NIS2 for SMEs: Practical Guide

Many SME owners believe NIS2 is "only for big companies." This is a dangerous misconception. Whether you're directly in scope or not, cybersecurity requirements will reach you through your customers and supply chains. The good news? Belgium's CyberFundamentals framework has a level designed specifically for SMEs—and it's free.

[Image: SME business owner reviewing cybersecurity] Cybersecurity is achievable and affordable for SMEs

The "This Doesn't Apply to Me" Misconception

We hear it constantly from SME owners: "We're too small for NIS2" or "We're not in a critical sector." Here's the reality — and it's changing fast:

Direct scope is narrower, but expanding

NIS2 directly targets companies with 50+ employees in specific sectors. But in January 2026, the EU proposed a new "small mid-cap" category (<750 employees, <€150M turnover) with simplified obligations. The scope keeps growing.

Supply chain pressure is real and growing

Around 2,000 entities in Belgium are now registered with the CCB. They must secure their supply chains. If you're a supplier to a hospital, bank, or manufacturer, they will require proof of your cybersecurity.

Insurance requirements

Cyber insurance providers increasingly require basic cybersecurity measures. Without them, you face refused coverage or higher premiums.

Customer expectations

Tenders and contracts increasingly include cybersecurity requirements. Without certification, you lose bids.

Why SMEs Should Care

Cybercriminals don't care about your company size. In fact, SMEs are often easier targets:

Less security investment

Attackers know SMEs often lack dedicated IT security staff

Gateway to bigger targets

Hackers use small suppliers to reach larger companies

Devastating impact

60% of SMEs close within 6 months of a major cyberattack

Reputation damage

One breach can destroy years of customer trust

[Image: Supply chain cybersecurity illustration] NIS2 requirements flow through the entire supply chain

What Large Companies Do vs. What SMEs Should Focus On

NIS2 requirements scale to your organization size:

Aspect                  | Large Enterprise            | SME Focus
Dedicated security team | Yes, full-time CISO + team  | IT partner or managed service
Budget                  | €100K+ annually             | €0-5K to start
Framework level         | Important or Essential      | Small (7 controls)
Timeline                | 6-12 months                 | 2-4 weeks for basics
Complexity              | Complex policies, audits    | Practical checklists
Certification           | Full audit required         | Self-assessment OK

How SMEs Can Comply Without Breaking the Bank

The CyberFundamentals "Small" level was designed with SMEs in mind. Here's your practical roadmap:

1. Start with what you have

You're probably already doing some of this: antivirus, regular backups, password policies. Document what exists.

2. Use the free Small assessment

CyberFundamentals Small has only 7 controls. Many are things like "use strong passwords" and "keep software updated."

3. Involve your IT partner

If you have an IT provider, ask them about CyberFundamentals. Good partners already know it.

4. Document as you go

Keep simple records of what you implement. A spreadsheet is fine to start.

5. Get visible proof

Once compliant, get the Small level badge. Use it in proposals and on your website.

SME Quick Wins Checklist

These 10 actions cover most of the Small level requirements and significantly reduce your risk:

  1. Enable MFA (multi-factor authentication) on all accounts
  2. Ensure all devices have updated antivirus/antimalware
  3. Set up automatic software updates
  4. Implement automatic daily backups (test restores quarterly)
  5. Use a password manager for the team
  6. Create a simple inventory of your IT assets
  7. Define who has access to what systems
  8. Brief employees on phishing awareness
  9. Have a basic incident response plan (who to call)
  10. Review and document your current security measures

Cost Comparison: Your Options

Estimated costs for achieving CyberFundamentals Small compliance:

Approach                         | Estimated Cost  | Best For                | Considerations
DIY with free tools              | €0-500          | Very small businesses   | Requires time and basic IT knowledge
Platform (Easy Cyber Protection) | Free (Small)    | SMEs wanting guidance   | Guided process, evidence collection
IT partner implementation        | €2,000-5,000    | No internal IT capacity | One-time cost, ongoing support extra
Consultant audit                 | €5,000-15,000   | Higher assurance levels | Overkill for Small level

Working with Your IT Partner

Your IT provider can be your greatest ally in this process. Here's how to work together effectively:

Ask the right question

"Are you familiar with CyberFundamentals?" Good partners know it.

Share responsibilities

Some controls are technical (they handle), others are organizational (you handle).

Request documentation

Ask them to document what security measures they've implemented for you.

Consider shared platforms

Tools like Easy Cyber Protection let you collaborate with your IT partner.

Why Easy Cyber Protection for SMEs?

We built Easy Cyber Protection specifically for SMEs who want to take cybersecurity seriously without hiring consultants or reading 200-page manuals.

Free Small tier — Complete CyberFundamentals Small—7 controls—at no cost. Forever.
One task at a time — No overwhelm. We tell you exactly what to do next, in plain language.
Evidence collection — As you complete tasks, you're automatically building your compliance documentation.
IT partner portal — Share tasks with your IT provider. They see what needs technical implementation.
Dutch, French, English — Full support for Belgian businesses in your preferred language.


Frequently Asked Questions

Is my small business really at risk of cyberattacks?

Yes. 43% of cyberattacks target small businesses precisely because they often have weaker security. Attackers use automated tools that don't discriminate by company size. Ransomware, phishing, and invoice fraud affect SMEs daily.

What if I'm not in a NIS2 sector?

Even outside NIS2 sectors, you'll likely face cybersecurity requirements from customers, insurance providers, or business partners who ARE in scope. Starting with CyberFundamentals Small prepares you for these requests.

Can I really achieve compliance for free?

Yes. CyberFundamentals Small is designed for this. With free tools like Easy Cyber Protection, a password manager, and your existing IT setup, you can achieve meaningful security at minimal cost.

How long does it take for an SME to comply?

For CyberFundamentals Small, most SMEs can complete the 7 controls in 2-4 weeks of part-time effort. Many controls are things you might already be doing—you just need to document them.

Do I need to hire a consultant?

Not for the Small level. CyberFundamentals Small is designed for self-assessment. A platform like Easy Cyber Protection guides you through each step. Consultants make sense only if you're targeting higher assurance levels.

Sources

  1. NIS2 Directive (EU) 2022/2555 — Official Journal of the European Union
  2. CyberFundamentals Framework — Centre for Cybersecurity Belgium (CCB)
  3. NIS2 Directive Resources — ENISA (European Union Agency for Cybersecurity)
  4. NIS2 Directive Overview — European Commission Digital Strategy
