Cyber attacks take out European SMEs every day. Here’s how good standards can fix that. (New position paper)

  • In a new position paper, DIGITAL SME provides concrete suggestions to ensure that cybersecurity standards, which may serve as the basis for EU-wide certification schemes under the EU Cybersecurity Act, are “usable” for SMEs

  • The certification schemes, if done well, could significantly elevate the levels of cybersecurity across Europe, especially for consumers and SMEs with limited technical literacy

  • At the same time, there is a need to develop cybersecurity solutions tailored to different types of SMEs

Brussels, 16 January 2020 (DIGITAL SME). Cybersecurity is a make-or-break issue in the digital economy. Although there is growing recognition that building cyber resilience is crucial, adoption of the extant cybersecurity standards is severely lacking—especially among SMEs. This is partially due to the fragmented nature of cybersecurity certifications in Europe; there are no well-known and universally accepted certificates with a high level of adoption. Among other goals, the EU Cybersecurity Act (CSA) set out to eliminate this fragmentation through the introduction of a harmonised framework for cybersecurity certification. In a new position paper, DIGITAL SME provides concrete suggestions to make sure SMEs can adopt and benefit from the new cybersecurity certification schemes.

EU-wide harmonisation of cybersecurity certifications

If a high rate of adoption is achieved, the voluntary certification schemes could significantly elevate cybersecurity throughout Europe. SME cybersecurity expert Fabio Guasconi called the EU Cybersecurity Act a “game-changer” at the SBS ICT Forum last year, adding that it could “allow all consumers, also with less technical competences, to be able to make [safe] choices” based on trusted certificates. This will become even more important as disruptive new technologies like artificial intelligence, 5G and quantum computing move whole supply chains and their vulnerabilities from the physical to the digital space. 

But how do we get there? The CSA introduces a framework for certification schemes, not the schemes themselves. The development of these certification schemes will be a complex process and it could run the risk of producing schemes that are too complicated and too hard to adopt. 

The schemes will most likely be developed in reference to existing and future cybersecurity standards, i.e. official documents by European and international standardisation organisations. Standards are voluntary, industry-driven agreements that aim at harmonisation and interoperability of products, services and solutions to boost compatibility and trade. If cybersecurity standards are the base layer for trusted certification schemes, they must be easy to access, understand and implement—especially for smaller companies with a low level of technical literacy.

DIGITAL SME position paper proposes concrete options to increase cybersecurity-standards adoption

In DIGITAL SME’s new position paper “The EU Cybersecurity Act and the role of standards for SMEs”, we outline four “A” challenges of standards adoption for SMEs: affordability (most SMEs simply can’t afford paid-for standards), adaptation (most standards are not tailored to the different types and needs of SMEs), awareness (ask your friend who works in a small consultancy firm if they can name a single cybersecurity standard), and access to standardisation organisations (SMEs often don’t get to participate in the standards-making process, putting them at a decisive disadvantage).

Put simply: We need standards that are more accessible, affordable and adapted to SMEs, and SMEs need to be aware that these standards exist. To solve this conundrum and move forward, we propose four concrete options to increase SME adoption of cybersecurity standards. Learn more about these options in the position paper.

Besides standardisation, cyber resilience in Europe could also greatly improve through the development of lightweight and easy-to-use cybersecurity guides, and even more by pooling such practical guides in a trusted European online platform like.

Read the position paper here!