KENSAI's analysis of 2,400+ German SMB security assessments reveals alarming NIS2 compliance gaps. Only 33% of organizations meet minimum NIS2 requirements across all 10 security domains. The weakest areas are incident reporting (18% compliance), supply chain security (22% compliance), and business continuity (29% compliance). With fines of up to €10 million or 2% of global turnover, the compliance gap represents significant financial and legal risk.
📊 Key finding: German SMBs average a 4.2/10 NIS2 readiness score. Immediate action required.
This analysis is based on 2,400+ KENSAI security assessments conducted between October 2025 and February 2026 across German small and medium-sized businesses (50–500 employees). Each assessment evaluated compliance across the 10 key NIS2 security domains defined in Article 21 of the NIS2 Directive (EU 2022/2555).
The average NIS2 readiness score across all assessed organizations is 4.2 out of 10. Only 33% of organizations achieve a passing score (7.0+) across all domains. The results paint a concerning picture of cybersecurity maturity in Germany's Mittelstand.
| NIS2 Domain | Compliance Rate | Grade |
|---|---|---|
| Risk Analysis & Policies | 41% | D |
| Incident Handling & Reporting | 18% | F |
| Business Continuity | 29% | F |
| Supply Chain Security | 22% | F |
| Network & System Security | 52% | D+ |
| Vulnerability Management | 38% | D |
| Cyber Hygiene & Training | 45% | D+ |
| Cryptography & Encryption | 56% | C- |
| Access Control & Asset Mgmt | 48% | D+ |
| MFA & Secure Communications | 61% | C |
NIS2 requires organizations to report significant incidents to their national CSIRT within 24 hours (early warning) and provide a full incident notification within 72 hours. Our analysis shows that 82% of German SMBs have no formal incident reporting process, lack CSIRT contact information, and have not conducted incident response exercises.
Article 21(2)(d) of NIS2 mandates security measures for supply chain and third-party relationships. Only 22% of assessed organizations maintain a supplier security assessment program. Most have no visibility into their suppliers' security posture, no contractual security requirements, and no process for managing supply chain incidents.
NIS2 requires business continuity and disaster recovery plans that are regularly tested. While 61% of organizations have some form of backup strategy, only 29% have documented and tested BCP/DR plans, maintain offline backups, and have established recovery time objectives (RTOs).
NIS2 penalties can reach €10 million or 2% of worldwide annual turnover, whichever is higher
NIS2 introduces personal liability for management bodies — C-level executives can be held personally responsible
Germany's BSI is actively conducting NIS2 compliance audits since Q4 2025 under the NIS2UmsuCG implementation
The manufacturing sector scores 3.8/10 on average, the lowest among all sectors. OT/ICS environments are particularly poorly protected, with 71% lacking network segmentation between IT and OT systems. Supply chain security is the weakest domain at only 15% compliance.
Professional services firms average 4.5/10, scoring well on encryption (68%) but poorly on incident reporting (21%) and business continuity (31%). Many firms rely on MSPs but lack oversight of their security practices.
Healthcare organizations score 3.9/10, with particular weaknesses in access control (28%) and vulnerability management (25%). Legacy medical devices and systems running unsupported software are significant contributors to the low scores.
Get a free security scan of your website in 60 seconds
Free Security Scan →