Contact Deutsch

ISiCO GmbH
Skip navigation
  • Privacy

    Get a head start with our optimal data protection consultancy

    Secure your competitive advantage with our business-focused data protection expertise.

    • Data Protection Consulting
      • Data Protection Impact Assessment (DPIA)
      • Threat Modelling
      • Data Breaches
      • Records of Processing Activities (ROPA)
      • Communication & Procedures with Authorities
      • Employee Data Protection
      • Data Protection Management System
      • Erasure and Archiving Policies
    • External Data Protection Officer
    • Data Protection Audits
    • EU Representative
    • Whistleblower Protection Act
  • IT Security

    Reliable protection for your company

    Make use of our expertise and customised IT security solutions to protect your digital assets.

    • External Information Security Officer (ISO)
    • ISMS
      • ISMS Service Package
      • ISMS Service Package NIS2
      • ISMS Service Package ISO 27001
      • ISMS Service Package TISAX
    • ISO 27001 Certification
    • Ransomware Protection
    • Risk Management
    • IT Compliance
    • NIS2
    • DORA
    • TISAX Certification
    • IT Forensics
    • Cyber Resilience Act
  • AI Consulting

    Gain a competitive edge with the best AI advice

    Secure your competitive advantage with our business-focused AI expertise.

    • ISO 42001 Certification
    • External AI Officer
  • Data Strategy

    Make the most of your data

    We will show you how to unlock the full potential of your company's data.

    • Develop Data Strategy
    • Maturity Assessment
    • Data Governance
    • Data Product
  • Solutions

    We create solutions for all challenges

    Whether you need advice on data protection management, its implementation, or employee training, we can provide the solution you need as part of a corporate network.

    • Workshops
    • DPO Coaching
    • Privacy Solution Software caralegal
    • E-Learning from lawpilots
  • Company

    Customised, efficient and business-oriented

    ISiCO is one of the top addresses in Germany for management consultancy in data protection, information security, AI and data strategies.

    • About ISiCO
    • Team
    • Offices
    • News
    • Contact
  • Make an appointment

16.07.2026

NIS2 Tools for SMEs: why tools help, but cannot buy compliance

No tool automatically makes a company NIS2-compliant. Tools only accelerate implementation if risks, responsibilities and processes have been clarified first. We show which tool categories you really need, what a pragmatic basic stack looks like and which questions you should answer before making any purchase.

Arrange a no-obligation initial consultation now
Your ISiCO-Expert:
Dr Jan Scharfenberg
Partner, Managing Director

Why many SMEs look for tools first and why this is the wrong starting point

In most companies, the tool question comes too early. Anyone who buys tools first and only afterwards clarifies which risks actually need to be managed is investing blindly.

After an initial NIS2 assessment or registration, pressure to act understandably arises: Which measures do we need to implement? Do we need a GRC tool, a vulnerability scanner or an awareness platform? The temptation to buy something immediately is strong — after all, a new tool feels like progress.

The problem is that without a prior risk assessment, there is no basis for meaningful prioritisation. NIS2 does not prescribe specific products or providers. The focus is on appropriate, proportionate and effective measures, as well as the ability to provide evidence of them — this is the logic of the BSIG and the underlying EU Directive.

A company that does not know which processes are critical, which systems may tolerate downtime and which suppliers are security-relevant cannot meaningfully prioritise even the best list of tools. The better starting question is therefore: Which risks, processes and evidence requirements do we need to manage?

Non-binding initial consultation on NIS2

  • Clarification of whether your company falls within the scope of the directive.
  • Analysis of your IT infrastructure to ensure NIS2 compliance.
  • We will create a catalogue of measures and support you with implementation.

Book your appointment now

Which tool categories are relevant for NIS2 implementation?

Eleven tool categories cover the key NIS2 requirements for SMEs: from identity protection and incident management to crisis communication.

Not every category is equally urgent for every company. Which one becomes relevant first depends on the risk profile, IT landscape and maturity level. These eleven tool categories are typically relevant for NIS2 implementation in SMEs:

  • Identity and multi-factor authentication (MFA): securing access, protecting privileged accounts and managing risk-based access rules.
  • Password management: managing shared vaults and preventing passwords from being shared by email or chat.
  • Asset management: inventorying devices, systems and owners — the foundation for almost everything else.
  • Endpoint protection: protecting endpoints against malware, ransomware and suspicious behaviour.
  • Backup and restore testing: not only setting up backups, but regularly checking whether recovery actually works.
  • Incident management / ticketing: documenting, escalating and traceably closing security incidents — including early initial notification within 24 hours, follow-up notification within 72 hours and a final report no later than one month after the 72-hour notification, where a significant security incident has occurred and the relevant reporting channel has been established.
  • Awareness training: regularly raising employee awareness — including phishing simulations and evidence of participation.
  • Vulnerability management: identifying open vulnerabilities, prioritising them and tracking their remediation.
  • GRC / ISMS / evidence: centrally documenting risks, controls, measures and responsibilities.
  • Supplier management: assessing critical service providers, requesting security evidence and maintaining emergency contacts.
  • Emergency communication: maintaining a communication channel that still works when email or Teams is unavailable.

