NIS2 for Small Enterprises 50-100 Employees: Quick Compliance

1. Are you in scope?

Essential entity status applies from 50 employees and EUR 10M turnover when the company operates in one of the 11 NIS2 essential sectors (energy, banks, health, cloud, etc.). Important entity status applies under the same size thresholds for the seven additional sectors. Below 50 employees you are usually out of scope unless the entity is "critical."

2. 8-week roadmap

3. EUR 8,000 budget breakdown

• Microsoft 365 Defender: included in E5 license (assume already in place)
• Veeam Cloud Backup: ~EUR 1,500
• External consulting (5 person-days): ~EUR 5,000
• Compliance-Kit NIS2 Kit: EUR 1,490

4. Outsourcing options

• SOC-as-a-Service: EUR 800-3,000 per month
• External CISO / virtual CISO: EUR 8,000-15,000 per year
• Cybersecurity advisor (1 person-day per month): EUR 1,500 per month

5. What you must keep in-house

Even with full outsourcing, three things stay with the management team:

• Risk acceptance decisions by the managing director
• Section 38 BSIG management-liability awareness
• Crisis-team availability when an incident occurs at 2 a.m.

Summary

An SME of 50-100 employees can reach defensible NIS2 compliance in 8 weeks for around EUR 8,000 by combining smart tooling, prebuilt templates, and a focused external advisor. The non-delegable parts are management accountability and crisis decision-making.

View NIS2 Kit →