New Cybersecurity Rules Hit European SMEs — But There’s Help on the Way

European small and medium-sized businesses (SMEs) are facing a new cybersecurity landscape. The NIS2 Directive, an updated EU cybersecurity law, is expanding its reach beyond large corporations and critical infrastructure, now encompassing many SMEs. If your business has over 50 employees or an annual turnover exceeding €10 million, you may now be subject to significant cybersecurity compliance obligations.

Understanding NIS2

NIS2 (Network and Information Systems Directive 2) represents the European Union’s latest effort to strengthen digital security across the bloc. This directive replaces the 2016 NIS Directive with a more stringent framework, covering additional sectors and companies with more comprehensive rules.

Businesses in sectors such as energy, healthcare, finance, food, digital services, manufacturing, or even public administration might now be categorized as “essential” or “important” entities under NIS2. Furthermore, even smaller suppliers can be indirectly impacted, especially if they are part of the supply chain for larger companies that require robust security across their operations.

Implications for SMEs

The directive mandates that businesses promptly enhance their cybersecurity measures. New obligations include:

  • Implementing cybersecurity risk management plans.
  • Utilizing multi-factor authentication (MFA).
  • Encrypting sensitive data.
  • Continuously monitoring networks.
  • Reporting cyber incidents within 24 hours, with full details provided within 72 hours.

Non-compliance can result in substantial penalties, including fines of up to €10 million or 2% of global turnover. This poses a considerable challenge for many SMEs already operating with limited resources. According to ENISA, the EU’s cybersecurity agency, 59% of SMEs struggle to fill cyber-related positions, and over one-third cannot afford investments in new tools or staff.

EU Support Through the Digital Europe Programme

Recognizing these challenges, the EU is providing significant financial support through the Digital Europe Programme to assist SMEs in meeting the new cybersecurity demands. This initiative aims to make cybersecurity more accessible and affordable, particularly for SMEs lacking the necessary budget or expertise. As Margrethe Vestager stated, “The Digital Europe Programme is key for pooling EU and national funding to achieve ambitious digital projects that no Member State can do alone. It is crucial that Europe continues to support our digital decade targets with enhanced focus on digital skills, excellence in artificial intelligence, and cybersecurity.”

Key initiatives under this program include:

  • Co-funded Security Operation Centres (SOCs) for SMEs, such as the GR-SME-SEC project.
  • Provision of free cyber readiness assessments, training platforms, and toolkits.
  • Facilitation of access to shared infrastructure and expertise through national and cross-border projects.

An illustrative example is the CYSSDE project, where organizations like FundingBox manage open calls offering up to €200,000 in funding to help companies improve their cybersecurity posture. The final CYSSDE Open Call is anticipated to launch in January 2026, presenting another funding opportunity for SMEs and service providers.

Beyond direct funding, several free tools and platforms are available to support SMEs in their compliance journey:

  • CYSSDE platform – supports EU member states by providing practical tooling, penetration testing scenarios, best-practice documentation, and country-specific connection points. It helps organisations strengthen their cybersecurity readiness through guidance on pentesting, vulnerability assessments, regulatory compliance (NIS2, CERT), and by fostering knowledge sharing via open calls, webinars, and community engagement.
  • NIS2Resources.eu – Free Compliance Kits: Offers a variety of downloadable materials, including:
    • An ISO 27001:2022 alignment guide.
    • A cheatsheet with per-article requirements.
    • A practical implementation guide.
    • A compliance assessment tool for MSPs.
    • Audit templates in PDF and Excel.
  • ENISA (EU Agency for Cybersecurity) – Official EU resource offering guidance, toolkits, and reports (NIS2 guidance, templates, threat reports).
  • CERT‑EU – The EU Institutions’ CERT: an official service with alerts, mitigation guidance, and reports relevant to the EU ecosystem.
  • Thales – NIS2 Self-Assessment Tool: Allows for a quick assessment aligned with NIS2 requirements, identifying vulnerabilities and offering clear recommendations to enhance your security posture.

Looking Ahead

While EU member states were tasked with transposing the directive into national law by October 17, 2024, some countries are still in the process as of mid-2025. Although enforcement may vary initially, businesses should not rely on potential delays. Experts emphasize that proactive companies will not only avoid penalties but also gain a competitive advantage in a digital economy that increasingly prioritizes trust and resilience.

The bottom line

The NIS2 Directive is significantly reshaping the cybersecurity landscape for European SMEs. It introduces strict and complex requirements, which can be costly. However, with EU funding and various free tools now on the table, businesses that act now will be well-positioned to succeed in the coming years.

References:

NIS2 Directive – https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555

2024 Report on the State of Cybersecurity in the Union (ENISA) – https://www.enisa.europa.eu/sites/default/files/2024-11/2024%20Report%20on%20the%20State%20of%20the%20Cybersecurity%20in%20the%20Union.pdf

European Cybersecurity Competence Centre and Network (ECCC) – https://cybersecurity-centre.europa.eu/index_en

Digital Europe Programme – https://digital-strategy.ec.europa.eu/en/activities/digital-programme

Rosa Villaronga

About the authors

Rosa Villaronga

EU Project Manager

Rosa Villaronga is an experienced Project Manager specializing in EU-funded research and innovation projects, with a focus on advanced digital technologies. With strong experience in managing international cooperation projects, Rosa has supported communities and promoted gender equality.