NIS2 Consultant or DIY? A Cost Comparison

An NIS2 consulting project costs SMEs EUR 50,000–150,000. Which parts you can handle yourself, where a consultant pays off, and how the hybrid approach works — with concrete numbers.
An NIS2 consulting project costs SMEs between 50,000 and 150,000 EUR, with daily rates of 1,000 to 2,000 EUR. Many of the required measures can be implemented independently using a structured guide. NIS2Compass walks you through the entire implementation in 8 chapters and 124 steps, for 29 EUR per month. This article shows where going it alone is enough and where a consultant is truly worth the investment.
What does an NIS2 consulting project cost for SMEs?
NIS2 consulting quickly adds up to 50,000 to 150,000 EUR for SMEs with 50 to 250 employees. In the draft bill for the NIS2UmsuCG, the federal legislator estimates an average of 86,900 EUR per affected entity; ongoing follow-up costs are not included in that figure.
How do consulting costs break down?
The biggest cost driver is the daily rate of external consultants. According to the BDU industry study, the average in IT consulting is 1,300 EUR per day. Specialized NIS2 and information security consultants typically charge between 1,000 and 2,000 EUR.
A typical NIS2 consulting project for a mid-sized company includes the following items; implementation support over the life of the project comes on top and is usually the largest single block (see the consulting proposal in the scenario below):
- Gap analysis and baseline assessment: 5,000 to 15,000 EUR — documenting the current state and mapping it against NIS2UmsuCG requirements
- Documentation and policies: 3,000 to 8,000 EUR — drafting security policies, incident reporting procedures, and compliance documentation
- Technical measures: 5,000 to 20,000 EUR — implementing access controls, network segmentation, encryption
- Training and awareness: 2,000 to 5,000 EUR — mandatory training for senior management and employees
Project duration typically ranges from 12 to 18 months. Over that period, 40 to 80 consultant days typically accrue; at the daily rates above, that alone comes to 40,000 to 160,000 EUR, which is why the headline range exceeds the sum of the items listed.
What ongoing costs arise after the initial implementation?
The one-time project costs are just the beginning. Companies without an internal information security officer pay between 1,400 and 2,500 EUR per month for an external one. On top of that, annual audits, such as ISO 27001 surveillance audits where a certification is maintained, run between 3,000 and 10,000 EUR.
According to OpenKRITIS, the new obligations affect around 29,000 companies in Germany. Many of these companies face the question of whether the investment in external consulting pays off, or whether a structured guide delivers the same results. The Pre-Check from NIS2Compass shows within minutes which requirements are already met and where concrete action is needed.
NIS2Compass has summarized in a separate article what the NIS2 transposition law in Germany looks like in detail and which obligations have been in effect since December 2025.
What does an NIS2 consultant actually deliver?
An NIS2 consultant delivers three things: expertise on legal requirements, a prioritized implementation roadmap, and ready-made document templates. The critical question is: Which of these three services can only be provided by a consultant, and which can also be conveyed in a structured format?
What does a typical NIS2 engagement include?
The service portfolio of most NIS2 consultants follows a standardized pattern. Core services include:
- Gap analysis: Mapping the current state against NIS2UmsuCG requirements
- Action planning: Prioritized implementation roadmap with timeline and responsibilities
- Documentation: Drafting policies, process descriptions, and compliance records
- Training: Awareness sessions for senior management and relevant staff
- BSI registration: Support with registering as an affected entity
None of these require specialized knowledge that exists exclusively in consulting firms. Consultants deliver knowledge, structure, and templates — not magic. The same information is publicly available in legal texts, BSI publications, and standards.
Why do SMEs still pay for consulting?
According to the draft bill for the NIS2UmsuCG, roughly 83 percent of the approximately 30,000 affected entities have significant catching up to do on cybersecurity. Most of these companies are not paying for exclusive specialized knowledge. They are paying for orientation in a complex regulatory framework.
This also explains why ISMS vendors are increasingly selling NIS2 consulting as a paid add-on. Demand is high because companies are looking for a structured entry point. Those who already operate an ISMS face the question of what their existing system does not cover.
Can this orientation be achieved without a consultant?
The three core services — expertise, structure, templates — can in principle also be provided through a structured NIS2 compliance platform like NIS2Compass. The key difference lies not in the quality of the information, but in how it is delivered. A consultant explains in person; a platform guides you systematically through the process.
For companies with an IT department of three to ten people, the relevant question is therefore not whether the content is available. It is whether the internal team has the capacity and willingness to work through a structured implementation path on their own.
Which parts of NIS2 implementation can SMEs handle themselves?
SMEs can handle the bulk of NIS2 implementation on their own, provided there is a structured guide. Information security policies, risk analyses, technical measures like MFA and backup strategies: none of this requires a consulting team. It requires clear instructions and practical templates.
