• 06/04/2025
  • Technical contribution

Regulation & standards

How SMEs should strategically approach IT security now.

Written by it-sa Team


NIS-2, ISO 27001, BSI IT baseline protection, DORA - the list of regulations and standards is growing. But what does this mean in concrete terms for small and medium-sized companies? And how can IT security be implemented sensibly and efficiently? Jannik Schumann from the Bundesverband IT-Mittelstand provides practical answers.


IT security standards in comparison: ISO 27001, BSI baseline protection, NIS-2 & Co. explained in an understandable way

Whether ISO/IEC 27001, BSI IT-Grundschutz, DIN SPEC 27076, DORA or NIS-2 - each framework pursues its own objectives:

  • ISO 27001: internationally recognised, flexible, ideal for customer communication and tenders
  • BSI IT-Grundschutz (IT baseline protection): more in-depth requirements, especially for public authorities and KRITIS-relevant companies
  • DIN SPEC 27076: ideal introduction for SMEs, practical and resource-saving
  • DORA: mandatory for financial service providers, with a high level of maturity
  • NIS-2: EU-wide minimum requirement for cyber security - also relevant for many SMEs

IT certifications for SMEs: Why ISO 27001 & BSI baseline protection are worthwhile

ISO 27001 or IT-Grundschutz certification is not an end in itself. It offers:

  • An advantage in terms of trust with customers and partners
  • Competitive advantages in tenders
  • Structured processes for sustainable security
  • Better insurability and liability protection

But getting there is challenging: it often takes 6-12 months from the initial analysis and documentation to the audit - depending on the level of maturity and size of the company.

IT security maturity level in SMEs: analysis, stages and optimisation tips

According to Schumann, many SMEs are at maturity level 1 or 2 - processes are ad hoc, documentation is missing, responsibilities are unclear. The aim should be at least level 3: processes in place, clear responsibilities, regular reviews. An external view helps: gap analyses and action plans by specialised consultants create clarity and prioritisation.


Common IT security mistakes in SMEs - and how to avoid them

  • Unclear responsibilities
    Clear allocation of roles and management commitment are essential.
  • IT ≠ Information security
    Information security affects all departments - not just IT.
  • Documentation without substance
    What is documented must also be practised - otherwise it will stand out in the audit.
  • Acting too late
    Starting early saves costs, nerves and reduces risks.

IT security 2025: Why NIS-2, cyberattacks and insurance require action now

  • NIS-2 is becoming mandatory - also for many SMEs
  • Cyberattacks are on the rise - sometimes with consequences that threaten the company's existence
  • Insurance companies and customers demand proof - e.g. through certificates


Conclusion: Implement IT security strategically - with a plan and vision

Regulation is not an end in itself. It is a tool to strengthen resilience, trust and competitiveness. Those who start early will benefit in many ways - and not only protect data, but also their own business model.

More info on the topic? Watch the recording now!

And make a note of the date now:

IT Security Talk: Regulation

26.06.2025 | live, digital and free of charge

  • noris network AG
  • AI regulation - a brake on innovation or a signpost for secure applications?
  • IT service providers and increasing customer requirements according to NIS2, DORA, CRA, etc.
Register for free and be part of it!
Editorial note:
This article is based on the corresponding presentation during the IT Security Talk on the topic of regulation on 27 May 2025 and was created with the support of AI.