS-2 emphasises resilience and governance — where GDPR applies to personal data, lawful bases and DPAs remain decisive; keep hosting choices consistent.