The categories are interdependent: without an asset inventory, there can be no targeted vulnerability scan; without managed devices, there can be no effective endpoint protection; without ticketing, there can be no clean incident documentation. Understanding these dependencies helps avoid tool sprawl.

The minimal viable tool stack: start pragmatically instead of doing everything at once

For most SMEs, a lean basic stack is the right starting point. More important than completeness is that responsibilities, status and evidence are traceable from the outset.

The basic stack consists of around ten building blocks: from MFA, endpoint protection and ticketing to a supplier overview. That may sound like a lot, but it does not have to consist of specialist tools from day one. Existing Microsoft 365 environments, existing ticketing systems or documented Excel lists can be a starting point provided they are maintained.

The decisive question is whether you rely on open-source solutions or paid SaaS products. Both approaches have clear advantages and disadvantages:

  Open source SaaS / enterprise
Costs Lower entry costs, no licence fees Ongoing costs, but more predictable
Control Full data sovereignty, own infrastructure Dependency on the provider
Operation Own responsibility for updates, backups and security Support, hosting and updates included
Reporting Often manual or limited Usually integrated reporting and dashboards
Entry barrier Technical know-how required Faster start, less configuration

Open source can save licence costs but not operational responsibility. If you cannot ensure internal operation, an unmaintained open-source instance creates a new risk rather than a solution. Paid tools, in turn, do not buy compliance; they make operation, support and evidence management easier.

The honest total cost question is: Who maintains the tool, who evaluates the results, who decides on measures and what evidence does this produce? If these questions remain unanswered, even a good tool quickly becomes an additional maintenance burden.

Stack orientation by company profile

The right NIS2 tool stack depends on the size, IT landscape and maturity level of the organisation and not on a universal recommendation list.

A startup with 15 people needs a different NIS2 tooling strategy than a Microsoft-first mid-sized company with 200 employees. The following profiles show typical starting points and which building blocks make sense in each case.

Profile Typical stack Why it makes sense
Startup, 1–20 people MFA, Bitwarden, simple asset list, endpoint protection, backup, incident runbook Low cost, quick to implement, little overhead
SaaS startup, 20–75 people GRC/ISMS, MFA, Defender/CrowdStrike, backup, awareness, OpenVAS/Tenable Covers customer and evidence requirements early
Small SME, 20–75 people Business Premium or similar, Snipe-IT/GLPI, backup, vulnerability scanner, awareness, YubiKeys, emergency communication Pragmatic and broadly covered
Microsoft-first SME, 75–300 people Entra ID, Intune, Defender, Business Premium plus GRC/ISMS, supplier assessment, vulnerability management Microsoft covers a lot — GRC, suppliers and evidence need to be added
Open-source-oriented SME CISO Assistant, GLPI, Snipe-IT, Wazuh, OpenVAS, Bitwarden, TheHive Low licence costs, high control — but more operational effort
Regulated mid-sized company / high risk Enterprise GRC, EDR, SIEM/SOC, vulnerability management, Veeam, UpGuard, awareness, ticketing, emergency communication Greater evidence capability, monitoring and supplier control

These profiles are orientation aids, not blueprints. Which NIS2 tool stack actually fits depends on the individual risk assessment.

Free expertise in your e-mail inbox

All the important news on data protection, information security, AI and data strategy conveniently delivered to your e-mail inbox once a month - free of charge, of course. (Currently only available in German)

Please calculate 1 plus 8.

By clicking on the button, you consent to the sending of our newsletter and the aggregated usage analysis (opening rate and link clicks). You can revoke your consent at any time, e.g. via the unsubscribe link in the newsletter. More information: Privacy policy.

Tooling roadmap: creating structure in 30, 60 and 90 days

A pragmatic NIS2 tooling roadmap is divided into three phases: inventory, basic processes and reporting structure. This helps you avoid trying to introduce everything at once and ultimately operating nothing properly.

The first 30 days: create the foundation

Record which tools, systems, cloud services and service providers are already in use. Clarify responsibilities for the most important security areas. Identify critical processes and systems. Review the MFA status of all admin access, the backup status, the state of device management and the existing security policies. Also start an asset overview. This phase is not primarily about new procurement, but about transparency.

