What 'proportionate' really means in Art. 21(1) NIS 2
The single most useful word in NIS 2 is 'proportionate'. It is the line between an implementation a 60-person Mittelstand can sustain and an audit-theatre cost that no Geschäftsführung will approve.
Why proportionality is the load-bearing word
Most teams approach Art. 21 NIS 2 as a checklist of ten cybersecurity measures. The directive does not say that. It says entities must take measures that are appropriate and proportionate, and Art. 21(1) lists six factors that decide what proportionate means in your specific case.
This matters in two directions. Upwards: it lets a 60-person Stadtwerk operate without the GRC stack of a 5000-person bank. Downwards: it forces you to write down why your level is enough. Proportionality is not a get-out clause, it is a documented choice.
First-time readers often miss this because the word sounds like a hedge. It is the opposite. Proportionality is the only legal anchor for tailoring NIS 2 to a Mittelstand budget, and it is the only defence against an auditor who suggests you should have done more.
Art. 21(1) NIS 2 (operative)
Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services.
The same paragraph lists six factors that decide proportionality: the degree of the entity's exposure to risks, the entity's size, the likelihood of occurrence of incidents and their severity, including their societal and economic impact, the state of the art, and the cost of implementation. All six are decision inputs, none of them is optional.
Recital 79 NIS 2
Cybersecurity risk-management measures should be commensurate with the degree of exposure to risks of the entity concerned and the societal and economic impact that an incident would have.
Recital 79 is the interpretive frame. It tells courts and auditors that a small entity with low cross-border footprint is not expected to match a large pan-European operator.
CIR 2024/2690, Art. 1
This Regulation lays down the technical and the methodological requirements of the measures referred to in Article 21(2) of Directive (EU) 2022/2555 with regard to the entities listed in the Annex.
The implementing regulation only quantifies measures for a narrow set of digital infrastructure providers (DNS, TLD, cloud, data centre, CDN, MSP, MSSP, marketplace, search engine, social-platform, trust services). Everyone else applies proportionality without those quantitative thresholds.
Degree of exposure to risks
What is the actual threat surface? A drinking-water utility with only a SCADA segment is in a different position from a hospital with patient records on the open internet.
Size of the entity
Headcount, turnover, market reach. The directive expects different controls from 60 employees and 6000 employees. Both can be compliant.
Likelihood and severity of incidents
Historic incident rate, threat-actor interest in the sector, severity if it happens. A pharma manufacturer faces different odds than a logistics broker.
Societal and economic impact
Who is harmed when you fail. A power grid operator has higher impact density per failure than a B2B SaaS company. This factor pulls toward heavier measures even in small entities.
State of the art
What is the technical baseline a reasonable peer would deploy. MFA in 2026 is state of the art for admin access; SHA-1 password storage is not.
Cost of implementation
Documented in Art. 21(1) explicitly. You may not skip a measure because it is expensive, but you may choose a less expensive route if it achieves the security objective.
Stadtwerk, 80 employees, energy distribution
Annex I sector, falls in scope regardless of size if it provides essential services. Proportionate stack: MFA on admin and OT-access, segmented OT network, written supplier contract clauses, annual incident drill, documented risk register. No SOC, no SIEM-as-a-service. Defensible because exposure is sectoral but headcount is small.
Hospital, 200 employees, regional clinic
Annex I health sector. Proportionate stack adds: patient-data encryption at rest, supplier audit for clinical IT vendors, 24/7 on-call for incident response, formal incident classification policy. Heavier than the Stadtwerk because societal impact is higher per failure and the threat surface is broader.
A written proportionality analysis
Walk through the six factors, state your position on each, justify why the resulting measure depth is sufficient. One page is enough for a 60-person entity.
A cost-and-benefit record per skipped step
If a peer entity does X and you do not, document why. Stand der Technik plus cost is a legitimate reason. Silence is not.
An annual review
Proportionality decisions age out. Threat landscape moves, your size changes, peer practice shifts. Re-state your position at least yearly.
- Directive (EU) 2022/2555 (NIS 2), Art. 21(1) and Recital 79, www.eur-lex.europa.eu
- Commission Implementing Regulation (EU) 2024/2690 (CIR), Art. 1, www.eur-lex.europa.eu
- Act on the Federal Office for Information Security (BSIG), §30 (national transposition of Art. 21), www.gesetze-im-internet.de
- ENISA Technical Implementation Guidance v1.0 (June 2025) on proportionality assessment
This page provides structured guidance based on publicly available sources (NIS 2 Directive, CIR 2024/2690, BSIG, ENISA TIG). It does not constitute legal advice within the meaning of §2 RDG. For specific cases consult an admitted lawyer. As at 2026-06-04.