Guide helps SMEs navigate EU cybersecurity requirements

In 2023, Danish companies were subjected to an average of 2,521 cyberattacks per week. According to a new report from PwC, the number of attacks targeting Danish businesses increased by 49% in just one year. These attacks affect organisations across a wide range of industries and are no longer limited to companies with a strong focus on IT.

This development is likely linked to the increasing digitalisation of businesses, regardless of size. For SMEs, cyber threats can no longer be ignored – even if their core activities do not involve IT or data management.

Despite this, many SMEs still lack the resources and expertise required to manage cyber risks, particularly in light of new EU legislation. To address this challenge, the Alexandra Institute, Force Technology, and Danish Standards have developed a guide designed to make it easier for SMEs to understand and comply with the new requirements.

“Many SMEs are aware that new legislation is being introduced to strengthen cybersecurity. However, there are also many misconceptions about what these requirements actually involve. The purpose of the guide is to provide a consolidated overview of the different regulations, helping companies understand where to focus their efforts and offering practical suggestions for how to get started in a sensible way,” says Michael Bladt Stausholm, Principal Security Architect at the Alexandra Institute.

Navigating multiple cybersecurity requirements

Over the past few years, the European Union has strengthened cybersecurity legislation aimed at creating a secure digital Europe and increasing the resilience of European businesses.

“For small and medium-sized enterprises, cyberattacks can be highly disruptive. EU legislation provides valuable guidance on implementing fundamental security measures – but only if companies are able to comply with the requirements. The guide is intended as a helping hand, making it easier for businesses to follow the legislation and strengthen their protection against cyber threats,” says Jeppe Pilgaard Bjerre, Specialist at Force Technology.

Two new EU regulations in particular will have a significant impact on many Danish companies in the years ahead. The first is the NIS2 Directive, which requires organisations operating in critical sectors and their suppliers to strengthen their cybersecurity. The second is the Cyber Resilience Act, which introduces cybersecurity requirements for digital products, including both hardware and software.

“We developed the guide to make cybersecurity more manageable for SMEs. It provides an overview of the requirements and practical tools for structuring cybersecurity efforts, enabling companies to take action in time, regardless of whether they are directly affected by the legislation,” says Berit Aadal, Senior Consultant at Danish Standards.

Practical support for SMEs

Even SMEs that are not directly covered by the legislation may still face cybersecurity requirements from customers and business partners. The new guide provides SMEs with:

• An overview of the relevant legislation and its implications
• Tools to help organisations get started and inspiration for developing a cybersecurity strategy
• Practical examples based on 3 fictional companies, demonstrating how the requirements can be addressed in practice.

The guide is freely available and can also be used by larger organisations seeking a concise overview of the regulatory landscape. In addition to NIS2 and the Cyber Resilience Act, the guide introduces relevant standards and CE marking requirements.

Download the guide here (in Danish)