Minimum Viable NIS2 Compliance for SMEs (Under 250 Employees)
A pragmatic NIS2 compliance roadmap for 50–249 employee European SMEs — 5 priorities mapped to Article 21, a 90-day plan, realistic cost ranges, and the proportionality principle that makes minimum viable defensible.
Minimum Viable NIS2 Compliance for SMEs (Under 250 Employees)
NIS2 was drafted with hospitals, energy grids, and major banks in mind. It now applies to roughly 160,000 European entities, including the 80-person manufacturer, the 150-person SaaS provider, and the 200-person logistics firm. None of them have a dedicated CISO. Most have a fractional one — or an overworked IT lead doubling as compliance officer.
This article gives you a defensible minimum: what you must actually do, what you can responsibly defer, and how to anchor that line to the directive's own proportionality principle. By the end you'll have a 90-day plan, a cost range, and a list of five priorities mapped directly to Article 21.
This is for compliance leads, IT directors, and CTOs at EU SMEs of 50–249 employees in NIS2 scope. If you're not sure whether you're in scope, start with the complete NIS2 and DORA compliance guide.
This is not legal advice. "Minimum viable" is a defensible position, not a guaranteed safe harbour. Document your reasoning.
Why "minimum viable" is a legitimate concept under NIS2
Without a legal foundation, "minimum viable compliance" sounds like shortcut-mongering. With one, it's defensible practice. The foundation is the proportionality principle.
The proportionality principle in plain language
Article 21(1) NIS2 requires "appropriate and proportionate" measures, and lists five explicit factors that determine what proportionate means in your context:
- The entity's degree of exposure to risks
- The entity's size
- The likelihood of incidents occurring
- The severity of incidents, including societal and economic impact
- The state of the art and relevant European or international standards, balanced against the cost of implementation
This isn't an opt-out clause. Every measure still applies. It's a scaling clause: the depth of implementation must match your context.
A 200-person manufacturer is not held to the same control depth as a major hospital chain — and the directive says so explicitly. For the full breakdown of the principle and how to use it, see NIS2 Article 21: All 10 Risk Management Measures Explained.
What "minimum viable" actually means
- Coverage = full. All 10 measures addressed.
- Depth = scaled to context. Proportionality memo defends the level.
- Evidence = sufficient. Artefacts auditors recognise, not enterprise-grade tooling.
- Maturity = baseline. You're at "controls operating," not "controls optimised."
What it does NOT mean
- Skipping measures you find inconvenient
- Documenting policies you don't follow
- Arguing "we're too small" without a written rationale
- Hoping enforcement won't reach you (it will, eventually)
The five priorities — where your limited resources should go
Five buckets that map to all 10 measures of Article 21, ordered by impact-per-effort for an SME.
Priority 1 — Foundation: risk register + policy set
Why first: This is the artefact regulators look at first in any audit. Without it, every other control conversation is anchored to nothing. With it, you have a documented basis for every "appropriate and proportionate" decision.
What you actually need to do:
- One risk register — spreadsheet is fine (Excel, Google Sheets, or Notion). Identify your top 15-25 risks, rate them, document treatment decisions, review annually
- One master information security policy — roughly 10-15 pages, approved by the management body
- A small set of sub-policies — typically 6-8 are sufficient for a 50-249 person company: Acceptable Use, Access Control, Incident Response, Business Continuity, Supplier Security, Cryptography, HR Security, Asset Management
- A proportionality memo — one to two pages, your written rationale for the depth of each measure
Article 21 measures covered: (a) risk analysis and policies, (i) HR security, access control, asset management
Minimum cost range: €0–€5,000. Free if you write it yourself using ENISA templates and ISO 27001 Annex A as scaffolding. €3,000–€5,000 if you engage a consultant for one week to draft and review.
Priority 2 — Cyber hygiene: MFA, backups, patching, training
Why second: This is the cluster that prevents the majority of incidents in the first place. If you do nothing else operationally, doing these four well moves your real risk posture more than any single tooling investment.
What you actually need to do:
- MFA on all administrator accounts and all external-facing services. Aim for 100% coverage on privileged identities first; expanding to all users is the maturity step
- Backups following the 3-2-1 rule (three copies, two media, one off-site or immutable). Run a restore test quarterly. Document the test result.
- Patching with severity-based SLAs: critical ≤7 days, high ≤30 days, medium ≤90 days. Cross-check against the CISA KEV catalogue weekly.
- Training — annual baseline awareness for everyone, quarterly phishing simulation, role-specific training for IT and management body. Keep completion records.
Article 21 measures covered: (b) incident handling, (c) business continuity, (e) secure acquisition and maintenance, (g) cyber hygiene and training, (j) MFA and secured comms
Minimum cost range: €1,500–€8,000/year. MFA is included with most identity platforms (Microsoft 365, Google Workspace). Backup tooling: €500–€3,000/year for a 50-250 person company. Training: €1,000–€5,000/year for a managed phishing-and-awareness platform.
