A €50M manufacturer that dominates its niche worldwide will often run its entire security function on a three-person IT team that also fixes printers. That is the Mittelstand in 2026, and NIS2 is about to make it a legal problem.
These family-owned manufacturers, precision engineers and specialty suppliers built their lead through engineering, not information security. There is a real security gap here, and NIS2 now turns it from a risk choice into a statutory obligation. Most of them are not ready.
I’ve spent 15 years working with German mid-market companies on security and compliance. The pattern is consistent: excellent products, excellent processes, but security treated as an IT problem rather than a business function. NIS2 changes that equation.
Understanding the Gap
The gap isn’t about awareness or intent. These companies know cybersecurity matters. They read about ransomware attacks. They watch competitors get breached. They want to be secure.
The problem is structural. Mittelstand companies face constraints that make enterprise security approaches impossible:
Resource constraints: The average Mittelstand IT team is 3-5 people responsible for everything—infrastructure, applications, support, development, and yes, security. There’s no dedicated security function because there’s no headcount for one.
Budget limitations: Security competes with production equipment, R&D, and sales expansion. When you’re a €50M manufacturer, €100,000 for a security tool represents real trade-offs.
Expertise scarcity: The German security job market is fiercely competitive. Mittelstand companies can’t match enterprise salaries or offer the career progression that attracts top talent.
According to Bitkom surveys, 73% of German Mittelstand companies have no dedicated security role. Security is someone’s additional responsibility, not their primary focus.
Why Enterprise Solutions Fail
The security industry primarily serves enterprises. Products, pricing, and processes assume large IT teams, dedicated security staff, and substantial budgets. When Mittelstand companies try to adopt these solutions, they fail.
Pricing mismatch: Enterprise security tools cost €100,000+ annually. For a mid-market company, that’s the equivalent of 2-3 full-time employees. The ROI math doesn’t work.
Complexity overhead: Enterprise tools require specialists to operate. Implementation projects span months. Ongoing administration consumes significant time. The gap widens when a tool demands resources that don’t exist.
Feature bloat: Enterprise products include capabilities Mittelstand companies don’t need. You’re paying for and configuring features designed for Fortune 500 requirements.
Adoption failure: Tools that add friction get bypassed. I’ve seen expensive solutions sit unused while teams revert to spreadsheets and email because the “official” process was too cumbersome.
The BSI recognises this problem. Its IT-Grundschutz framework includes simplified profiles for smaller organisations, but implementation still assumes resources most Mittelstand companies lack.
The NIS2 Wake-Up Call
NIS2 changes everything for Mittelstand companies. For the first time, mid-sized manufacturers, food producers, and chemical suppliers face mandatory cybersecurity requirements with real penalties.
The BSI estimates 29,500 German companies fall under NIS2 scope. Most are Mittelstand. Most have the security gap described above. Most have until October 2026 to close it.
The penalties are significant: €10 million or 2% of global turnover. For a €50M company, that’s €1 million—potentially company-ending. The German implementation adds personal liability for management, making this a boardroom issue, not just an IT issue.
What was once a risk-management choice is now a legal compliance failure. Companies can no longer choose to accept security risk—the state has decided for them.
5 Structural Challenges
Understanding why the gap exists points to the fix. Here are the five structural challenges I see consistently:
1. IT Generalists, Not Security Specialists
Mittelstand IT teams are generalists by necessity. The person managing Active Directory also handles network infrastructure, user support and application maintenance. Security is one responsibility among many, not a specialisation.
That creates capability gaps. Security demands specific expertise—threat analysis, incident response, compliance frameworks—and generalists can’t go deep on it while handling everything else.
2. Production Technology (OT) Complexity
Manufacturing firms run operational technology that IT teams often don’t fully understand. Production systems, PLCs, SCADA—these need specialised knowledge that standard IT training doesn’t cover.
NIS2 requires security for both IT and OT environments. The gap is most acute at the IT/OT boundary, where expertise is rarest.
3. Supply Chain Exposure
Mittelstand companies often exist as suppliers within larger value chains. OEMs push security requirements downstream. A Tier-2 automotive supplier might face TISAX requirements without the resources to meet them.
NIS2 explicitly includes supply chain security requirements. Mittelstand companies must both secure their own operations AND assess their suppliers’ security—multiplying the compliance burden.
4. Legacy System Debt
Many Mittelstand companies run production systems that are decades old. These systems work perfectly for manufacturing but weren’t designed with modern security in mind. They can’t be easily patched, monitored, or segmented.
Replacing legacy systems is expensive and risky, and production downtime costs real money. Much of the gap is technical debt that’s costly to resolve.
5. Documentation Culture Gap
German engineering excellence focuses on products, not paperwork. Security documentation—policies, procedures, evidence—doesn’t come naturally to organisations optimised for building things.
NIS2 requires extensive documentation. Risk assessments, incident procedures, training records, audit trails. Companies that build excellent products but skip documentation will fail compliance.
Closing the Gap
The gap is real but not insurmountable. Solutions exist—but they have to be designed for mid-market constraints, not transplanted from the enterprise:
Right-sized tools: Security products designed for mid-market budgets and capabilities. Fast deployment, low administration overhead, focused functionality. Not enterprise tools with discounts—purpose-built solutions.
Managed services: Outsourced security operations for companies that can’t hire specialists. SOC-as-a-service, managed detection and response, virtual CISO arrangements. According to industry analysis, managed security services are the fastest-growing segment precisely because of Mittelstand demand.
Automation: Reduce human effort through automated documentation, monitoring, and response. If security requires less manual work, smaller teams can achieve more.
Focused scope: Prioritise the highest-risk areas rather than chasing enterprise-level security everywhere. A risk-based approach concentrates limited resources where they matter most.
Practical training: Build internal capability through targeted training. Security awareness for all staff, deeper skills for IT team members. Develop expertise over time.
A Different Approach
I’ve spent my career helping Mittelstand companies navigate security challenges. The gap frustrated me because existing solutions simply didn’t fit their reality.
That’s why I built FwChange—firewall change management designed for mid-market constraints. Fast deployment, affordable pricing, focused functionality. The compliance documentation that audits require, generated automatically.
The market needs more solutions built this way. Security vendors chasing enterprise deals leave Mittelstand companies underserved. NIS2 will force change—either vendors adapt or new solutions emerge.
The Path Forward
The NIS2 deadline is October 2026. The gap won’t close overnight, but companies can start now:
Assess honestly: Understand where you stand against NIS2 requirements. Don’t assume you’re compliant—verify.
Prioritise ruthlessly: You can’t fix everything at once. Tackle the highest-risk gaps first.
Invest appropriately: Security requires investment, but not necessarily enterprise-scale investment. Right-sized solutions exist.
Build capability: Start developing internal expertise. Even small improvements compound over time.
Get help: External expertise can accelerate progress. Consultants, managed services, specialised tools—draw on others’ experience.
German Mittelstand companies built global leadership through excellence. The same discipline, applied to security, will close the gap. NIS2 is the catalyst for a change that was overdue anyway.
The companies that act now will be ready. The companies that wait will scramble. Choose wisely.
About the Author
Nick Falshaw is a security consultant with 15+ years' experience helping German Mittelstand companies with security and compliance. He’s the founder of FwChange, building security tools designed for mid-market constraints. Connect on LinkedIn.