NIS-2 Consulting for SMBs: What Companies Without an Internal Security Team Really Need Now

Ruesselsheim am Main, Germany – 21 May 2026 – NIS-2 is no longer a future obligation. Since December 2025, the requirements of Germany's NIS-2 implementation law (NIS2UmsuCG) have been legally binding, and many small and medium-sized businesses (SMBs) face an uncomfortable reality: they are in scope, but have no internal team that can meet the requirements in full.

This article explains what NIS-2 requires in practice, why internal IT resources are often not enough, and what matters when selecting the right security partner. By the end, you will know the next concrete steps needed to reach NIS-2 compliance in a structured way.

You can quickly clarify whether your company is in scope with Pently's free applicability check: Go to the NIS-2 applicability check.

What NIS-2 Specifically Requires from SMBs and Why Most Are Not Ready Yet

NIS-2 is not an abstract EU rule for large corporations only. It affects organizations across many sectors, including energy, logistics, healthcare, manufacturing, and in many cases IT service providers. Companies in these sectors are generally in scope if they have at least 50 employees, or if both their annual turnover and their annual balance sheet total exceed 10 million euros; a few categories, such as DNS service providers and qualified trust service providers, are covered regardless of size. In any case, organizations should perform a clear and documented applicability assessment.

The requirements can be grouped into risk management measures under Article 21 and related organizational and legal obligations:

  1. Information security management and policies: Build an ISMS with binding policies for information security, responsibilities, and operational processes.
  2. Risk management: Systematically identify, assess, and treat cyber risks, and regularly review control effectiveness.
  3. Business continuity and crisis management: Implement BCM including backup management, disaster recovery, and crisis communication procedures.
  4. Supply chain security and secure procurement: Define security requirements for suppliers and for procurement of IT and network systems.
  5. Technical controls and cryptography: Apply access control, asset management, multi-factor authentication, encryption, and secure communication channels.
  6. Personnel, awareness, and training: Establish HR security, controlled access rights, and regular cyber hygiene training for all staff.
  7. Incident management and 24/7 monitoring: Preventing, detecting, and handling cyber incidents requires continuous monitoring of infrastructure and cloud resources around the clock.
  8. Incident reporting obligations: Significant incidents must be reported to the BSI in three stages: an early warning within 24 hours, a detailed incident notification within 72 hours, and a final report within one month.
  9. Personal liability of management: Managing directors and board members are personally liable for NIS-2 compliance; responsibility cannot simply be delegated to IT.
  10. Technical and organizational measures (TOMs): Beyond implementing controls such as access control, encryption, backups, patching, and incident response, companies must document them in a form that can be produced as evidence in an audit or after an incident.
  11. BSI portal registration duty: Affected companies were required to register by March 2026. Missed deadlines must be addressed immediately.
  12. Supply chain obligations: NIS-2 also extends into supply chains. Vendors can become indirectly in scope when they support critical business processes.

The Reality in Most SMBs: Well-Run IT, But Not NIS-2 Ready

Many mid-sized companies have invested in IT over recent years. They typically have admins, a maintained network, and often backup systems. That is a strong baseline.

For NIS-2, however, baseline IT is often not enough. The gap is usually not basic operations but specialized security capacity: a documented ISMS, a living risk process, robust continuity and crisis management, systematic supplier assessment, SIEM-based real-time detection, true 24/7 monitoring, and a documented incident response process that works under pressure.

Why Internal IT Teams Usually Cannot Deliver NIS-2 Alone

The issue is rarely competence. Internal teams are usually highly capable. The challenge is whether they have the capacity and specialization required for permanent security operations under NIS-2.

Five structural reasons explain why many internal teams hit limits:

  1. No true 24/7 operating model: Continuous monitoring without interruption is difficult to sustain with business-hour staffing.
  2. Security talent shortage: Experienced security specialists are scarce and expensive, and one role does not provide full coverage.
  3. Management liability remains: Even with internal delegation, legal accountability remains with executive leadership.
  4. Reporting windows require immediate readiness: The 24-hour early warning window runs around the clock, including nights and weekends, and leaves no buffer for internal escalation.
  5. Documentation overhead is substantial: NIS-2 requires controls plus complete evidence trails suitable for audits.