Priority 3 — Incident readiness: response plan + reporting capability
Why third: Article 23's 24-hour early warning is non-negotiable. Without an incident runbook, named on-call roles, and a tested reporting capability, you cannot meet this obligation under audit. Build it before you need it.
What you actually need to do:
- An incident response plan with: severity classification matrix, named roles (incident commander, technical lead, comms lead), escalation tree, current contact list
- An out-of-band communication channel for use when primary email or Teams may be compromised — typically a Signal group or a separate emergency-only mailbox
- National CSIRT contact details in your runbook (CFCS in Denmark, BSI in Germany, ANSSI in France, etc. — see your country tracker)
- One annual tabletop exercise simulating a major incident. Document what worked and what didn't.
Article 21 measures covered: (b) incident handling, (c) business continuity (crisis management), (j) emergency comms
Minimum cost range: €500–€3,000 first year. Plan and tabletop facilitation can be in-house or one consulting engagement. Out-of-band tooling near-zero.
For the reporting mechanics see NIS2 Incident Reporting: The 24-72-30 Day Timeline.
Priority 4 — Supply chain: map your suppliers, harden your contracts
Why fourth: This is the measure most SMEs underestimate. Article 21(2)(d) explicitly addresses direct suppliers and service providers — and a typical 100-person SaaS company has 40+ vendors that nobody has inventoried.
What you actually need to do:
- A supplier register — every ICT vendor, SaaS subscription, MSP, and external developer. Tier them by criticality (top tier: ones whose failure would materially affect your operations)
- A lightweight due-diligence questionnaire for tier-1 suppliers — 10-15 questions covering security certifications, data location, incident notification commitments, sub-processor disclosure
- Standard security clauses added to all new contracts (or via addendum to existing). Templates from your industry association are usually sufficient.
- A documented annual review of tier-1 suppliers
Article 21 measures covered: (d) supply chain security
Minimum cost range: €0–€2,500. Register and questionnaire are spreadsheet artefacts. Cost arises if you engage a lawyer to template the security clauses (one-time €1,500–€2,500).
Priority 5 — Governance: management body engaged + evidence pack maintained
Why last (but not least): The first four priorities are operational. This one makes them auditable. Article 20 NIS2 requires the management body to approve risk management measures, oversee implementation, and undergo training. Article 21(2)(f) requires you to assess effectiveness.
What you actually need to do:
- Quarterly security review at management body level — half-day session, standing agenda: risks, incidents, control effectiveness, supplier issues. Minutes signed.
- Annual training session for the management body — even though some member states (notably Denmark) didn't transpose personal liability, the training obligation under Article 20(2) is universal
- Centralised evidence pack — a single location (folder, GRC tool, internal wiki) where every policy, training record, restore test, tabletop minutes, supplier review, and management body minutes lives. Auditors look here first.
- Annual policy refresh — review every policy at least once a year, update version and date, get re-approval
Article 21 measures covered: (f) effectiveness assessment, (g) management body training (cross-reference Article 20)
Minimum cost range: €0–€2,000. Cost is mostly internal time. Optional: GRC tooling at €100–€500/month if your evidence pack outgrows folders.
📨 This article is the framework. A free NIS2 for SMBs ebook is in development that expands every priority into a fillable evidence-pack template — risk register, policy set, supplier questionnaire, tabletop scenarios, evidence pack structure. Subscribe to be notified when it's ready.
A 90-day implementation plan
Days 1–30 — Foundation
- Week 1: Confirm scope (essential vs important, sectoral classification). Register with national authority if not already done.
- Week 2: Stand up risk register with top 15-25 risks. Draft proportionality memo.
- Week 3: Inventory direct suppliers; tier them.
- Week 4: Master policy plus 6-8 sub-policies drafted. MFA enforced on admin accounts.
Days 31–60 — Operating
- Week 5: Incident response plan drafted. National CSIRT contacts in runbook.
- Week 6: Backup test executed and documented. Patching SLAs published internally.
- Week 7: Supplier security clauses templated. Top-3 supplier questionnaires sent.
- Week 8: Training programme launched (awareness baseline plus first phishing simulation).
Days 61–90 — Governance and evidence
- Week 9: First management body security review held. Minutes filed.
- Week 10: Tabletop exercise run. Lessons-learned report filed.
- Week 11: Evidence pack consolidated in single location.
- Week 12: Internal review against Article 21 measures. Gaps documented and prioritised.
End of 90 days: you have a defensible compliance baseline. You don't have a finished programme — that's a 12-month horizon. You have the artefacts that demonstrate good faith and material progress to a competent authority.
