16.07.2026
NIS2 Tools for SMEs: why tools help, but cannot buy compliance
No tool automatically makes a company NIS2-compliant. Tools only accelerate implementation if risks, responsibilities and processes have been clarified first. We show which tool categories you really need, what a pragmatic basic stack looks like and which questions you should answer before making any purchase.
Dr Jan Scharfenberg
Partner, Managing Director
Why many SMEs look for tools first and why this is the wrong starting point
In most companies, the tool question comes too early. Anyone who buys tools first and only afterwards clarifies which risks actually need to be managed is investing blindly.
After an initial NIS2 assessment or registration, pressure to act understandably arises: Which measures do we need to implement? Do we need a GRC tool, a vulnerability scanner or an awareness platform? The temptation to buy something immediately is strong — after all, a new tool feels like progress.
The problem is that without a prior risk assessment, there is no basis for meaningful prioritisation. NIS2 does not prescribe specific products or providers. The focus is on appropriate, proportionate and effective measures, as well as the ability to provide evidence of them — this is the logic of the BSIG and the underlying EU Directive.
A company that does not know which processes are critical, which systems may tolerate downtime and which suppliers are security-relevant cannot meaningfully prioritise even the best list of tools. The better starting question is therefore: Which risks, processes and evidence requirements do we need to manage?
Non-binding initial consultation on NIS2
- Clarification of whether your company falls within the scope of the directive.
- Analysis of your IT infrastructure to ensure NIS2 compliance.
- We will create a catalogue of measures and support you with implementation.
Which tool categories are relevant for NIS2 implementation?
Eleven tool categories cover the key NIS2 requirements for SMEs: from identity protection and incident management to crisis communication.
Not every category is equally urgent for every company. Which one becomes relevant first depends on the risk profile, IT landscape and maturity level. These eleven tool categories are typically relevant for NIS2 implementation in SMEs:
- Identity and multi-factor authentication (MFA): securing access, protecting privileged accounts and managing risk-based access rules.
- Password management: managing shared vaults and preventing passwords from being shared by email or chat.
- Asset management: inventorying devices, systems and owners — the foundation for almost everything else.
- Endpoint protection: protecting endpoints against malware, ransomware and suspicious behaviour.
- Backup and restore testing: not only setting up backups, but regularly checking whether recovery actually works.
- Incident management / ticketing: documenting, escalating and traceably closing security incidents — including early initial notification within 24 hours, follow-up notification within 72 hours and a final report no later than one month after the 72-hour notification, where a significant security incident has occurred and the relevant reporting channel has been established.
- Awareness training: regularly raising employee awareness — including phishing simulations and evidence of participation.
- Vulnerability management: identifying open vulnerabilities, prioritising them and tracking their remediation.
- GRC / ISMS / evidence: centrally documenting risks, controls, measures and responsibilities.
- Supplier management: assessing critical service providers, requesting security evidence and maintaining emergency contacts.
- Emergency communication: maintaining a communication channel that still works when email or Teams is unavailable.
The categories are interdependent: without an asset inventory, there can be no targeted vulnerability scan; without managed devices, there can be no effective endpoint protection; without ticketing, there can be no clean incident documentation. Understanding these dependencies helps avoid tool sprawl.
The minimal viable tool stack: start pragmatically instead of doing everything at once
For most SMEs, a lean basic stack is the right starting point. More important than completeness is that responsibilities, status and evidence are traceable from the outset.
The basic stack consists of around ten building blocks: from MFA, endpoint protection and ticketing to a supplier overview. That may sound like a lot, but it does not have to consist of specialist tools from day one. Existing Microsoft 365 environments, existing ticketing systems or documented Excel lists can be a starting point provided they are maintained.
The decisive question is whether you rely on open-source solutions or paid SaaS products. Both approaches have clear advantages and disadvantages:
| Open source | SaaS / enterprise | |
|---|---|---|
| Costs | Lower entry costs, no licence fees | Ongoing costs, but more predictable |
| Control | Full data sovereignty, own infrastructure | Dependency on the provider |
| Operation | Own responsibility for updates, backups and security | Support, hosting and updates included |
| Reporting | Often manual or limited | Usually integrated reporting and dashboards |
| Entry barrier | Technical know-how required | Faster start, less configuration |
Open source can save licence costs but not operational responsibility. If you cannot ensure internal operation, an unmaintained open-source instance creates a new risk rather than a solution. Paid tools, in turn, do not buy compliance; they make operation, support and evidence management easier.
The honest total cost question is: Who maintains the tool, who evaluates the results, who decides on measures and what evidence does this produce? If these questions remain unanswered, even a good tool quickly becomes an additional maintenance burden.
Stack orientation by company profile
The right NIS2 tool stack depends on the size, IT landscape and maturity level of the organisation and not on a universal recommendation list.