By day 60: build basic processes and evidence

The first vulnerability scan often shows where the biggest gaps are. Use this phase to document an incident process in parallel, plan the first awareness training and build a supplier list. Also begin collecting evidence systematically.

By day 90: stabilise roadmap and reporting

Decide whether a GRC or ISMS tool should be introduced, and if so, which one. Assess the remaining tool gaps. Prioritise the further expansion of the NIS2 tool stack, establish management reporting and approve the budget and roadmap for the coming quarters.

This roadmap is deliberately conservative. Those who move faster gain time. Those who take more time should at least treat the 30-day steps as immediate measures.

Ten questions you should answer before buying any NIS2 tool

Choosing the right NIS2 tool does not begin with features and prices, but with basic organisational questions. You should be able to answer ten of them before every purchase:

  1. Which risk or evidence requirement is the tool supposed to make easier to manage?
  2. Who is responsible for the tool from a business and technical perspective?
  3. Which data need to be maintained initially and updated regularly?
  4. Which existing tools can already cover the requirement?
  5. How will the tool be integrated into incident, risk or management processes?
  6. Which reports do management or customers actually need?
  7. How are permissions, backups and updates for the tool itself regulated?
  8. What exit strategy exists if the tool is replaced?
  9. What ongoing costs arise in addition to licence costs?
  10. How is the effectiveness of tool use reviewed?

If you do not have a clear answer to more than three of these questions, the tool is probably not yet ready for procurement. Clarify the organisational framework first, this will make the tool decision better, not slower.

Conclusion: NIS2 compliance is created through processes, not licences

NIS2 compliance cannot be bought. It is created through demonstrable measures, clear responsibilities, regular testing, documented decisions and continuous improvement. NIS2 tools for SMEs can make this process significantly easier if they fit the risk profile, organisation and roadmap.

The pragmatic approach is to start with a lean basic stack, include existing systems, maintain evidence from the outset and expand the stack step by step as maturity and requirements grow. If you are unsure which stack fits your organisation, you should first carry out a risk-based current-state assessment for example in a NIS2 risk management workshop that prioritises risks and translates tooling questions into a realistic roadmap.

Information security that protects and thinks ahead

We don't just secure your systems; we also strengthen your structures. We provide well-thought-out IT security solutions that are tailored to your company and evolve alongside it.

Book your appointment now

Frequently asked questions

#1 Is a free open-source tool sufficient for NIS2 implementation?

Open-source tools can cover individual requirements, but they do not replace the organisational framework. They save licence costs, but require in-house operation, regular updates and security responsibility. Without clear responsibilities, an unmaintained open-source instance itself becomes a risk.

#2 Which tool should SMEs introduce first?

For many SMEs, multi-factor authentication is one of the measures with the best effort-to-impact ratio especially for email, cloud services, admin accounts, financial systems and critical specialist applications. Phishing and stolen credentials are among the common entry points for attacks. Multi-factor authentication significantly reduces this risk.

A password manager is often the logical next step because it makes secure passwords, separate access and controlled sharing easier.

#3 Do SMEs necessarily need a GRC or ISMS tool?

Not necessarily. NIS2 does not require any specific GRC or ISMS tool. What matters is that risks, measures, responsibilities, evidence and regular reviews are documented in a traceable manner. At the beginning, a structured list of risks, measures and responsibilities may be sufficient. Once evidence requirements increase, several responsible persons are involved or audits are approaching, a GRC tool is often the more efficient route.

#4 How much does a basic NIS2 stack cost?

Costs vary significantly depending on company size and the chosen approach. An open-source-based stack can have licence costs close to zero, but requires internal operational effort. A SaaS-based stack for 50 people is typically in the low to mid four-digit range per month — depending on the selected products and licence tiers.

#5 What happens if a company buys tools but does not define processes?

Without defined processes, tool sprawl arises without evidence capability the greatest risk when implementing NIS2 with tools. The software produces data, but nobody evaluates it, derives measures from it or reports to management. In a real-world scenario — for example a security incident or an audit — the documented decisions and responsibilities required by NIS2 are precisely what will be missing.

Back to the news overview

Berlin
Köln
München

Ready for the next step?

+49 30 21300285-0
info@isico.de

Directly to get to know us

 

Outstanding work

ISiCO is also an active member of the German Association for Data Protection and Data Security (GDD) and the German Association for Information Technology, Telecommunications and New Media (Bitkom).

Top-Links
Skip navigation
  • External Data Protection Officer
  • Data Protection Management System
  • Data Strategy
  • Data Breaches
  • ISMS
Find out more
Skip navigation
  • About ISiCO
  • Team
  • Contact

Language

DE EN

© ISiCO GmbH | Contact | Imprint | Privacy | Privacy Settings