Which measures can be implemented without external help?
The list of requirements that can be handled independently is longer than many IT managers expect. Information security policies, asset inventories, and risk analyses are core tasks that can be completed efficiently with structured templates. The same applies to access control concepts, backup strategies, and documenting incident reporting procedures.
Awareness training and BSI registration also do not require an external consultant. These tasks call for organizational diligence, not specialized legal knowledge. NIS2Compass's own user data indicates that SMEs with a clear implementation path can independently complete an average of 70 to 80 percent of NIS2 requirements.
What do companies need to make this work?
Three building blocks make independent implementation possible:
- A structured implementation path: The NIS2 Guide from NIS2Compass breaks down the entire implementation into 8 chapters with roughly 124 individual steps, from the initial baseline assessment through to BSI registration.
- Accessible expertise: The Knowledge Hub contains over 40 articles that explain NIS2 requirements in practical terms, without legal jargon.
- Ready-made templates: The Template Library provides over 20 documents, including policies, checklists, and risk analysis templates.
Still, one important point remains: Independent implementation requires that companies actually get started. According to G DATA Cybersecurity in Numbers, 25 percent of affected companies have not even begun implementation. The Pre-Check from NIS2Compass shows within minutes where a company currently stands and which steps come next.
What does independent implementation cost in comparison?
Independent NIS2 implementation with structured guidance costs SMEs between 15,000 and 48,000 EUR in the first year, primarily for technical measures and internal staff time. Compared to a consulting project (50,000 to 150,000 EUR), that saves 50 to 80 percent of total costs.
How do the total costs compare in concrete terms?
A direct comparison makes the scale clear:
- External consulting: 50,000 to 150,000 EUR in the first year, then 24,000 to 48,000 EUR annually for ongoing support and audits
- DIY with NIS2Compass: 15,000 to 48,000 EUR in the first year, mainly for technical measures and staff time, plus 348 EUR per year for NIS2Compass Pro access
- First-year savings: 35,000 to 120,000 EUR, depending on company size and starting position
The difference primarily comes from eliminating consultant fees. The technical measures themselves cost roughly the same in both scenarios.
Where does the budget go when going it alone?
With independent implementation, costs are distributed across three areas. Technical measures like MFA rollout, backup concepts, and network segmentation make up the largest portion. Then there is internal staff time, typically 400 to 800 hours in the first year, spread across the IT team and senior management. The third block is training and awareness programs as required by §30 BSIG.
NIS2Compass as a structured guide costs 29 EUR per month. That is less than half an hour of consultant time, and covers the NIS2 Guide, the Template Library, and the entire Knowledge Hub.
Is the IT budget sufficient for this?
According to the Bitkom Economic Protection Study 2025, an average of only 18 percent of IT budgets goes toward security — at least 20 percent is recommended. NIS2 implementation in-house is often the catalyst for correcting this ratio. The key point: Investing in technical measures strengthens security regardless of whether a consultant or the in-house team drives the implementation.
Real-world scenario — A manufacturing company does the math
A manufacturing company with 120 employees in North Rhine-Westphalia faces NIS2 implementation. Two proposals are on the table: a consulting firm for 85,000 EUR or DIY with a structured guide. The numbers show where the differences lie, and why a hybrid approach is often the most efficient.
What is the starting position?
The company belongs to the "Manufacturing" sector and therefore falls under NIS2 regulation. The IT department has five people; there is no dedicated information security officer. No ISO 27001 certification is in place. Senior management must take responsibility for implementing the measures under §30 BSIG, as required by §38 BSIG.
What does Option A cost — the consulting firm?
The consulting firm's proposal breaks down into five blocks:
- Gap analysis and baseline assessment: 10,000 EUR
- Action planning and risk assessment: 15,000 EUR
- Documentation and policies: 12,000 EUR
- Implementation support over 6 months: 30,000 EUR
- Employee training: 8,000 EUR
- Total cost: approximately 85,000 EUR as quoted (the five blocks listed above sum to 75,000 EUR)
What does Option B cost — DIY with NIS2Compass?
The IT team decides on structured self-implementation. The Pre-Check from NIS2Compass provides the initial baseline assessment. The NIS2 Guide sets out the implementation path.
- NIS2Compass Pro access: 348 EUR per year
- Internal staff time (IT team, approx. 600 hours): around 15,000 EUR
- Technical measures (MFA, backup, monitoring): 12,000 EUR
- External penetration test: 5,000 EUR
- Total cost: approximately 32,000 EUR
What does this mean at the bottom line?
