What is NIS 2?
With the rapid advancement of technology and its growing significance in business operations, the frequency and sophistication of cyberattacks have surged globally. In response, the European Union adopted the Directive on security of network and information systems (the NIS Directive) in 2016, aiming to strengthen cybersecurity across member states.
Its successor, NIS 2 (Directive (EU) 2022/2555), entered into force in January 2023, and member states had until 17 October 2024 to transpose it into national law. Since late 2024 its expanded requirements therefore apply, covering more sectors and imposing stricter obligations than the original directive. While the goal is a safer, more resilient digital environment across the European Union, the road to compliance is particularly challenging for small and medium-sized enterprises (SMEs).
Wider scope, greater responsibility
NIS 2 is not just an update; it is a significant expansion in both coverage and complexity. The directive now applies to a much larger pool of organizations in the sectors it lists, including many medium-sized enterprises (and, in specific cases, small ones) that previously fell outside the scope.
This broader reach is designed to foster a more resilient digital environment across the EU, but it also means that thousands of businesses must now meet stricter cybersecurity standards, often for the first time.
Unlike before, security can no longer be treated as a checkbox exercise driven by budget or client demands. SMEs must now adopt a company-wide, proactive approach to cybersecurity.
Main challenges for SMEs
Compliance fatigue
For many European companies, NIS 2 is the latest in a growing list of compliance requirements, from GDPR to ESG reporting and climate disclosures. All of them require substantial attention and resources.
SMEs, which typically lack mature security infrastructures and dedicated compliance teams, can quickly feel overwhelmed. The risk is that companies may approach compliance as a box-ticking exercise, doing the bare minimum to meet requirements without achieving meaningful security improvements.
It is not a one-person job
Another overlooked challenge is the misconception that cybersecurity is solely the responsibility of the IT department or a single compliance officer. Effective compliance with NIS 2 requires collaboration across the business.
HR, procurement, operations, and management all play critical roles. Every department must understand how its processes impact security, from managing access rights and handling sensitive data to securing supply chains and responding to incidents.
The security talent gap
Another major hurdle for SMEs is access to qualified security experts. Most do not have in-house security professionals, which makes them dependent on external consultants, and the demand for those consultants far outweighs the supply.
For example, in Belgium alone, over 2500 companies now fall under NIS 2's scope. If a single consultant can typically support only four to five companies per year, the market is stretched thin: prices rise and many SMEs struggle to find help at all.
Even when companies manage to hire or contract talent, retaining it is another story. Cybersecurity is a complex, cross-functional discipline that requires coordination with multiple departments. When a key expert leaves, they take with them years of institutional knowledge that is difficult and time-consuming to replace. This leaves a gap, especially during certification cycles or when responding to new threats.
Spreadsheets won’t save you
Many organizations initially rely on familiar tools like Excel and Word to manage compliance tasks due to their accessibility and low cost. However, these tools quickly reveal significant limitations when faced with the complexity and scale of NIS 2 requirements.
Spreadsheets and documents offer no meaningful access control or audit trail: files are copied, emailed, and edited freely, so there is no reliable record of who changed what and when, and they quickly become chaotic. They also make it difficult to assign ownership, track changes, and ensure version control, all of which are critical for demonstrating compliance to regulators.
Ultimately, Excel and Word can only take you so far.
Continuous improvement: a moving target
NIS 2 is not about ticking boxes. It requires continuous improvement, risk analysis, and proactive management. Annual reviews are no longer enough.
New technologies, such as AI, introduce evolving risks. Staying ahead means allocating resources to monitor threats, analyse trends, and train employees, which can be an overwhelming task for a lean team.
Real-time monitoring is no longer optional
Under NIS 2, significant incidents must be reported on tight deadlines: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Meeting the 24-hour clock means incidents have to be detected promptly, which in practice requires continuous monitoring of systems and controls. Achieving this level of oversight manually, around the clock, would require a team of five or six full-time employees dedicated solely to monitoring, an unrealistic expectation for most SMEs.
The solution: smart tooling
Given these challenges, automation and advanced security tooling are no longer optional; they are essential. The right tools can provide continuous monitoring, streamline compliance processes, and help your team act quickly and confidently.
Automation is no longer a luxury, it's a necessity. It makes compliance sustainable. It reduces pressure on your staff, increases consistency, and gives the visibility needed to stay ahead of regulations like NIS 2.
That’s where Maiky comes in. While it helps companies meet NIS 2 obligations, it goes far beyond that, supporting organizations in building, managing, and continuously improving their entire security program. Whether you are scaling, facing compliance fatigue, or simply want to gain control over your security efforts, Maiky provides the clarity and automation needed to move forward with confidence.
How Maiky tackles these challenges
- Stay compliant: Maiky keeps your security program active all year round. After audits or certifications, it ensures ongoing engagement through continuous tracking, clear responsibilities, and smart reminders.
- Reduce manual work: Maiky automates up to 80% of routine security tasks. That means less paperwork and more focus on what really matters: risk management, incident response, and strategic planning.
- Target the right people: Maiky is built to fit your company's structure, not the other way around. It ensures that each stakeholder gets the information and tasks relevant to their role, without overwhelming or under-informing anyone in the process.
- Smooth personnel transitions: When team members leave, they often take critical knowledge with them. With Maiky, your security program stays centralized, documented, and easy to pick up, whether someone joins, leaves, or changes roles.
- Detect issues earlier: Maiky proactively flags potential issues before they become critical, making it easier for small teams to address problems early and prevent them from spreading.
- Actionable insights: Maiky provides actionable insights, so you can understand your strengths, improve your weak spots, and continuously level up your program.
- Real-time monitoring: NIS 2 requires significant incidents to be detected and reported within tight deadlines. Maiky continuously monitors your security program, alerting you to anomalies or incidents as they occur. Your team does not have to watch dashboards all day, just validate the alerts. This makes timely detection and reporting realistic even with a small team.
- Understand the full picture: Maiky maps relationships between assets, risks, controls, and incidents. You get clarity on what you are protecting, why it matters, and how it fits into business goals.
- Zoom out with a helicopter view: Security affects every part of your business. Maiky shows the big picture, so you can see alignment, avoid blind spots, and move forward with confidence.
- Comprehensive automation: From task reminders to evidence collection, Maiky automates the day-to-day operations of managing a security program. By reducing operational load, your team can focus on proactive improvements and stay compliant without burnout.
Implementing NIS 2 is a significant undertaking for SMEs, demanding new investments in people, processes, and technology. While the challenges are substantial, leveraging a tool like Maiky and seeking targeted expert support can make compliance achievable and ultimately strengthen the organization’s resilience against cyber threats.