Who should read this: Small and medium-sized enterprises (SMEs), owners of SMEs, compliance managers, operations teams, IT directors.
A common misunderstanding about NIS2 is that only large essential and important entities need to pay attention. In reality, many SMEs lie outside the Directive’s direct scope but occupy a precarious middle ground: they are not large enough to be regulated as essential or important entities, yet they are increasingly targeted by cyber attacks and integrated into supply chains of much larger entities that are subject to NIS2 compliance. This post explains the SME landscape under NIS2 and why preparation matters even for businesses not directly regulated.
The NIS2 Directive defines “essential entities” and “important entities” based on sector, size and criticality. The thresholds are high. A manufacturer of network equipment might be an important entity because of the criticality of its products, regardless of size. A large energy company will always be essential. But most SMEs, the vast majority of European businesses, fall outside these categories. They have fewer than 250 employees or less than EUR 50 million in annual revenue. They operate in sectors not explicitly covered by NIS2. This creates the appearance of a free pass.
That appearance is misleading. The NIS2 Directive, through Article 7(2)(i) and Recital 56, establishes a national policy imperative to support SME cybersecurity readiness. More importantly, NIS2 creates cascading obligations that reach into SME supply chains. Every SME that supplies products, services or data to an essential or important entity becomes relevant to that larger entity’s cybersecurity risk management. This post explores these second-order effects and why SMEs should treat NIS2 as a business driver even without direct regulatory obligation.
The SME Challenge Under NIS2
Recital 56 identifies the specific cybersecurity challenges SMEs face: “low cyber-awareness, a lack of remote IT security, the high cost of cybersecurity solutions and an increased level of threat, such as ransomware, for which they should receive guidance and assistance.” These are not abstract problems. They describe the operating environment of most European SMEs.
Cyber-awareness in many SMEs is nascent. The owner knows cybersecurity matters, perhaps vaguely, but the organisation has no formal security policy or incident response plan. A lack of remote IT security means that when the single IT person is on holiday, security monitoring stops. High costs are real: a comprehensive security overhaul can consume 5 to 10% of annual IT budgets, a significant investment for businesses with tight margins. Ransomware is a concrete, present threat. Between 2020 and 2023, attack rates on SMEs surged; many SMEs now receive ransom demands despite having minimal assets or intellectual property that seems worth extracting. Attackers use volume strategies: infect thousands of SMEs and see which ones pay.
Recital 56 also highlights a second crucial factor: “Small and medium-sized enterprises are increasingly becoming the target of supply chain attacks due to their less rigorous cybersecurity risk-management measures and attack management, and the fact that they have limited security resources. Such supply chain attacks not only have an impact on small and medium-sized enterprises and their operations in isolation but can also have a cascading effect on larger attacks on entities to which they provided supplies.”
This is the key insight. An SME that supplies cloud computing services, software updates, or data processing to a bank, energy company or hospital becomes part of that larger entity’s attack surface. If the SME is breached, the attacker gains a foothold inside the larger entity’s trusted supply chain. From there, the attacker can pivot laterally, exfiltrate data, or conduct sabotage. The larger entity, under NIS2, is now obligated to assess and manage supply chain risks. The SME, even if not regulated, becomes a compliance requirement for others.
SMEs Within Supply Chain Risk Management
Article 21 of the NIS2 Directive requires essential and important entities to “take appropriate measures to assess and mitigate supply chain risks.” When an essential or important entity reviews its suppliers, it will almost certainly find SMEs in its supply chain, especially in software, hardware manufacturing, managed services, or data processing. These SME suppliers will face questions: What is your cybersecurity posture? Can you demonstrate that you apply industry-standard security practices? What is your incident response capability?
The entity asking these questions is not trying to burden SMEs out of malice. It is trying to satisfy its own NIS2 obligations. It must document that it has assessed supply chain risks and taken proportionate measures to mitigate them. One of the simplest risk mitigation measures is ensuring that suppliers meet baseline security standards. For the SME on the receiving end, this means that maintaining NIS2 readiness is no longer optional; it is a condition of business.
What does NIS2 readiness look like for an SME? At a basic level, it includes measures outlined in Article 21 and elaborated in the Directive’s framework. These are not exotic requirements. They include:
- Asset management: knowing what hardware and software you own and operate.
- Access control: ensuring only authorised people can access systems and data, with multi-factor authentication for remote access.
- Encryption: using encryption for sensitive data in transit and at rest.
- Incident detection and response: having processes to spot when something is wrong and procedures to respond.
- Backup and recovery: regularly backing up critical data to a separate system so you can recover from ransomware or other data loss.
- Vulnerability management: keeping software and systems up to date, scanning for known security flaws, and fixing critical issues promptly.
- Staff training: ensuring employees understand phishing, social engineering, and their role in security.
These practices are not novel. They reflect decades of security best practice. But many SMEs have implemented them inconsistently or not at all. An SME that wants to remain a supplier to regulated entities needs to demonstrate that these practices are in place and working.
National Support for SMEs
Recognising this burden, Recital 56 calls on Member States to provide support: “Member States should, through their national cybersecurity strategies, help small and medium-sized enterprises to address the challenges faced in their supply chains. Member States should have a point of contact for small and medium-sized enterprises at national or regional level, which either provides guidance and assistance to small and medium-sized enterprises or directs them to the appropriate bodies for guidance and assistance with regard to cybersecurity related issues. Member States are also encouraged to offer services such as website configuration and logging enabling to microenterprises and small enterprises that lack those capabilities.”
This is a significant commitment. By the time the NIS2 Directive is fully implemented in Member States (between October 2024 and October 2027), each Member State should have established a point of contact (a person, office, or website) where SMEs can ask for guidance on cybersecurity. Some Member States have already done this; others are building their infrastructure now. These resources are not mandatory for SMEs to use, but they represent a signal from government that SME cybersecurity is a policy priority.
Additionally, some Member States are funding or subsidising cybersecurity services for SMEs. Programmes range from subsidised security audits to free vulnerability scanning tools to training grants. SMEs should explore what their Member State offers. These programmes exist precisely because governments recognise that SMEs face barriers that larger entities do not.
Ransomware: The Catalyst for SME Action
Recital 56 emphasises ransomware because it is statistically the greatest threat most SMEs face. Ransomware is not sophisticated. It does not require advanced persistent threat capabilities or nation-state funding. It is a volume business. An attacker sends phishing emails to thousands of organisations. Some emails are opened. Some users click links or download attachments. The malware installs and spreads. The attacker encrypts the victim’s files and demands payment.
Why do SMEs get hit? Often by accident, because they simply appear on the list of organisations the attacker’s email-harvesting tools turned up. But some attacks are deliberate, targeting SMEs in specific sectors known to have valuable data (healthcare, finance, legal services). The ransom demands are often modest, in the range of EUR 5,000 to EUR 50,000, small enough that some SMEs pay rather than spend time and money recovering from backups.
NIS2 does not eliminate ransomware risk. But it creates a framework in which SMEs can demonstrate that they have taken reasonable precautions. Regular backups mean you can recover without paying. Access controls mean the attacker has a harder time spreading. Incident detection means you catch infections sooner. Staff training means fewer phishing emails successfully exploit users. Together, these reduce both the likelihood and the impact of ransomware.
Preparing Your SME for NIS2
If you are an SME owner or manager, NIS2 preparation is not a one-time project; it is an evolution of your cybersecurity practice. Start with basics:
Conduct a self-assessment. Do you have a cybersecurity policy? Does it cover access control, password practices, incident response? Do employees know it exists? Many SMEs have no formal policy; writing one is free and surprisingly useful. It forces you to articulate what you believe should happen.
Identify your critical assets. What systems, data or infrastructure would cause operational disruption if breached or destroyed? These are your priority for protection. You cannot protect everything equally, so focus on what matters most.
Scan for vulnerabilities and apply patches. Many SMEs do not have a patch management process. Set a policy: critical security updates within 48 hours, other updates within 30 days. Use automated patching where possible. Many attacks succeed because attackers exploit vulnerabilities for which patches have been available for months or years.
Enable multi-factor authentication for remote access. If any of your staff access systems remotely (increasingly common post-pandemic), multi-factor authentication is non-negotiable. It blocks the vast majority of phishing-based attacks.
Back up your data. Automated, offsite, regular backups. Test your recovery process at least once per year. Ransomware becomes a minor inconvenience if you can recover from backups in hours.
Train your staff. Cybersecurity is not just an IT problem. It is a collective responsibility. Teach employees to spot phishing, to use passwords securely, to report suspicious activity. Many organisations find that even basic training reduces security incidents by 30 to 50%.
Document your practices. When a larger customer asks “What is your cybersecurity posture?”, you should be able to provide a one-page summary. This is far easier if you have documented what you do.
If you have resources, consider a paid security assessment from a trusted consultant. Even a half-day engagement can identify your biggest risks. If your budget is extremely tight, explore the free resources or subsidised assessments offered by your Member State.
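One way to turn the patch deadlines and the documentation step above into a routine check, as an added example that is not part of the original post: it applies the 48-hour/30-day policy to a constructed asset inventory (the asset names, field names and dates are this example’s own, not a standard format) and lists what is overdue, which doubles as the written evidence a larger customer will ask for.

```python
"""Patch-SLA check over a small asset inventory (constructed sample data)."""
from datetime import datetime, timedelta, timezone

# Deadlines from the policy stated in the text: critical fixes within 48 hours,
# everything else within 30 days of the vendor releasing the update.
PATCH_SLA = {"critical": timedelta(hours=48), "other": timedelta(days=30)}

# Constructed example inventory: one record per asset with its pending updates.
# Field and asset names are this example's own, not any standard format.
INVENTORY = [
    {"asset": "file-server-01", "owner": "ops", "pending": [
        {"update": "OS security rollup", "severity": "critical",
         "released": "2024-03-01T09:00:00Z"}]},
    {"asset": "laptop-sales-07", "owner": "sales", "pending": [
        {"update": "browser update", "severity": "other",
         "released": "2024-02-10T00:00:00Z"}]},
    {"asset": "vpn-gateway", "owner": "ops", "pending": []},
]


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T09:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def overdue_patches(inventory, now: datetime):
    """Return pending updates that have passed their SLA deadline, with the
    asset, owner, severity and whole hours overdue for each finding."""
    findings = []
    for asset in inventory:
        for upd in asset["pending"]:
            tier = "critical" if upd["severity"] == "critical" else "other"
            deadline = _parse(upd["released"]) + PATCH_SLA[tier]
            if now > deadline:
                hours_over = int((now - deadline).total_seconds() // 3600)
                findings.append({"asset": asset["asset"], "owner": asset["owner"],
                                 "update": upd["update"], "severity": tier,
                                 "hours_overdue": hours_over})
    return findings


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible; use datetime.now(timezone.utc) in practice.
    now = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)
    for f in overdue_patches(INVENTORY, now):
        print(f"{f['asset']:16} {f['severity']:9} {f['update']:20} "
              f"{f['hours_overdue']}h overdue (owner: {f['owner']})")
```

Run it from a scheduled job and keep the output with each run’s date; the list of findings and the dates they were cleared is exactly the kind of record the self-assessment and customer questionnaires call for.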
Key Takeaways
- SMEs are not directly subject to NIS2 requirements, but supply chain obligations mean many SMEs must prepare regardless.
- Essential and important entities must assess and manage supply chain risks, creating practical pressure on SME suppliers to demonstrate cybersecurity readiness.
- SME-specific challenges, including low awareness, limited resources, high cost of solutions and ransomware targeting, are recognised in NIS2 policy and should be addressed through a combination of self-help, peer learning and government support.
- Member States are obliged to establish points of contact and provide guidance to SMEs on cybersecurity, recognising the resource gap between SMEs and large entities.
- Practical SME preparation involves basic security hygiene: asset management, patching, access control, encryption, incident response, backups and staff training.