← Back to the blog

April 8, 2026 · 2 min read

NIS2 Now Reaches the SME Sector Too

NIS2 extends cybersecurity obligations to many mid-sized companies. Who's affected, what to do about it — and how managed hosting covers part of it.

AA
Anton Anders
IT consultant & developer

Quick answer up front: very likely yes, if you operate in one of the sectors NIS2 covers and you’re not a micro business. The circle of affected companies has grown sharply: under the German NIS2 implementation law, roughly 29,500 entities now fall under BSI supervision, up from about 4,500 before the reform (BSI, 2025).

IT security used to be “nice to have.” With the EU’s NIS2 directive, it becomes mandatory for many companies — and the circle of those affected is considerably wider than under the previous rules.

Note: whether and to what extent NIS2 applies to you depends on your sector and size. This overview doesn’t replace a legal assessment.

What’s Actually New About NIS2?

Two things are genuinely new. First, far more mid-sized companies from far more sectors now fall within scope, not just the classic “critical infrastructure.” Second, management is personally liable for implementation — security is now a leadership responsibility, not just an IT matter. In Germany this gets spelled out through the national implementation law. If it applies to you, don’t sit on it. And for how to check properly whether you’re in scope at all — including the trap with linked enterprises — see the NIS2 scope test.

In substance, it comes down to a handful of core obligations:

  • Know, assess, and treat your risks.
  • Basic hygiene: updates, patches, access control, encryption.
  • Backups that are tested, not just present.
  • Monitoring and clear reporting channels to detect incidents and report them within the deadline.
  • A supply chain where your service providers play along too.

How Much of This Does Good Operations Already Cover?

That sounds like a lot. But the larger part of it is simply solid operations — something any system worth taking seriously needs anyway. This is how the work splits:

NIS2 demandsDoes managed hosting cover it?
Updates, patches, hardened systemsYes — ongoing maintenance is part of operations, documented
Tested backupsYes — including practised recovery
Monitoring and incident detectionYes — around the clock, with a fixed point of contact
Reporting to the authorityNo — you have to report yourself, the operator supplies the facts
Risk analysis and security strategyNo — that stays a leadership matter

If your hosting brings the upper half, you’ve got a substantial part covered already, demonstrably so. It doesn’t replace an actual security strategy. But a cleanly run foundation makes that strategy a lot smaller.


Not sure whether NIS2 applies to you and where you stand? Let’s sort it out in a short conversation.

Frequently asked questions

Does NIS2 apply to mid-sized companies? +

Very likely yes, if you operate in a covered sector and aren't a micro business. The circle has grown sharply with the implementation law: according to the BSI, around 29,500 entities are now under supervision, up from about 4,500 before the reform.

What does NIS2 actually require? +

Knowing and treating your risks, basic hygiene such as updates and access control, tested backups, monitoring with clear reporting channels, and a supply chain where your service providers play along. Management is liable for implementation.

Does managed hosting take the NIS2 obligations off my plate? +

A substantial part: updates, tested backups and monitoring are documented, demonstrable operations. Risk analysis, security strategy and reporting incidents remain the company's job.

Is IT security a leadership matter under NIS2? +

Yes. Management is liable for implementation and cannot fully hand the responsibility to IT or external providers. You can delegate the operations, not the responsibility.

Sounds like your situation?

Let’s talk about it — free and with no strings attached.