Empirical Analysis of NIS2 Adoption in EU SMEs: Challenges for Critical Infrastructure in Germany

Authors

  • Thomas Joswig, Signum Magnum College, Malta
  • Walter Kurz, Signum Magnum College, Malta

Abstract

This research investigates the implementation of the NIS2 Directive in small and medium-sized enterprises (SMEs) categorised as part of critical infrastructure in Germany. The study examines regulatory requirements, compliance challenges, and the practical implications of cybersecurity obligations under NIS2, with particular emphasis on SMEs’ resource limitations and sector-specific vulnerabilities. A mixed-method approach was utilised, integrating qualitative analysis of legal frameworks, academic literature, and policy guidelines with quantitative survey data from SMEs operating in critical sectors. This methodological design facilitates a comprehensive assessment of both regulatory demands and real-world compliance barriers. The findings indicate that SMEs encounter substantial challenges in interpreting and implementing NIS2 requirements, with compliance scores exhibiting variation across company size and industry sector. While larger SMEs in telecommunications and energy demonstrate moderate preparedness (mean score 72.3), smaller enterprises in service-based sectors manifest lower compliance levels (mean score 48.5). Principal obstacles comprise financial constraints, limited cybersecurity expertise, and the complexity of mandatory risk management and reporting obligations. The study elucidates the disproportionate burden that NIS2 imposes on SMEs in comparison to larger enterprises. The absence of tailored cybersecurity frameworks and financial support mechanisms exacerbates compliance challenges, particularly in resource-limited sectors. Incident reporting obligations and supply chain security requirements introduce additional administrative and operational encumbrances, necessitating sector-specific guidance and targeted assistance. Ensuring SME compliance with NIS2 necessitates regulatory modifications, financial incentives, and pragmatic support measures. 
Policy recommendations encompass simplified compliance frameworks, government-supported cybersecurity advisory services, and enhanced funding for SME cybersecurity initiatives. The development of sector-specific guidelines, AI-driven compliance tools, and targeted training programmes could reduce administrative burdens while enhancing cybersecurity resilience. A risk-based approach, aligned with SMEs’ operational realities, is imperative to balance cybersecurity resilience with economic viability.

Keywords:

NIS2, SME, Cybersecurity compliance, critical infrastructure, regulatory changes, risk management, incident reporting, AI-driven compliance

Published

2025-03-12

How to Cite

Joswig, T., & Kurz, W. (2025). Empirical Analysis of NIS2 Adoption in EU SMEs: Challenges for Critical Infrastructure in Germany. Journal of Next-Generation Research 5.0, 1(3). https://doi.org/10.70792/jngr5.0.v1i3.99