What it realistically costs
For a 100–150 person company with no prior security programme, doing this in-house with one external consulting engagement:
| Component | Low | High |
|---|---|---|
| Foundation (Priority 1) | €0 | €5,000 |
| Hygiene (Priority 2) | €1,500 | €8,000 |
| Incident readiness (Priority 3) | €500 | €3,000 |
| Supply chain (Priority 4) | €0 | €2,500 |
| Governance (Priority 5) | €0 | €2,000 |
| First-year total | €2,000 | €20,500 |
Plus roughly 0.4–0.6 FTE of internal time across IT and compliance roles for the first year.
Where the cost actually lands
Time, not money, is the dominant cost for most SMEs. The €2,000 low end assumes meaningful internal capacity; the €20,500 high end assumes you outsource heavily.
Tooling spend ramps in year two. Many SMEs reach the limit of spreadsheet-based evidence packs around month 9-12 and adopt a GRC platform.
Annual ongoing cost typically settles at €5,000–€15,000 once the programme is running.
What you should NOT spend on in year 1
- Enterprise GRC platforms (€20K+/year)
- ISO 27001 certification (worthwhile later, not for compliance year one)
- Penetration testing service contracts (one annual test is fine; don't buy a continuous-testing subscription yet)
- Compliance consultants on retainer
Common SME mistakes
Six failure modes you can avoid by knowing they exist:
- The template trap — buying a policy template pack, dropping in your company name, never customising. Auditors detect it instantly. Better: write half as many policies, but actually yours.
- The "we'll do it later" tabletop — running an incident response tabletop only after the first real incident. Run one in days 61-90, even if it's two hours of your IT lead reading scenarios at a whiteboard.
- The supplier blind spot — inventorying ICT vendors but missing SaaS sprawl. The HR platform, the payroll provider, the analytics tool — all are direct service providers under Article 21(2)(d).
- The training tickbox — annual 30-minute video that everyone clicks through without watching. Better: shorter, more frequent, role-specific content with measurable outcomes (phishing-click rate over time).
- The undated policy — auditors discount documents without dates, version numbers, or signed approvals. Every artefact must have these three.
- The proportionality silence — implementing the right depth but never writing down why. The proportionality memo is non-negotiable and takes one afternoon to write.
Frequently asked questions
My company has 30 employees — am I out of scope? Generally yes. NIS2 applies to medium-sized enterprises and above. But several entity types — DNS providers, TLD registries, qualified trust service providers, public administration entities — are in scope regardless of size. Check Annexes I and II.
Do I need ISO 27001 to comply with NIS2? No. ISO 27001 covers most of Article 21, but it's not required. If you don't already have it, don't add it as a year-one goal — the cost-benefit doesn't favour SMEs in their first compliance year.
Can I outsource everything to a managed service provider? You can outsource implementation. You cannot outsource accountability — your management body still owns the obligation under Article 20.
What if I miss the registration deadline in my country? Register as soon as possible. Late registration with a stated reason is preferable to no registration. See your country tracker for the specifics.
Will an auditor really come knocking at my 80-person company? Probably not in year one. But customer audits — driven by their NIS2 obligations — are arriving now. Most SMEs face commercial pressure before regulatory pressure.
How much of this can I do in-house? Most of it, if you have one motivated IT lead with roughly 0.5 FTE for 90 days. The harder parts are policy drafting and legal review of supplier clauses; those benefit from external help.
What if I'm DORA-regulated as well? DORA is lex specialis for financial entities under Article 4 NIS2. The minimum viable framework above still applies, but DORA's third-party regime is much heavier than NIS2's. See NIS2 vs DORA.
The bottom line
Three takeaways:
- "Minimum viable" is legally defensible — but only with a written proportionality memo. Without it, you're guessing.
- Five priorities, 90 days, roughly €2,000–€20,000 — the SME compliance task is bounded and achievable. It is not the multi-year enterprise programme that vendor content implies.
- Coverage beats depth in year one — addressing all 10 Article 21 measures at baseline depth is better than addressing five at enterprise depth.
If you want every artefact in this article as a fillable template — risk register, policy set, supplier questionnaire, tabletop scenarios, evidence pack — the NIS2 for SMBs ebook is in development. Subscribe to Risk Letters to be notified when it's ready.
Sources & further reading
- Directive (EU) 2022/2555 — NIS2 — Articles 20, 21(1), 21(2)(a) through (j), 23
- ENISA — Cybersecurity Guide for SMEs — self-assessment tools and reference framework
- ISO/IEC 27001:2022 — Annex A; referenced for policy set scaffolding
- NIST SP 800-61 Rev. 2 — referenced for incident response baseline
- CISA — Known Exploited Vulnerabilities catalogue