+49 7131 / 1226 – 500 info@dataglobal.com

NIS 2 Directive: 8 measures for SMEs

Everything you need to know about the NIS 2 Directive and how SMEs should proceed now

The NIS 2 Directive is the EU-wide legislation on network and information security and aims to achieve a universal and improved level of cyber security. It came into force at the beginning of 2023 and will also apply to many SMEs in Germany from October 18, 2024.

In this article, you will learn more about NIS-2, what measures you can now take and what requirements the new legislation places on your company’s email security.

What is NIS-2?

Die NIS-2-Richtlinie führt für viele Unternehmen verpflichtende Maßnahmen und Meldepflichten in der Cybersecurity ein. NIS-2 ersetzt die vorhergegangene Richtlinie NIS Directive von 2016: Im Vergleich erweitert sie zum einen den Kreis der betroffenen Unternehmen und zum anderen die Pflichten sowie das Ausmaß der behördlichen Aufsicht. Verstöße gegen die neue Richtlinie können hohe Geldstrafen nach sich ziehen.

Offizielle Meldung des BSI: BSI – Aktuelle Informationen aus dem KRITIS-Fachbereich – NIS-2-Richtlinie im Amtsblatt der EU veröffentlicht (bund.de)


Rethinking cybersecurity for SMEs

In Germany, almost 30,000 medium-sized companies have to deal with the new directive and take appropriate measures. One thing is certain: From 18.10. NIS-2 conformity must be guaranteed. The tight deadline now requires SMEs to act quickly.

The prompt introduction of the directive could particularly affect companies that have not yet had to deal with the topic of IT security and have little experience and know-how in this area.


NIS-2 Directive

What requirements does NIS-2 place on e-mail security?

From October, the requirements for e-mail service providers will also increase. In future, your services must be protected even more efficiently against cyber attacks so that the confidentiality and availability of email communication is adequately ensured at all times. The focus here is on protection against spam, phishing and malware.

The topic of e-mail security in the context of NIS-2 has not yet been worked out in detail. What is certain, however, is that effective email encryption will be a basic requirement for compliance with the NIS 2 directive.

You are on the safe side if spam, phishing, malware and other dangers in email communication cannot infiltrate your company’s mailboxes in the first place. A
professional email security solution for companies
becomes even more relevant with regard to NIS-2.

The dataglobal Group sees itself as a competent partner and advisor in this area. We have been achieving the highest standards in cybersecurity for companies for decades, especially with our email security solution eXpurgate.


8 Measures to comply with the NIS 2 Directive

We have summarized 8 measures for you that can help you achieve NIS 2 compliance for your company.


1) Set up a project group

Due to the urgency and complexity of the topic, we recommend setting up a separate NIS 2 project. The following group of people should be involved:

  • Management
  • IT managers
  • IT security managers
  • Other relevant persons (internal or external)

The requirements of the directive are high and implementation requires time and budget. A coordinated organizational structure with a clear distribution of responsibilities is essential here. The project group should conduct cybersecurity training at the beginning if the relevant understanding of the basics is not yet available.


2) Risk assessment

In the second step, you carry out a risk assessment. This allows you to identify potential security gaps and vulnerabilities in your IT systems and processes. Ensure that priorities are defined and resources are deployed where they are most urgently needed. Many companies rely on external consulting for this.

The review of supply chains, both in terms of information and network systems and their physical environment, is also a relevant aspect. You should consult the purchasing department for this.


3) Updating policies and procedures

Revise your internal policies and procedures to ensure that they meet the requirements of NIS-2. This may include changes in areas such as data security, access control and incident response procedures.


4) Implementation of security measures

Implement technical security measures such as firewalls, anti-virus software, encryption, access controls and email security software to ensure the security of your systems and data.


5) Regular review and updating

Regularly review your security measures and make adjustments where necessary to ensure that they remain effective and can withstand current threats.


6) Documentation and tracking

Document all steps to achieve NIS 2 compliance and conduct a thorough follow-up to ensure that all requirements are met. In the event of an inspection, you can also provide proof that all standards have been met.


7) Define reporting processes

Under the NIS 2 Directive, very tight reporting deadlines must be met in some cases. In the event of a security incident, the relevant reporting authority must be informed within 24 hours. An assessment of the incident must be submitted within 72 hours and a full report within one month.

