NIS-2, ISO 27001, BSI IT baseline protection, DORA - the list of regulations and standards is growing. But what does this mean in concrete terms for small and medium-sized companies? And how can IT security be implemented sensibly and efficiently? Jannik Schumann from the Bundesverband IT-Mittelstand provides practical answers.
- 06/04/2025
- Technical contribution
- Management, Awareness and Compliance
Regulation & standards
How SMEs should strategically approach IT security now.
Written by it-sa Team

IT security standards in comparison: ISO 27001, BSI baseline protection, NIS-2 & Co. explained in an understandable way
Whether ISO/IEC 27001, BSI IT-Grundschutz, DIN SPEC 27076, DORA or NIS-2 - each framework pursues its own objectives:
- ISO 27001: internationally recognised, flexible, ideal for customer communication and tenders
- BSI IT Baseline Protection: more in-depth requirements, especially for authorities and KRITIS-relevant companies
- DIN SPEC 27076: ideal introduction for SMEs, practical and resource-saving
- DORA: mandatory for financial service providers, with a high level of maturity
- NIS-2: EU-wide minimum requirement for cyber security - also relevant for many SMEs
IT certifications for SMEs: Why ISO 27001 & BSI baseline protection are worthwhile
ISO 27001 or IT-Grundschutz certification is not an end in itself. It offers:
- An advantage in terms of trust with customers and partners
- Competitive advantages in tenders
- Structured processes for sustainable security
- Better insurability and liability protection
But getting there is challenging: it often takes 6-12 months from the initial analysis and documentation to the audit - depending on the level of maturity and size of the company.
IT security maturity level in SMEs: analysis, stages and optimisation tips
According to Schumann, many SMEs are at maturity level 1 or 2 - processes are ad hoc, documentation is missing, responsibilities are unclear. The aim should be at least level 3: processes in place, clear responsibilities, regular reviews. An external view helps: gap analyses and action plans by specialised consultants create clarity and prioritisation.
Common IT security mistakes in SMEs - and how to avoid them
- Unclear responsibilities: Clear allocation of roles and management commitment are essential.
- IT ≠ Information security: Information security affects all departments - not just IT.
- Documentation without substance: What is documented must also be practised - otherwise it will stand out in the audit.
- Acting too late: Starting early saves costs and nerves and reduces risks.
IT security 2025: Why NIS-2, cyberattacks and insurance require action now
- NIS-2 is becoming mandatory - also for many SMEs
- Cyberattacks are on the rise - sometimes with consequences that threaten the company's existence
- Insurance companies and customers demand proof - e.g. through certificates
Conclusion: Implement IT security strategically - with a plan and vision
Regulation is not an end in itself. It is a tool to strengthen resilience, trust and competitiveness. Those who start early will benefit in many ways - and not only protect data, but also their own business model.

And save a note now:
IT Security Talk: Regulation
26.06.2025 | live, digital and free of charge
- noris network AG
- AI regulation - a brake on innovation or a signpost for secure applications?
- IT service providers and increasing customer requirements according to NIS2, DORA, CRA, etc.
This article is based on the corresponding presentation during the IT Security Talk on the topic of regulation on 27 May 2025 and was created with the support of AI.