← All articles
CompliancePricing

NIS2 Pentest Cost: Testing on an SME Budget

NIS2 pulls ~30,000 German companies into scope with no grace period. Here is how the Mittelstand proves its measures work on an SME budget.

Jamin Mahmood-Wiebe · Published · 10 min read

Engraving-style illustration for NIS2 Pentest Cost: Testing on an SME Budget

NIS2 now catches companies from 50 employees or €10M revenue, squarely the German Mittelstand, and § 30 BSIG requires them to manage vulnerabilities (Nr. 5) and prove their security measures work (Nr. 6). The catch: a quality manual pentest from a German provider runs €5,000–15,000, and many mid-sized firms don't have that per application, per year. The budget answer has two parts: public funding covers a flat 50% of a pentest in some states, and autonomous platforms decouple the price from person-days. A focused DeepMantis test starts at €890, with a reproducible proof of concept for every finding: the exact evidence Nr. 6 asks for.

Why does NIS2 suddenly apply to mid-sized companies?

Because the size thresholds are lower than most operators expect. § 28 BSIG defines an "important entity" (wichtige Einrichtung) as a company that meets the medium-enterprise threshold, and the statute is explicit about where that line sits:

"mindestens 50 Mitarbeiter beschäftigen oder einen Jahresumsatz und eine Jahresbilanzsumme von jeweils über 10 Millionen Euro aufweisen"

— § 28 Abs. 2 Nr. 3 BSIG ("employ at least 50 people, or have both annual turnover and an annual balance sheet total above €10 million")

Fifty employees. That is not an enterprise threshold; it is a typical Mittelstand SaaS vendor, a regional logistics operator, a mid-sized manufacturer with a connected supply chain. Germany's government puts roughly 30,000 entities in scope, split into about 8,250 "essential" (besonders wichtig) and 21,600 "important" (wichtig) — the figures trace to the NIS2UmsuCG Regierungsentwurf cost assessment (Erfüllungsaufwand), tallied by openKRITIS. The larger of those two groups, the ~21,600 "important" entities, is the newly caught Mittelstand.

And there is no runway. The NIS2UmsuCG has been in force since 6 December 2025 with no transition period (Bundesregierung); the BSI registration window ran three months from entry into force and closed on 6 March 2026 (DENIC, on the NIS2 registration deadline). A company that crosses the threshold is already obligated. The question is no longer whether to test, but how to afford it.

What does NIS2 actually require you to prove?

Not a pentest by name, but a working set of measures. This post does not re-argue that point; the companion post on whether NIS2 requires a pentest walks through § 30 in full. The budget-relevant part is which two measures cost money to demonstrate:

  • § 30 Abs. 2 Nr. 5 names security measures "… einschließlich Management und Offenlegung von Schwachstellen": you have to actively find and manage vulnerabilities, which presupposes looking for them.
  • § 30 Abs. 2 Nr. 6 requires "Konzepte und Verfahren zur Bewertung der Wirksamkeit von Risikomanagementmaßnahmen im Bereich der Sicherheit in der Informationstechnik": you have to prove your measures work, not just declare them (§ 30 BSIG).

Nr. 6 is the expensive one. A questionnaire or a policy binder does not assess effectiveness; a test against a real attack does. That is why the practical evidence for Nr. 6 is a proof of concept per finding, and why "just run a free scanner" doesn't discharge the obligation. A scanner lists potential vulnerabilities; it does not prove exploitability, and unproven exploitability is not effectiveness evidence.

The threat scale behind the regulation is not abstract. Bitkom's Wirtschaftsschutz 2025 study, presented on 18 September 2025 with the Bundesamt für Verfassungsschutz across more than 1,000 companies, puts the annual damage from cyberattacks to the German economy at:

"202,4 Milliarden Euro nach 178,6 Milliarden Euro im Vorjahr"

Bitkom, Wirtschaftsschutz 2025 (study report, PDF) (€202.4 billion in cyberattack damage, up from €178.6 billion the prior year — of a €289.2 billion total across data theft, espionage and sabotage)

That is the cost of inaction stated soberly: not a reason to panic, a reason the legislator set the threshold where it did.

Why does a manual pentest cost more than most SMEs budget?

Because manual testing is billed per person-day, and person-days are expensive. Industry pricing from German providers puts a first quality pentest for an SME at roughly €5,000–15,000, with a broad market range of €2,000–25,000 depending on scope, and day rates reaching about €1,800 for certified testers (industry pricing per provider data: microCAT and DeepStrike).

The trap sits at the bottom of that range. Offers under €2,000 are almost always automated scans dressed up as pentests: exactly the "scanner output, no proof" artifact that fails the Nr. 6 test. So the Mittelstand faces a squeeze: the cheap option isn't real evidence, and the real evidence isn't cheap. Multiply by frequency (NIS2 wants "policies and procedures", a recurring process, not a one-off) and a firm running four €10,000 tests a year on one application is at €40,000 before it touches a second product.

That math is what makes NIS2 feel unaffordable to a 60-person company. It isn't the regulation that's expensive; it's the person-day billing model applied to a recurring obligation.

Can public funding pay for a NIS2 pentest?