Due to these tight deadlines, those responsible in the project group must have the information they need quickly in the event of a security incident. All processes should be clearly defined in advance in order to collect this data and then report it promptly.


8) Registration with the BSI

If your company is affected by NIS-2, registration with the BSI (Federal Office for Information Security) is mandatory. Before registering, it is essential to check whether your company is subject to the NIS 2 Directive.

The current limitation: The corresponding reporting office does not yet exist (as of April 2024). The organizational and personnel requirements for this are to be created by BSI by October 2024.



Achieving NIS 2 compliance for SMEs requires careful planning and the implementation of appropriate measures. The deadline for implementing these measures is tight and could pose challenges for many companies – especially if they have had little contact with cybersecurity to date. The project requires time, resources and commitment, but it is crucial to ensure the security of your IT systems and data.

Would you like more information about e-mail security? Click here to download our factsheet.


More news

Social engineering – 6 tips on how companies can protect themselves

No matter how good the technical security precautions in companies are: The human factor is often the weakest link in the security chain. In social engineering, cyber criminals exploit this potential vulnerability by faking a personal relationship with the victim in order to carry out their criminal activities. How do you recognize social engineering and how can companies protect themselves and their employees?

read more

Digital document management system – Find out everything you need to know about DMS.

The efficient management of digital documents is a necessity in the modern working world. A digital document management system (or “DMS” for short) is therefore becoming a must-have for companies – and not just for corporations, but also for SMEs. In this article, you will find out what a digital document management system actually is, what functions it fulfills and what advantages it can offer your company.

read more

Managed IT services: Is it worth it for my company? Can I simply outsource my IT?

Managing and monitoring their IT poses challenges for many companies. There is a lack of resources to set up an in-house support team that is up to the task. Managed IT services offer one solution, with external specialists taking over individual IT sub-areas through to complete IT operations. Find out here what Managed IT Services actually are, what advantages they offer and whether the model is also worthwhile for you.

read more

Your Digital Workplace - Solutions


Email Security Cloud

Email Security On-Premise


Digital Travel Expense Report

Digital Contract Management

Digital Purchase Requisition

Digital File Solution

Business Process Management

Managed Service

Managed IT Services

Managed Services für ECM

IT security for SMEs: dg Group publishes official e-book

The dataglobal Group publishes the official dg Group guide on IT security for SMEs. Find out everything you need to know about the current state of IT security in SMEs, cyber threats and the measures you can take to counter them successfully.

Phishing Mail Report for June 2024

Welcome to the latest Phishing Mail Report for June 2024. In this report, we take a look at some of the most common phishing emails in June and show you how to recognize them.

Phishing Mail Report for May 2024

In this report, we take a look at the most common phishing emails in May and explain how you can recognize them. The alleged senders of the biggest phishing attacks this time include comdirect Bank, Commerzbank and Telekom.

Employee interview 05/2024: Lina Dillhardt (working student in Marketing)

The interview series with employees of the dataglobal Group. An interview with Lina Dillhardt, working student in Marketing.

Microsoft: Police warn of cyber attacks on Office 365

The LKA NRW warns of cyberattacks on Office 365, especially via Outlook and document management. The attacks affect not only companies, but also their customers. The perpetrators aim to take over email accounts and send malicious attachments or links in the name of companies.

Telegram bots: Phishing attacks create danger in chat. 4 tips for companies

Phishing attacks via Telegram bots are on the rise and are unsettling many users of the messaging platform. Companies are also affected – what should you know now?

vykon joins dataglobal Group

The provider of resource management solutions...

Phishing at Temu, AliExpress, Wish & Co. – Fraud trap online marketplace

More and more people are using non-European online marketplaces such as Temu, Wish and AliExpress However, in addition to problems such as the risk of counterfeit or inferior products, the threat of cyberattacks in the form of spam, phishing and malware is also growing.

DORA Regulation: Financial sector must protect itself more effectively against cyber risks from 2025

The DORA regulation is intended to better protect the financial sector against cyber risks. What do financial service providers need to know now?

DMS-Guide: Free e-book on digital document management

The official dataglobal Group guide to digital document management: everything you need to know about functions, benefits, software and the right DMS provider. The integrated implementation tips will help you with the implementation in your company.

Content & News Hub


Know - what is...?