What Good NIS-2 Consulting for SMBs Looks Like

NIS-2 consulting is more than a one-off audit or checklist. A strong partner supports your company from initial assessment to continuous operation of security measures.

Local presence and personal accessibility

Cybersecurity is built on trust. In a real incident, organizations need direct access to people who know their environment and can communicate clearly in their language.

"What mattered most to us was having a contact nearby, in our language, and being able to clarify all NIS-2 topics quickly and easily. We are very satisfied with Pently."

Michael M., Managing Director

Transparent scope and pricing

A reliable partner offers clear pricing, defined response times, and transparent service scope. In critical situations, your team should receive concrete guidance within minutes.

Seamless integration with your existing team

NIS-2 compliance does not require rebuilding your IT organization. The right partner integrates into existing processes and works as a practical extension of your team.

Proven compliance support

NIS-2 requires evidence. A qualified partner supports technical implementation, BSI registration, audit preparation, and ongoing documentation.

Security made in Germany

Data protection and security operations must align. Ensure your partner follows German and EU data protection requirements, works along BSI guidance, and does not process sensitive data in third-country setups without an adequate level of protection. Pently meets these criteria and is also a Microsoft Solutions Partner for Security and a member of the Alliance for Cyber Security.

NIS-2 Implementation with an External Partner: Step-by-Step Roadmap

NIS-2 compliance is not a sprint; it is a structured program:

  1. Applicability check: Confirm whether your company is in scope. Start here: Go to the NIS-2 applicability check.
  2. BSI registration: Complete registration immediately if deadlines were missed.
  3. Gap assessment: Analyze current controls, architecture, and missing capabilities.
  4. Prioritized roadmap: Define what must be implemented now versus in later phases.
  5. Build or strengthen the ISMS: Establish policy framework, responsibilities, and effectiveness measurement.
  6. 24/7 monitoring and incident response: Operate continuous detection and response through an SOC model.
  7. Ongoing documentation and audit readiness: Keep controls, reporting, and evidence continuously up to date.

For a personal initial consultation, contact the Pently team directly: Go to contact.

What Happens If Companies Ignore NIS-2?

Waiting does not make NIS-2 go away. The consequences are concrete and can become existential for SMBs:

  • Fines of up to 10 million euros or 2% of global annual turnover for essential entities, and up to 7 million euros or 1.4% for important entities, whichever amount is higher in each case.
  • Personal liability of executive management, potentially including private assets.
  • Reputational damage after publicly known incidents.
  • Sanctions for breaches of registration and reporting duties, independent of whether an attack caused actual damage.

The registration deadline has already passed. The longer organizations wait, the higher the liability exposure for both company and leadership.

Frequently Asked Questions About NIS-2 Consulting for SMBs

Does NIS-2 apply if we only have 30 employees?

Not necessarily. In the relevant sectors, NIS-2 usually applies from 50 employees, or when both annual turnover and annual balance sheet total exceed 10 million euros; a few categories, such as DNS and qualified trust service providers, are covered regardless of size. Smaller companies can still be indirectly affected through the supply chain requirements of their regulated customers.

Can an external provider take over NIS-2 liability for us?

No. Management liability cannot be contractually transferred. A strong partner can significantly reduce operational risk by ensuring requirements are implemented and documented.

How much does NIS-2 consulting and implementation cost?

Costs depend on current maturity, company size, and required scope. Key factors are transparent pricing and realistic implementation planning.

How quickly can a managed security provider make us NIS-2 compliant?

Initial measures can usually start within days. Full compliance is an individual program and may take several weeks or months depending on the starting point.

What is the difference between local NIS-2 consulting and large global providers?

Large providers often deliver standardized models with less direct access. A local partner usually provides faster response, direct ownership, and communication in your operating language.

We missed the registration deadline. What now?

The registration duty still applies. Companies should complete late registration immediately to reduce liability risk.

Conclusion

NIS-2 is manageable, even for companies without an internal security team. The key is a partner that is locally accessible, operationally strong, and treats compliance as continuous business practice.

Pently supports mid-sized organizations from initial applicability checks to ongoing 24/7 monitoring with a practical, transparent model operated from Germany.

Start your free applicability check now:
Go to the NIS-2 applicability check

Book a personal consultation:
Go to contact

Take a structured approach to NIS-2 now

Start with the free applicability check and receive concrete next steps tailored to your company.