A startup with 15 people needs a different NIS2 tooling strategy than a Microsoft-first mid-sized company with 200 employees. The following profiles show typical starting points and which building blocks make sense in each case.
| Profile | Typical stack | Why it makes sense |
|---|---|---|
| Startup, 1–20 people | MFA, Bitwarden, simple asset list, endpoint protection, backup, incident runbook | Low cost, quick to implement, little overhead |
| SaaS startup, 20–75 people | GRC/ISMS, MFA, Defender/CrowdStrike, backup, awareness, OpenVAS/Tenable | Covers customer and evidence requirements early |
| Small SME, 20–75 people | Business Premium or similar, Snipe-IT/GLPI, backup, vulnerability scanner, awareness, YubiKeys, emergency communication | Pragmatic and broadly covered |
| Microsoft-first SME, 75–300 people | Entra ID, Intune, Defender, Business Premium plus GRC/ISMS, supplier assessment, vulnerability management | Microsoft covers a lot — GRC, suppliers and evidence need to be added |
| Open-source-oriented SME | CISO Assistant, GLPI, Snipe-IT, Wazuh, OpenVAS, Bitwarden, TheHive | Low licence costs, high control — but more operational effort |
| Regulated mid-sized company / high risk | Enterprise GRC, EDR, SIEM/SOC, vulnerability management, Veeam, UpGuard, awareness, ticketing, emergency communication | Greater evidence capability, monitoring and supplier control |
These profiles are orientation aids, not blueprints. Which NIS2 tool stack actually fits depends on the individual risk assessment.
Free expertise in your e-mail inbox
All the important news on data protection, information security, AI and data strategy conveniently delivered to your e-mail inbox once a month - free of charge, of course. (Currently only available in German)
Tooling roadmap: creating structure in 30, 60 and 90 days
A pragmatic NIS2 tooling roadmap is divided into three phases: inventory, basic processes and reporting structure. This helps you avoid trying to introduce everything at once and ultimately operating nothing properly.
The first 30 days: create the foundation
Record which tools, systems, cloud services and service providers are already in use. Clarify responsibilities for the most important security areas. Identify critical processes and systems. Review the MFA status of all admin access, the backup status, the state of device management and the existing security policies. Also start an asset overview. This phase is not primarily about new procurement, but about transparency.
By day 60: build basic processes and evidence
The first vulnerability scan often shows where the biggest gaps are. Use this phase to document an incident process in parallel, plan the first awareness training and build a supplier list. Also begin collecting evidence systematically.
By day 90: stabilise roadmap and reporting
Decide whether a GRC or ISMS tool should be introduced, and if so, which one. Assess the remaining tool gaps. Prioritise the further expansion of the NIS2 tool stack, establish management reporting and approve the budget and roadmap for the coming quarters.
This roadmap is deliberately conservative. Those who move faster gain time. Those who take more time should at least treat the 30-day steps as immediate measures.
Ten questions you should answer before buying any NIS2 tool
Choosing the right NIS2 tool does not begin with features and prices, but with basic organisational questions. You should be able to answer ten of them before every purchase:
- Which risk or evidence requirement is the tool supposed to make easier to manage?
- Who is responsible for the tool from a business and technical perspective?
- Which data need to be maintained initially and updated regularly?
- Which existing tools can already cover the requirement?
- How will the tool be integrated into incident, risk or management processes?
- Which reports do management or customers actually need?
- How are permissions, backups and updates for the tool itself regulated?
- What exit strategy exists if the tool is replaced?
- What ongoing costs arise in addition to licence costs?
- How is the effectiveness of tool use reviewed?
If you do not have a clear answer to more than three of these questions, the tool is probably not yet ready for procurement. Clarify the organisational framework first, this will make the tool decision better, not slower.
Conclusion: NIS2 compliance is created through processes, not licences
NIS2 compliance cannot be bought. It is created through demonstrable measures, clear responsibilities, regular testing, documented decisions and continuous improvement. NIS2 tools for SMEs can make this process significantly easier if they fit the risk profile, organisation and roadmap.
The pragmatic approach is to start with a lean basic stack, include existing systems, maintain evidence from the outset and expand the stack step by step as maturity and requirements grow. If you are unsure which stack fits your organisation, you should first carry out a risk-based current-state assessment for example in a NIS2 risk management workshop that prioritises risks and translates tooling questions into a realistic roadmap.
Information security that protects and thinks ahead
We don't just secure your systems; we also strengthen your structures. We provide well-thought-out IT security solutions that are tailored to your company and evolve alongside it.
Frequently asked questions
#1 Is a free open-source tool sufficient for NIS2 implementation?
Open-source tools can cover individual requirements, but they do not replace the organisational framework. They save licence costs, but require in-house operation, regular updates and security responsibility. Without clear responsibilities, an unmaintained open-source instance itself becomes a risk.
#2 Which tool should SMEs introduce first?
For many SMEs, multi-factor authentication is one of the measures with the best effort-to-impact ratio especially for email, cloud services, admin accounts, financial systems and critical specialist applications. Phishing and stolen credentials are among the common entry points for attacks. Multi-factor authentication significantly reduces this risk.
A password manager is often the logical next step because it makes secure passwords, separate access and controlled sharing easier.
#3 Do SMEs necessarily need a GRC or ISMS tool?
Not necessarily. NIS2 does not require any specific GRC or ISMS tool. What matters is that risks, measures, responsibilities, evidence and regular reviews are documented in a traceable manner. At the beginning, a structured list of risks, measures and responsibilities may be sufficient. Once evidence requirements increase, several responsible persons are involved or audits are approaching, a GRC tool is often the more efficient route.
#4 How much does a basic NIS2 stack cost?
Costs vary significantly depending on company size and the chosen approach. An open-source-based stack can have licence costs close to zero, but requires internal operational effort. A SaaS-based stack for 50 people is typically in the low to mid four-digit range per month — depending on the selected products and licence tiers.
#5 What happens if a company buys tools but does not define processes?
Without defined processes, tool sprawl arises without evidence capability the greatest risk when implementing NIS2 with tools. The software produces data, but nobody evaluates it, derives measures from it or reports to management. In a real-world scenario — for example a security incident or an audit — the documented decisions and responsibilities required by NIS2 are precisely what will be missing.