In parts of Germany, yes, and it is the single most underused lever available to the Mittelstand. North Rhine-Westphalia runs the MID – Digitale Sicherheit programme, which funds SME security work through NRW.BANK and explicitly names penetration testing as an eligible cost:

"Gefördert werden … Penetrationstests, Behebung von Schwachstellen."

MID – Digitale Sicherheit FAQ ("Funded activities include penetration tests and remediation of vulnerabilities")

The terms are concrete: a flat 50% of eligible costs, capped at a €15,000 grant, with a €4,000 minimum grant threshold, running via NRW.BANK under the current Richtlinie in force since 1 January 2026 (MID – Digitale Sicherheit Richtlinie, recht.nrw.de, PDF): "Der Fördersatz beträgt einheitlich 50 Prozent der förderfähigen Ausgaben bis zu einer maximalen Zuwendung in Höhe von 15 000 Euro." For a company inside NRW, that halves the bill on an €890–7,500 autonomous test or a €5,000–15,000 manual engagement, up to the €15,000 cap. Even where your state has no equivalent programme yet, the federal Förderdatenbank is the place to check before you assume the full cost is on you; funding lines for SME cybersecurity are actively being added, and eligibility is defined per programme.

(Note: earlier iterations of the MID programme funded up to 80% — that rate was superseded. The binding Richtlinie in force since 1 January 2026 sets a flat 50%. Stale 80% figures still circulate on marketing pages; the Richtlinie text above is authoritative.)

The order of operations matters: check funding eligibility before you book, because most programmes require approval before the work starts. Retroactive funding is the exception, not the rule.

How do autonomous pentests change the budget math?

By pricing per engagement instead of per person-day. That is the structural shift, the same one covered in depth in the pentest cost breakdown, and for a NIS2-caught SME it is what turns a recurring obligation from unaffordable into routine.

DeepMantis publishes three on-demand tiers: €890 for a single-surface application (depth of a one-week manual test), €3,800 for a connected product with sensitive data, and €7,500 for a distributed system with regulated data. Each finding ships with a reproducible proof of concept: the Nr. 6 effectiveness evidence, produced by default rather than as a paid extra. Because no person-days accrue per run, the recurring case works too: monthly pentests start at €99 per month, billed annually. That is the "policies and procedures" cadence Nr. 5 and Nr. 6 imply, at a price a 60-person company can actually carry.

50%
Flat share of an SME penetration test covered by NRW's MID – Digitale Sicherheit programme (grant capped at €15,000) — stackable against a €890 autonomous DeepMantis test.Sources: MID – Digitale Sicherheit Richtlinie, recht.nrw.de (in force 1 Jan 2026); DeepMantis prices per deepmantis.io/en#pricing.

The economics close cleanly. Under § 65 BSIG, an important entity faces fines of "bis zu sieben Millionen Euro" and an essential entity "bis zu zehn Millionen Euro" (§ 65 BSIG), and § 38 BSIG makes management personally accountable for implementing the measures. Set the €7,500 top-tier test against a €10M ceiling and it sits three orders of magnitude below. Stated matter-of-factly: the evidence costs less than the rounding error on the penalty. The point is not fear. It is that on an SME budget, proving your measures work is now a solved problem. The DeepMantis methodology and scope limits are documented so you can see exactly what the test does and does not cover before you buy.

Frequently asked questions

Does a 50-employee company really fall under NIS2?

If it also operates in one of the 18 regulated sectors, yes. § 28 BSIG sets the "important entity" threshold at 50 employees or €10M in both turnover and balance sheet. Sector membership is the second gate; check yours against the BSI's published list. Being small is no longer an exemption; the threshold was deliberately lowered to pull the Mittelstand in.

Is there any funding to cover NIS2 pentest costs?

In some states, yes. NRW's MID – Digitale Sicherheit programme covers a flat 50% of a pentest (grant capped at €15,000, €4,000 minimum grant), with the FAQ listing "Penetrationstests, Behebung von Schwachstellen" among eligible activities. Check the federal Förderdatenbank for your state's equivalent, and apply before booking; most programmes require approval before the work begins.

Isn't a free vulnerability scan enough on a tight budget?

No. A scanner satisfies part of the detection under Nr. 5 but not the effectiveness assessment under Nr. 6, because it does not prove exploitability. Offers under €2,000 are usually scans, not pentests. The defensible evidence is a proof of concept per finding, which an €890 autonomous test delivers and a free scan does not.

How much can a Mittelstand company realistically spend to comply?

Less than the person-day model suggests. A single autonomous test runs €890–7,500 depending on scope; recurring monthly testing starts at €99/month. With state funding covering a flat 50% where available, the out-of-pocket cost for evidence-grade testing can land in the low four figures, well below the €5,000–15,000 that a manual engagement alone would cost.

Further reading


As of July 2026. The cited statutory provisions are from §§ 28, 30, 65 BSIG (gesetze-im-internet.de); pentest price ranges are industry pricing per the linked provider data. This page is not legal advice; verify your company's classification and funding eligibility with qualified counsel. DeepMantis methodology and scope limits are documented on the security page.

Want findings like these for your own stack?

Start your pentest

More articles

Request a Pentest

Fill out the form and we'll get back to you within 24 hours.

Tell us about your project

Protected by Cloudflare Turnstile.

HQ
Hamburg, Germany
Prefer to talk first?
Book a 15-min call