STEP 1: Confirm Applicability
Action: Determine if your SME is affected
How:
- Check if your business is part of the sectors listed in Annex I or II of NIS2
- Confirm your size: more than 50 employees or more than €10M annual turnover
Tool: EU SME Definition Tool
STEP 2: Identify Legal Obligations in Your Country
Action: Consult your national transposition of NIS2
How:
- Visit your National Cybersecurity Authority’s website
- Look for local NIS2 laws, guidelines, templates, and deadlines
Example: In Greece: https://cybersecurity.gov.gr
STEP 3: Perform a Cybersecurity Gap Assessment
Action: Evaluate your current security posture
How:
- Compare your setup with ENISA’s cybersecurity baseline
- Use tools like:
  - CIS Controls v8
  - ISO/IEC 27001
  - ENISA’s SME Security Checklists
Look For Gaps In:
- Network protocols (Are they encrypted? Up to date?)
- Authentication mechanisms
- Incident response
- Asset management
- Vendor security
STEP 4: Review and Update Your Protocols and Policies
Action: Bring protocols to current security standards
How:
- Replace outdated protocols (e.g., FTP → SFTP, HTTP → HTTPS)
- Enable TLS 1.2+
- Use encrypted DNS (DNS over HTTPS or TLS)
- Apply role-based access and 2FA
- Disable insecure cipher suites and hashing (e.g., MD5, SHA-1)
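A small lint that turns the Step 4 checklist into a repeatable check is shown below. It is an added example, not part of the original guide: it parses nginx-style directives (ssl_protocols, ssl_ciphers, listen) from two embedded sample configurations that are made up for illustration, and flags plaintext listeners, protocol versions below TLS 1.2, and cipher suites that use MD5, SHA-1, RC4, DES or no encryption at all. The directive names are nginx's; the weak-token list and the sample configs are assumptions for the example.

```python
"""Lint a web-server TLS configuration against the Step 4 baseline.

Added example (not from the original guide).  Parses nginx-style
'name value;' directives line by line; the two sample configs below are
constructed for illustration.
"""
import re

# Protocol versions below the Step 4 floor of TLS 1.2+.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Tokens in an OpenSSL cipher-suite name that mean a broken primitive or no
# encryption.  A bare trailing "SHA" (e.g. AES128-SHA) means HMAC-SHA1.
WEAK_CIPHER_TOKENS = {"MD5", "SHA", "SHA1", "RC4", "DES", "3DES",
                      "NULL", "aNULL", "eNULL", "EXPORT"}

# Matches a single-line directive such as "ssl_protocols TLSv1.2 TLSv1.3;"
DIRECTIVE = re.compile(r"^\s*(\w+)\s+([^;]+);")

# Constructed sample: the "before" configuration with several Step 4 gaps.
WEAK_CONFIG = """
server {
    listen 80;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128-SHA:RC4-MD5:ECDHE-RSA-AES256-GCM-SHA384';
}
"""

# Constructed sample: the same server after applying Step 4.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305';
}
"""


def lint_tls_config(config):
    """Return a list of human-readable findings; an empty list means no gap found."""
    findings = []
    for line in config.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, args = m.group(1), m.group(2).strip().strip("'\"")
        if name == "listen":
            # A listener without the 'ssl' flag serves plaintext HTTP.  Such a
            # listener is acceptable only if it does nothing but redirect to
            # HTTPS, so it is reported for review rather than auto-fixed.
            if "ssl" not in args.split():
                findings.append(f"plaintext listener: listen {args}")
        elif name == "ssl_protocols":
            for proto in args.split():
                if proto in LEGACY_PROTOCOLS:
                    findings.append(f"legacy protocol enabled: {proto}")
        elif name == "ssl_ciphers":
            for suite in args.split(":"):
                if suite.startswith("!"):      # '!NAME' excludes a suite
                    continue
                weak = [t for t in suite.split("-") if t in WEAK_CIPHER_TOKENS]
                if weak:
                    findings.append(f"weak cipher suite: {suite} ({', '.join(weak)})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_tls_config(cfg) or ["no findings"]:
            print("  " + finding)
```

Run against the two samples, the weak configuration produces five findings (one plaintext listener, two legacy protocol versions, two weak suites) and the hardened one produces none. The check is deliberately string-based so it can run in a CI job over configuration files before deployment; it does not replace a live scan of the deployed endpoint.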
STEP 5: Implement Technical and Organizational Measures
Action: Fulfill core NIS2 requirements
Key Controls:
- Firewalls, EDR, anti-malware
- Secure backups and disaster recovery
- Network segmentation and monitoring
- Logging, SIEM, alerts for critical events
- Data encryption at rest and in transit
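The "logging, SIEM, alerts for critical events" control is easiest to understand as a handful of concrete rules run over audit logs. The following is an added example, not code from the original guide or from any named SIEM product: it reads constructed key=value log lines, raises an alert when one source address fails to log in five times within five minutes, and raises one for every event in a small critical-event list (membership change in an admin group, backup failure, audit log cleared). The log format, field names, thresholds and sample lines are all assumptions for the example; map them to whatever your systems actually emit.

```python
"""Raise alerts for critical events from structured audit-log lines.

Added example (not from the original guide).  The log format (ISO timestamp
followed by key=value pairs) and the sample lines are constructed; the source
addresses use the documentation range 203.0.113.0/24.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T08:00:01Z host=vpn01 event=login_failed user=jsmith src=203.0.113.5
2024-05-01T08:00:04Z host=vpn01 event=login_failed user=jsmith src=203.0.113.5
2024-05-01T08:00:07Z host=vpn01 event=login_failed user=admin src=203.0.113.5
2024-05-01T08:00:09Z host=vpn01 event=login_failed user=root src=203.0.113.5
2024-05-01T08:00:12Z host=vpn01 event=login_failed user=backup src=203.0.113.5
2024-05-01T08:01:00Z host=fs01 event=login_ok user=mmueller src=10.0.1.20
2024-05-01T09:15:30Z host=dc01 event=group_member_added group=Administrators user=svc-temp actor=mmueller
2024-05-01T22:00:00Z host=bk01 event=backup_failed job=nightly-fileshare
"""

# Assumed thresholds: tune to your environment.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

# Events that always warrant an alert, regardless of frequency.
CRITICAL_EVENTS = {"group_member_added", "backup_failed", "audit_log_cleared"}


def parse_line(line):
    """Turn '2024-05-01T08:00:01Z k=v k=v' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_alerts(log_text):
    """Return alert strings in the order they are triggered."""
    alerts = []
    recent = defaultdict(deque)      # src -> timestamps of failures in the window
    alerted_sources = set()          # alert once per source, not once per line
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] == "login_failed":
            window = recent[ev["src"]]
            window.append(ev["ts"])
            # Drop failures older than the sliding window.
            while ev["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD and ev["src"] not in alerted_sources:
                alerted_sources.add(ev["src"])
                minutes = FAILED_LOGIN_WINDOW.seconds // 60
                alerts.append(f"brute-force: {len(window)} failed logins from "
                              f"{ev['src']} on {ev['host']} within {minutes} min")
        elif ev["event"] in CRITICAL_EVENTS:
            detail = " ".join(f"{k}={v}" for k, v in ev.items()
                              if k not in ("ts", "event", "host"))
            alerts.append(f"{ev['event']} on {ev['host']}: {detail}")
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(SAMPLE_LOG):
        print("ALERT:", alert)
```

On the sample log this yields three alerts: the brute-force attempt against vpn01, the addition of an account to the Administrators group, and the failed nightly backup. The same three rules are the minimum a Step 10 auditor will ask to see evidence of, and the alert strings are what a ticketing tool (Step 9) should receive.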
STEP 6: Draft Key Policies and Documentation
Action: Define governance and procedures
Documents to Prepare:
- Cybersecurity policy
- Incident response plan
- Business continuity plan
- Access control policy
- Supplier risk policy
- Reporting procedures (24h/72h window)
STEP 7: Assign Responsibility
Action: Appoint internal/external responsible parties
Roles Needed:
- Cybersecurity Officer or DPO (even part-time/outsourced)
- Management-level sponsor
- Awareness & training coordinator
STEP 8: Train Employees
Action: Regular security awareness for all staff
Topics:
- Phishing detection
- Secure data handling
- Device hygiene
- Incident reporting
STEP 9: Prepare for Incident Reporting
Action: Be ready to comply with notification deadlines
NIS2 Requirements:
- Early warning (24h)
- Incident notification (72h)
- Final report (within 1 month)
Tool Suggestion: Use ticketing or incident response tools (e.g., Jira, TheHive)
STEP 10: Monitor, Audit, and Improve
Action: Regularly review compliance
How:
- Schedule annual or semi-annual reviews
- Conduct penetration testing
- Monitor for NIS2 updates
- Implement audit logs for traceability
Pro Tip for SMEs:
Use the ENISA Cybersecurity for SMEs Guide
🔗 https://www.enisa.europa.eu/publications/cybersecurity-guide-for-smes
This includes a checklist, templates, and advice on securing:
- Web presence
- Internal systems
- Remote work infrastructure
- Third-party services
Final Advice
Even though protocols themselves aren’t explicitly named in the NIS2 directive, they are implicitly covered by its requirement for “state-of-the-art” technical measures. If you’re still using outdated or unencrypted communications, you will likely be in violation.
If in doubt: Replace, encrypt, and segment. NIS2 favors proactive risk reduction over reaction.