NIS2 compliance: Vulnerability management for SMEs
What is NIS2?
The Network and Information Security Directive 2 (NIS2) is an EU directive being transposed into national law since October 2024. It massively expands the scope of affected organizations, from a few hundred to an estimated 30,000+ companies in Germany alone.
Affected are companies in 18 sectors, including:
- Energy, transport, healthcare, water
- Digital infrastructure, IT service providers, cloud providers
- Food, chemicals, manufacturing
- Public administration
Important: SMEs are also affected if they operate in one of these sectors and exceed certain size thresholds (50+ employees or EUR 10M+ revenue).
What does NIS2 require for vulnerability management?
Article 21 of the NIS2 directive demands "appropriate and proportionate technical, operational and organizational measures" in several areas. Relevant for vulnerability management:
1. Risk analysis and security concepts (Art. 21 para. 2a)
- Systematic identification of vulnerabilities in your own infrastructure
- Risk assessment (this is where CVSS + EPSS help)
- Documented processes for vulnerability handling
2. Effectiveness evaluation (Art. 21 para. 2f)
- Regular review of whether measures are working
- Demonstrable improvement over time (trend tracking)
- Metrics: patch times, open critical CVEs, coverage
3. Reporting obligations (Art. 23)
- Significant security incidents must be reported within 24 hours
- Active exploitation of a known, unpatched CVE in your environment can constitute a reportable incident
The reality in SMEs
Most SMEs have:
- No dedicated security engineer. The IT manager or sysadmin handles security "on the side."
- No budget for enterprise tools. Qualys, Tenable, Rapid7 cost $10,000+/year.
- No established processes. Vulnerabilities are checked "when there is time."
- No documentation. Audits cannot verify what was checked.
NIS2 changes this. The directive requires demonstrable processes. "We patch when we hear about it" is no longer sufficient.
A pragmatic approach for SMEs
Step 1: Create an inventory
What technologies do you use? What versions? Without an inventory, you cannot check if you are affected.
Step 2: Daily monitoring
Check new CVEs daily, filtered to your own inventory. Manually, this takes 30+ minutes per day. Automated (e.g. with Nautilus), just seconds.
Step 3: Risk-based prioritization
Not every CVE needs to be patched immediately. Prioritize by:
- CISA KEV: Actively exploited? Patch now.
- EPSS > 10%: Elevated probability? Review promptly.
- CVSS >= 9.0: High damage potential? Schedule it.
Step 4: Documentation
For audits: When was each CVE identified? When was it patched? Why was a CVE classified as "not relevant"? A tool that maintains this data automatically saves days during audits.
Step 5: Notification
The team needs to be informed when a critical CVE affects your stack, whether via Slack webhooks, email digests, or Discord notifications. The key is that nobody has to check manually.
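Steps 1 to 5 above describe one procedure: filter new advisories against an inventory, apply the KEV / EPSS / CVSS rules in order, and keep a dated record of each decision for the auditor. The script below is an added example that does exactly that on constructed data; it is not Nautilus code and not an implementation of any of the feeds named on this page. The field names (`affected_up_to`, `in_kev`), the simplified "affected up to and including version X" model, the "backlog" label for CVEs below every threshold, and the `CVE-2099-*` identifiers are all assumptions or placeholders.

```python
"""Risk-based CVE triage for an SME inventory (added example, not Nautilus code).

Applies the article's rules in order: inventory filter, CISA KEV -> patch now,
EPSS > 10 % -> review promptly, CVSS >= 9.0 -> schedule, and records each
decision with its reason and date as audit evidence.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

EPSS_THRESHOLD = 0.10   # article: "EPSS > 10%"
CVSS_THRESHOLD = 9.0    # article: "CVSS >= 9.0"
ACTIONABLE = {"patch_now", "review_promptly", "schedule"}


@dataclass
class Advisory:
    """One CVE as an aggregated feed might present it (field names are assumptions)."""
    cve_id: str
    product: str          # product name, used as the inventory key
    affected_up_to: str   # highest affected version, inclusive (simplified model)
    cvss: float
    epss: float           # probability in 0..1
    in_kev: bool          # listed in the CISA KEV catalog


@dataclass
class TriageRecord:
    """Audit-trail entry: what was decided, why, and when (Step 4)."""
    cve_id: str
    decision: str
    reason: str
    identified_on: date
    patched_on: Optional[date] = None


def parse_version(v: str):
    """Dotted numeric versions only ("1.24.0"); sufficient for this example."""
    return tuple(int(part) for part in v.split("."))


def triage(adv: Advisory, inventory: Dict[str, str], today: date) -> TriageRecord:
    """Inventory filter first, then the three prioritisation rules in the article's order."""
    installed = inventory.get(adv.product)
    if installed is None:
        return TriageRecord(adv.cve_id, "not_relevant", f"{adv.product} not in inventory", today)
    if parse_version(installed) > parse_version(adv.affected_up_to):
        return TriageRecord(adv.cve_id, "not_relevant",
                            f"installed {adv.product} {installed} newer than affected {adv.affected_up_to}", today)
    if adv.in_kev:
        return TriageRecord(adv.cve_id, "patch_now", "listed in CISA KEV (actively exploited)", today)
    if adv.epss > EPSS_THRESHOLD:
        return TriageRecord(adv.cve_id, "review_promptly", f"EPSS {adv.epss:.0%} exceeds {EPSS_THRESHOLD:.0%}", today)
    if adv.cvss >= CVSS_THRESHOLD:
        return TriageRecord(adv.cve_id, "schedule", f"CVSS {adv.cvss} >= {CVSS_THRESHOLD}", today)
    # Below every threshold: the article names no bucket for this; "backlog" is our label.
    return TriageRecord(adv.cve_id, "backlog", "below KEV/EPSS/CVSS thresholds", today)


def metrics(records: List[TriageRecord]) -> dict:
    """Effectiveness figures the article lists: open critical CVEs and patch times."""
    actionable = [r for r in records if r.decision in ACTIONABLE]
    patched = [r for r in actionable if r.patched_on is not None]
    days = [(r.patched_on - r.identified_on).days for r in patched]
    return {
        "actionable": len(actionable),
        "patched": len(patched),
        "open_patch_now": sum(1 for r in actionable if r.decision == "patch_now" and r.patched_on is None),
        "mean_days_to_patch": (sum(days) / len(days)) if days else None,
    }


def to_csv(records: List[TriageRecord]) -> str:
    """CSV export of the audit trail."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["cve_id", "decision", "reason", "identified_on", "patched_on"])
    for r in records:
        w.writerow([r.cve_id, r.decision, r.reason, r.identified_on.isoformat(),
                    r.patched_on.isoformat() if r.patched_on else ""])
    return buf.getvalue()


# Constructed sample data; the CVE ids are placeholders, not real advisories.
SAMPLE_INVENTORY = {"nginx": "1.24.0", "postgresql": "15.6", "openssh": "9.2"}
SAMPLE_ADVISORIES = [
    Advisory("CVE-2099-0001", "nginx", "1.25.3", cvss=7.5, epss=0.45, in_kev=True),
    Advisory("CVE-2099-0002", "postgresql", "15.7", cvss=9.8, epss=0.02, in_kev=False),
    Advisory("CVE-2099-0003", "openssh", "9.3", cvss=6.5, epss=0.30, in_kev=False),
    Advisory("CVE-2099-0004", "wordpress", "6.4", cvss=9.8, epss=0.90, in_kev=True),
    Advisory("CVE-2099-0005", "nginx", "1.20.0", cvss=9.1, epss=0.50, in_kev=True),
    Advisory("CVE-2099-0006", "postgresql", "15.9", cvss=5.3, epss=0.01, in_kev=False),
]


def run_demo():
    """Triage the samples, mark the KEV item as patched two days later, return trail + metrics + CSV."""
    today = date(2025, 3, 3)
    records = [triage(a, SAMPLE_INVENTORY, today) for a in SAMPLE_ADVISORIES]
    records[0].patched_on = date(2025, 3, 5)
    return records, metrics(records), to_csv(records)


if __name__ == "__main__":
    recs, m, report = run_demo()
    for r in recs:
        print(f"{r.cve_id}: {r.decision:16} {r.reason}")
    print(m)
    print(report)
```

The rule order matters: a CVE with EPSS above 10% and CVSS above 9.0 lands in "review promptly" because the EPSS rule is checked before the CVSS rule, which mirrors the order the article gives. The inventory check runs before any scoring, so a KEV entry for a product you do not run never generates work, but the "not relevant" decision and its reason are still recorded, which is what an auditor asks for.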
What Nautilus contributes
Nautilus covers steps 2-5:
- Daily monitoring from 4 sources (NVD, CISA KEV, ENISA EUVD, GitHub Advisories)
- Prioritization with EPSS scores, KEV flags, and PoC detection
- Technology filter for your specific inventory
- Export (CSV/PDF) for audit evidence
- Webhooks for automatic notification on critical CVEs
This does not replace a complete ISMS, but it gives SMEs a tool to demonstrably and efficiently meet the core requirement of "vulnerability management."
Frequently Asked Questions
Who is affected by NIS2? Organizations in 18 sectors (energy, transport, healthcare, digital infrastructure, IT services, and more) are affected if they exceed 50 employees or EUR 10 million in annual revenue. Both "essential" and "important" entities fall under NIS2.
When must NIS2 be implemented? EU member states have been transposing NIS2 into national law since October 2024. In Germany, the implementing legislation (NIS2UmsuCG) is expected to take effect in 2025. Organizations should start preparing now.
What does NIS2 compliance cost? Costs vary by organization size and maturity. Basic vulnerability monitoring can start at EUR 0 (e.g. Nautilus Free). A complete ISMS implementation for an SME typically ranges from EUR 5,000 to EUR 50,000, depending on scope and external consulting needs.
What are the penalties for NIS2 non-compliance? Penalties can reach up to EUR 10 million or 2% of global annual turnover for essential entities. Important entities face up to EUR 7 million or 1.4% of turnover. Management can be held personally liable.
Conclusion
NIS2 makes vulnerability management mandatory for thousands of SMEs. You do not need enterprise tools costing $10,000/year. With a focused approach (inventory, daily monitoring, risk-based prioritization, documentation), even a small team can meet the requirements.
Related: Learn how EPSS helps you prioritize patches by exploitation likelihood, or understand why the CISA KEV catalog is the gold standard for identifying actively exploited CVEs.
Nautilus gives SMEs the vulnerability intelligence they need, without an enterprise budget. Start for free.