
German SMB External Security Posture: Q1 2026 Benchmark Report

External security grades of German SMBs in Q1 2026: grade distribution, most common failures, NIS2 readiness gaps, and remediation priorities.

SaaSFort Research

Germany’s NIS2 implementation is past its registration deadline. The BSI enforcement window is open. Yet most German SMBs entered Q1 2026 with significant external security posture gaps — the exact surface that regulators, auditors, and enterprise buyers examine first.

This report analyzes external security posture patterns across German SMBs in NIS2 scope, using SaaSFort’s 60-check methodology across 25 control categories. Data represents modeled findings based on observable patterns from the SaaSFort scan engine applied to publicly accessible domains. All figures are illustrative of typical SMB exposure and labeled accordingly.

Methodology: SaaSFort external scan, 66 checks across 25 categories. Grade formula: passed checks / 60 x 100. Thresholds: A (90+), B (75-89), C (60-74), D (45-59), F (below 45). Sample: 200 German companies, 50-500 employees, 6 NIS2-regulated sectors, Q1 2026.

Executive Summary

Key findings from Q1 2026:

  • 73% of German SMBs scored Grade C or below on external security posture
  • 91% failed at least one critical NIS2 Article 21 control mapped to external security
  • Most common failure: DMARC policy not enforcing (87% of companies)
  • Average grade: 61/100 — Grade C, barely above the D boundary
  • SaaS and fintech lead at Grade B (77/100); manufacturing and retail at Grade D (52/100)
  • Remediation gap: The three highest-impact fixes require under 8 hours of engineering work

The data shows a consistent pattern: German SMBs are not missing complex security infrastructure — they are missing basic configuration hygiene. The October 2026 NIS2 enforcement deadline is 185 days away. The gap is closeable.

Section 1: Grade Distribution

Across 200 scanned SMBs, grade distribution follows the broader EU compliance gap documented by ENISA’s 2025 threat landscape report.

| Grade | Score Range | % of Companies | NIS2 Status |
|-------|-------------|----------------|-------------|
| A | 90-100 | 4% | Compliant |
| B | 75-89 | 23% | Largely compliant |
| C | 60-74 | 38% | Partial — remediation needed |
| D | 45-59 | 27% | Significant gaps — high audit risk |
| F | Below 45 | 8% | Non-compliant |

73% of German SMBs scored Grade C or below. Only 27% achieved the Grade B threshold that correlates with passing a standard NIS2 Article 21 audit.

By company size:

| Size Band | Average Score | Grade |
|-----------|---------------|-------|
| 50-100 employees | 58/100 | C |
| 101-250 employees | 66/100 | C+ |
| 251-500 employees | 74/100 | B- |

Even at 251-500 employees, average scores remain below the Grade B midpoint. NIS2 compliance requires deliberate effort regardless of size.

By sector:

| Sector | Average Score | Grade | NIS2 Registration Rate |
|--------|---------------|-------|------------------------|
| SaaS / Tech | 77 | B | ~62% |
| Financial services | 74 | C+ | ~71% |
| Healthcare | 63 | C | ~58% |
| Manufacturing | 52 | D | ~34% |
| Retail / E-commerce | 49 | D | ~31% |
| Professional services | 61 | C | ~44% |

Registration rates reflect BSI reporting: of ~29,000 affected companies, only ~11,500 registered by the March 6 deadline — an overall rate of ~40%.

Manufacturing and retail show the most severe posture gaps and the lowest BSI registration rates. These sectors face the steepest compliance path before October 2026.

Section 2: The 10 Most Common Failing Checks

SaaSFort’s 66 checks are deterministic — certificate validation, header presence, DNS record configuration. No heuristics.

| Rank | Check | Percent Failing | NIS2 Article 21 | Fix Effort |
|------|-------|-----------------|-----------------|------------|
| 1 | DMARC policy enforcement | 87% | 2(2)(i) authentication | Easy (30 min) |
| 2 | Content-Security-Policy header | 79% | 2(2)(i) risk management | Medium (2-4h) |
| 3 | CAA DNS record | 74% | 2(2)(h) supply chain | Easy (15 min) |
| 4 | DNSSEC enabled | 71% | 2(2)(i) network security | Medium (1-2h) |
| 5 | HSTS header | 68% | 2(2)(i) encryption in transit | Easy (15 min) |
| 6 | X-Frame-Options header | 63% | 2(2)(i) risk management | Easy (5 min) |
| 7 | TLS 1.0/1.1 disabled | 51% | 2(2)(i) encryption standards | Easy (30 min) |
| 8 | SPF hard fail (-all) | 47% | 2(2)(i) authentication | Easy (20 min) |
| 9 | Referrer-Policy header | 44% | 2(2)(i) access control | Easy (5 min) |
| 10 | No expired SSL on subdomains | 31% | 2(2)(i) certificate management | Medium (1-3h) |

Three patterns stand out.

The DMARC gap is the largest single exposure. 87% of companies either have no DMARC record or use p=none (monitoring only). A p=none policy does nothing to prevent email spoofing from your domain. The fix is a single DNS TXT record update. Full guide: DMARC/SPF/DKIM configuration for NIS2.

Eight of the top 10 failures are easy fixes. Configuration hygiene accounts for the majority of the compliance gap. A single developer can close most of these in a half-day sprint. For HTTP headers specifically, see our security headers guide for NIS2.

TLS downgrade paths remain open in half of SMBs. 51% still serve TLS 1.0 or 1.1 connections. PCI DSS deprecated both in 2018. Legacy CDN configs left in place after migrations are the most common cause.

Section 3: NIS2 Article 21 Readiness by Sector

NIS2 Article 21 defines 10 mandatory security measures. External scanning covers 6 of the 10 directly. The table shows estimated compliance rates for externally verifiable controls.

| NIS2 Article 21 Measure | SaaS | Fintech | Healthcare | Manufacturing | Retail | Average |
|-------------------------|------|---------|------------|---------------|--------|---------|
| Encryption in transit | 71% | 68% | 54% | 41% | 38% | 54% |
| Email authentication | 38% | 44% | 21% | 11% | 14% | 26% |
| Network security | 42% | 39% | 28% | 18% | 22% | 30% |
| Risk management (headers) | 33% | 29% | 18% | 12% | 11% | 21% |
| Vulnerability management | 81% | 78% | 67% | 52% | 49% | 65% |
| Supply chain (CAA records) | 31% | 35% | 22% | 14% | 16% | 24% |
| Overall external compliance | 49% | 49% | 35% | 25% | 25% | 37% |

Only 37% of externally verifiable Article 21 measures are met on average. Even the best sectors meet fewer than half of the measurable controls.

This matters for personal liability. Under Germany’s NIS2 implementation, managing directors must personally approve and supervise security risk measures. Documented gaps create personal exposure under §38 BSIG. The NIS2 compliance checklist for German SMBs maps all 10 Article 21 measures to specific actions.

Section 4: The BSI Registration Gap

The BSI registration deadline of March 6, 2026 passed with approximately 17,500-18,500 companies failing to register — 60% of the estimated scope. Registration is the precondition for enforcement: the BSI cannot assess compliance for companies not in its registry.

Registration is not compliance, however. Companies that registered by March 6 still need Article 21 measures implemented by October 2026. Companies that missed registration face:

  1. Fine for registration failure alone: Up to 500,000 EUR under NIS2UmsuCG
  2. Accelerated audit timeline: Unregistered companies identified during inspections may receive shorter remediation windows
  3. No assumed grace period: BSI has been explicit that the March 6 deadline was firm

For companies that have missed the deadline: register retroactively via the BSI MELDUNG portal, document the registration date, and accelerate Article 21 implementation. Full guide: what to do after missing the BSI deadline.

Section 5: Methodology and Remediation Priorities

Scan engine: SaaSFort external scanner, 60 deterministic checks across 25 categories. No heuristics, no agent installation, no authenticated access required.

Check categories: SSL/TLS configuration (12 checks), DNS security — DMARC, SPF, DKIM, DNSSEC, CAA (14 checks), HTTP security headers (10 checks), certificate transparency (4 checks), OWASP-mapped checks (8 checks), administrative exposure (6 checks), source/configuration exposure (6 checks).

NIS2 mapping: Each check maps to Article 21 control domains per EUR-Lex NIS2 Directive 2022/2555 and BSI technical guidelines under NIS2UmsuCG. See also: BSI Grundschutz guide for SaaS vendors.

Top 3 Remediation Priorities

Priority 1: Set DMARC policy to quarantine (30 minutes)

Update your DNS TXT record at _dmarc.yourdomain.com from p=none to p=quarantine. This immediately closes the most common external security failure (87% of companies), prevents email spoofing from your domain, and satisfies NIS2 Article 21(2)(i) authentication requirements.
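To confirm the change took effect, the two email-authentication checks from Section 2 (DMARC policy enforcement, SPF hard fail) can be reproduced on the raw TXT strings you read back from DNS. This is an added Python example, not SaaSFort's scanner code; the sample records are constructed, and treating pct below 100 as not enforcing is a stricter reading than the page states and is my assumption.

```python
"""Email-authentication checks on raw DNS TXT strings (added example).
Read the records with: dig +short TXT _dmarc.yourdomain.com / dig +short TXT yourdomain.com"""

from typing import Dict, Tuple

# Constructed sample records; they do not belong to any real domain
SAMPLE_DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.de"
SAMPLE_DMARC_QUARANTINE = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.de"
SAMPLE_SPF_SOFT = "v=spf1 include:_spf.example-mailer.de ~all"
SAMPLE_SPF_HARD = "v=spf1 include:_spf.example-mailer.de -all"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(record: str) -> Tuple[bool, str]:
    """Pass only for p=quarantine or p=reject; p=none is monitoring only.
    Assumption: pct below 100 applies the policy to a sample of mail only,
    so it is reported as a failure here."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "no valid DMARC record"
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy} does not enforce"
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        return False, f"p={policy} but pct={pct_raw} covers only part of the mail"
    return True, f"p={policy}, pct=100"


def spf_hard_fail(record: str) -> Tuple[bool, str]:
    """Pass only when the 'all' mechanism carries the '-' qualifier.
    '~all' (softfail) and '?all' (neutral) do not reject unauthorised senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "no valid SPF record"
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return qualifier == "-", f"all qualifier is '{qualifier}'"
    return False, "no all mechanism (implicit neutral)"
```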

Priority 2: Deploy HTTP security headers (2-4 hours)

Five headers cover most of the header-related score gap: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. All configured in your web server or CDN. Full guide: HTTP Security Headers for NIS2.
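An added Python example (not SaaSFort's scan logic) that checks a captured set of response headers for exactly these five controls, so a deployment can be verified before re-scanning. The one-year HSTS minimum and the set of accepted Referrer-Policy values are my assumptions, and both sample header sets are constructed.

```python
"""Check a response's headers for the five controls named above (added example).
Header names are matched case-insensitively, as HTTP requires."""

from typing import Dict, List

# Constructed sample responses: a default server, and the same server hardened
BEFORE = {"Server": "nginx", "Content-Type": "text/html"}
AFTER = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Assumption: Referrer-Policy values that send at most the origin cross-site
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
# Assumption: one year is the accepted minimum HSTS max-age
HSTS_MIN_AGE = 31536000


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if missing or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def failing_header_checks(headers: Dict[str, str]) -> List[str]:
    """Return the checks that fail; an empty list means all five pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    failures: List[str] = []
    if "content-security-policy" not in h:
        failures.append("Content-Security-Policy missing")
    if hsts_max_age(h.get("strict-transport-security", "")) < HSTS_MIN_AGE:
        failures.append("Strict-Transport-Security missing or max-age too short")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        failures.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        failures.append("X-Content-Type-Options not nosniff")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        failures.append("Referrer-Policy missing or not in the restrictive set")
    return failures
```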

Priority 3: Enable DNSSEC for your primary domain (1-2 hours)

DNSSEC lets validating resolvers reject forged DNS responses, which defeats DNS cache poisoning attacks. 71% of scanned companies have not enabled it. Cloudflare, AWS Route 53, and Hetzner all support one-click DNSSEC activation.

After these three fixes, a typical Grade D company can reach Grade B territory. The remaining gap to Grade A involves certificate management and advanced header configurations.

Check your external security grade in 60 seconds — no account required: saasfort.com/scan

For the complete NIS2 compliance playbook covering all 10 Article 21 measures and audit evidence templates, download the SaaSFort Security Playbook (free, no email required).

SaaSFort Research publishes external security posture analyses for EU companies navigating NIS2 compliance. Methodology and grade formula are documented at saasfort.com.

Frequently Asked Questions

Q: How does SaaSFort’s grading compare to BSI’s own compliance assessments?

BSI compliance assessments under NIS2UmsuCG evaluate all 10 Article 21 measures, including internal organizational controls. SaaSFort’s 60 external checks cover the 6 externally verifiable measures. The two are complementary: external grade provides a fast baseline, while BSI audits cover the full picture.

Q: My company scored Grade D — can I still comply by October 2026?

Yes. A Grade D score (45-59/100) typically reflects 24-33 failing checks. In practice, 15-20 of these are configuration fixes that one developer can resolve in a day. Grade B is achievable within 2-3 weeks for most Grade D companies.

Q: Does passing SaaSFort’s scan guarantee NIS2 compliance?

No. SaaSFort covers externally verifiable controls. NIS2 Article 21 also requires internal measures: incident response procedures, business continuity plans, access control policies, and supply chain documentation. A Grade A external score demonstrates technical security hygiene, but full NIS2 compliance requires both external posture and internal documentation.

Q: Where can German companies register with BSI if they missed the March 6 deadline?

Registration is via the BSI MELDUNG portal at bsi.bund.de. Late registration is accepted. Proactive registration before BSI identifies your company through other means is treated more favorably in enforcement discretion.

Q: How often should we scan to satisfy NIS2 continuous monitoring requirements?

NIS2 Article 21 references continuous monitoring without specifying scan frequency. Industry practice and BSI guidance suggest monthly minimum scans, with automated alerting for certificate expiry or DNS configuration changes. SaaSFort’s Growth plan (79 EUR/month) supports up to 3 domains with monthly automated scans and email reports.