The savings amount to roughly 53,000 EUR in the first year. Note that the consulting proposal covers fees only: the technical measures (12,000 EUR) and the penetration test (5,000 EUR) would have to be budgeted in Option A as well, so the like-for-like gap is wider still. The manufacturing company invests in the same technical measures; the difference lies in who steers the process. Instead of paying external consultants, the IT team uses a structured guide and implements independently. For specific specialist topics like the penetration test, they bring in targeted external expertise. This hybrid approach, a structured guide plus selective external support, proves to be the most cost-effective option for SMEs with existing IT competence.
When is an external consultant still worth it?
Going it alone has its limits. With complex supply chain structures, unclear sector classification, or when an ISO 27001 certification is being pursued in parallel, external consulting can accelerate the process. The most efficient approach for SMEs is often a hybrid: structured guide for the foundation, consultant for specialist questions.
In which cases is external expertise indispensable?
NIS2Compass covers roughly 80 percent of typical consulting services — structure, expertise, templates, and a clear implementation path. However, certain situations require specialized support:
- Unclear applicability: When sector classification or thresholds are ambiguous, a lawyer specializing in NIS2 can provide clarity.
- Complex supply chains: Companies with international suppliers and layered dependencies often need individualized risk analyses.
- Parallel ISO 27001 certification: Those building an ISMS and implementing NIS2 simultaneously benefit from an experienced ISMS consultant or lead implementer. The certification auditor is a separate, independent party and must not also act as the implementation consultant.
- Penetration tests: Technical security assessments require qualified external testers with the relevant tooling and experience. No guide can replace that.
- Legal edge cases: When it comes to management liability or cross-border reporting obligations, a specialized attorney belongs at the table.
Why is the hybrid approach most efficient for SMEs?
Instead of spending 85,000 EUR on a full consulting engagement, more and more companies are opting for a combination of structured self-implementation and targeted consulting. The NIS2 Guide from NIS2Compass provides the foundation. Supplemented by 3 to 5 consultant days for specialist questions, the external spend comes to around 5,000 to 10,000 EUR at the daily rates above, plus the platform subscription; internal staff time and the technical measures themselves are budgeted on top, as in the scenario.
"For most SMEs, the question is not whether they need a consultant, but what for. Those who handle the foundational work in a structured way on their own can allocate the saved budget specifically to specialist topics." — Dr. Markus Hartmann, Senior Compliance Consultant
The urgency is underscored by a Bitkom study from 2025: 59 percent of companies see their existence threatened by cyberattacks. This is precisely why the available budget should be deployed where it provides the greatest protection, not on foundational work that can be done in a structured, self-directed way.
NIS2Compass does not replace a lawyer or a penetration tester. But it ensures that you only pay a consultant when you truly need one. You can learn about the specific penalties for NIS2 violations in the linked article.
Frequently asked questions about NIS2 consulting and DIY implementation
Can I implement NIS2 entirely without a consultant?
Yes, for most SMEs this is realistic with a structured guide. NIS2Compass walks you through the entire implementation process in 8 chapters and 124 steps. Only for specialist questions like penetration tests or legal edge cases regarding sector classification might targeted external expertise be advisable.
What does an NIS2 consultant cost per day?
Daily rates for NIS2 and IT security consultants in Germany range between 1,000 and 2,000 EUR. According to the BDU study 2025, the average in IT consulting is 1,300 EUR per day. For complex projects, rates can be higher.
How long does NIS2 implementation take?
Expect 12 to 18 months for full implementation. The timeline depends on your starting position. An existing ISO 27001 certification significantly shortens the process. With a structured implementation path and clear prioritization, the duration can be kept to the lower end.
Is NIS2Compass still useful if I already have an ISMS tool?
Yes. ISMS tools manage controls and documents but do not provide NIS2-specific expertise. NIS2Compass complements your existing system with the NIS2 Guide, expert articles from the Knowledge Hub, and ready-made templates that ISMS tools do not include.
Which NIS2 tasks should I definitely not do myself?
Penetration tests, legal assessments of sector classification, and complex supply chain analyses require specialized knowledge. For these clearly defined tasks, targeted external consulting makes more sense than a comprehensive full-service engagement. All other steps can be implemented in a structured, self-directed way.
Related articles
- NIS2 Checklist as an Excel Template: the 10 §30 Obligations. Turn the 10 minimum measures from §30 BSIG into an Excel checklist: a 6-step build, ISO 27001 mapping, and common mistakes. With the free NIS2Compass Pre-Check.
- Implementing NIS2 Without a Consultant: A Guide for SMEs. Implementing NIS2 without a consultant: SMEs handle around 80% of the §30 BSIG duties on their own. The five phases, the realistic effort, and when external help is genuinely needed.
- NIS2 Management Liability: §38 BSIG Explained. §38 BSIG holds management personally accountable. The three duties, when personal liability applies, and how IT managers can convince the management body.