SME representatives discussed the EU Cybersecurity Act’s certification framework with experts from the EU Commission and the European Cybersecurity Agency ENISA

“SMEs, standards, and the EU Cybersecurity Act” was the title of this year’s SBS ICT Forum, and its topic could have been described similarly: SMEs need to make cybersecurity the standard. The forum discussed the role of standards in making sure that SMEs all along the supply chain meet the right level of cybersecurity assurance.

In his opening remarks in front of 50 interested participants, DIGITAL SME Secretary-General Sebastiano Toffaletti painted a dire picture: “Statistics show that 60% of SMEs who suffer a major cyberattack never recover from it, meaning that they have to shut down”. Adopting adequate cybersecurity solutions is still uncommon for most European user SMEs, for a number of reasons; a lack of time, money and skills are at the top of the list. Many small businesses don’t have cybersecurity on their radar at all.  As entrepreneur and cybersecurity expert Iñaki Eguía put it: “The problem is that many SMEs don’t see cybersecurity as a potential industry enabler, but as a burden, a constraint”. 

Digital SMEs as “hidden champions”

On the other hand, Europe also has many “hidden champions” in cybersecurity. Some digital SMEs are at the forefront of developing cybersecurity solutions or advising other SMEs on how to optimise processes and make their operations more secure. 

Going digital is a major game-changer for industrial processes, and moves the vulnerability from the physical to the online space. SMEs up and down the supply chain need to be taken into consideration when proposing measures aimed at a higher level of cybersecurity assurance. One way to address this issue is to propose standards and certification frameworks. However, some of the current standards are highly technical and do not provide practical solutions to SMEs. “Therefore, there is a need to think about SME friendly standards and solutions within the framework of the EU Cybersecurity Act,” said Sebastiano Toffaletti in the aftermath of the event. 

The European institutions are aware of this need and have assured their commitment to finding solutions that enable SMEs: “We will be reaching out publicly to understand the needs of communities and SMEs. We want to identify market means where intervention from us can make your life easier”, as Aristotelis Tzafalias, Policy Officer for the Commission’s DG CONNECT put it. 

The new certification framework could be a “game-changer”

The EU Cybersecurity Act was introduced as a comprehensive framework to increase the level and quality of cybersecurity in Europe and to harmonise its standards, as ENISA expert Prokopios Drogkaris explained in his presentation of the Act. SBS expert Fabio Guasconi affirmed that “it could be a game-changer. Depending on the schemes that will be adopted within it, certification could facilitate cybersecurity to a point where even untrained personnel can make safe choices”. However, the framework also contains potential pitfalls: if the certification schemes are too complex and the adoption lacking, the Cybersecurity Act could be at risk to become just another piece of legislation SMEs don’t even know about. 

Regardless of the “how”, the experts agreed that cybersecurity will have to be “built into SMEs’ digital solutions from the ground up”. SBS and DIGITAL SME were happy to provide a forum that drew so much interest from experts and interested individuals about a topic that is often overlooked in talks about cyber resilience, and we are looking forward to an ongoing conversation about the Cybersecurity Act’s implementation. In the meantime, we will keep working on practical solutions to empower SMEs and help them comply with cybersecurity standards, such as ISO/IEC 27001 for which we developed a handy guide for SMEs.