What’s happening? Small and medium enterprises (SMEs) face a wave of new cybersecurity legislation from both the EU and UK in 2025, requiring immediate preparation for Compliance with regulations that could significantly impact business operations and costs.
Key Cybersecurity Laws SMEs Must Prepare For:
EU Regulations (Already Adopted):
โข NIS2 Directive – Updated Network and Information Systems security requirements
โข DORA – Digital Operational Resilience Act for financial services
โข CRA – Cyber Resilience Act for connected products
โข AI Act – Comprehensive artificial intelligence regulation
UK Legislation (Upcoming):
โข Cyber Security and Resilience Bill – UK’s response to NIS2
โข AI Bill – Focus on frontier AI model regulation
What Is the NIS2 Directive?
The Network and Information Systems Directive 2 (NIS2) is the EU’s updated cybersecurity framework requiring organizations to:
โข Implement robust cybersecurity risk management measures
โข Report significant cyber incidents within 24 hours
โขย Ensure supply chain security assessments
โข Conduct regular security audits and vulnerability assessments
โข Maintain business continuity and crisis management procedures
Who must comply: Essential and important entities including energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space sectors.
How Will DORA Affect SMEs?
The Digital Operational Resilience Act (DORA) specifically targets financial services firms and their suppliers, requiring:
โข ICT risk management frameworks
โข Incident reporting within strict timeframes
โข Operational resilience testing including threat-led penetration testing
โข Third-party risk management for all ICT service providers
โข Information sharing arrangements for cyber threat intelligence
SME impact: Any SME providing services to financial institutions must comply with DORA requirements.
What Is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) introduces cybersecurity requirements for products with digital elements:
โข Mandatory security standards for connected devices
โข Vulnerability disclosure processes
โข Security updates throughout product lifecycle
โข CE marking requirements with cybersecurity declarations
โข Market surveillance and compliance monitoring
Who’s affected: SMEs manufacturing or importing IoT devices, smart appliances, industrial equipment, or software products sold in the EU.
What Will the UK’s Cyber Security and Resilience Bill Include?
The UK’s Cyber Security and Resilience Bill represents Britain’s response to the EU’s NIS2 directive. While full details remain limited, expected provisions include:
โข Equivalent security requirements to NIS2 for critical sectors
โข Incident reporting obligations for cyber attacks
โข Supply chain security mandates
โข Regular security assessments and audits
โข Penalties for non-compliance
Timeline: Specific implementation dates not yet announced by UK government.
How Will the UK AI Bill Differ from EU AI Act?
EU AI Act focus:
โข Comprehensive regulation across all AI applications
โข Risk-based approach with prohibited and high-risk categories
โข Compliance requirements for AI system providers and deployers
UK AI Bill (expected focus):
โข Frontier AI models – Advanced AI systems with significant capabilities
โข Safety and security standards for cutting-edge AI development
โข Innovation-friendly approach balancing regulation with growth
โข International cooperation on AI governance
What Should SMEs Do Now?
Immediate compliance steps:
1. Assess current exposure – Determine which regulations apply to your business
2. Conduct security gap analysis – Identify areas requiring improvement
3. Implement incident response procedures – Prepare for mandatory reporting requirements
4. Review third-party contracts – Ensure suppliers meet new security standards
5. Budget for compliance costs – Factor in audit, training, and system upgrade expenses
Which SMEs Are Most at Risk?
High-priority sectors for immediate action:
โข Financial services providers and their suppliers (DORA)
โข Technology manufacturers and importers (CRA)
โข Critical infrastructure suppliers (NIS2/UK Bill)
โข AI system developers and deployers (AI Act/UK AI Bill)
โข Cross-border service providers (multiple jurisdictions)
What Are the Penalties for Non-Compliance?
EU regulation penalties:
โข NIS2: Up to โฌ10 million or 2% of annual worldwide turnover
โข DORA: Up to โฌ1 million or 1% of annual net turnover for smaller firms
โข CRA: Up to โฌ15 million or 2.5% of annual worldwide turnover
โข AI Act: Up to โฌ35 million or 7% of annual worldwide turnover
UK penalties: Expected to mirror EU levels but specific amounts not yet confirmed.
When Do These Laws Take Effect?
Implementation timeline:
โข NIS2: EU member states must transpose by October 2024 (enforcement beginning)
โข DORA: January 17, 2025 (full application)
โข CRA: Phased implementation from 2025-2027
โข AI Act: Phased implementation 2025-2027
โข UK Bills: Timeline to be announced
How Can SMEs Prepare for Multiple Jurisdictions?
Best practice approach:
1. Map regulatory overlap – Identify common requirements across jurisdictions
2. Implement highest standards – Meet most stringent requirements to ensure broad compliance
3. Seek professional guidance – Engage cybersecurity and legal experts
4. Join industry associations – Access sector-specific compliance guidance
5. Monitor regulatory updates – Stay informed of implementation details
What Support Is Available?
Resources for SMEs:
โข Government guidance – Watch for official implementation guidance
โข Industry bodies – Sector-specific compliance support
โข Cybersecurity frameworks – ISO 27001, NIST, and other established standards
โข Professional services – Legal and cybersecurity consultancies
โข Peer networks – Industry forums and compliance communities
Why This Matters for UK SMEs
The convergence of EU and UK cybersecurity legislation creates a complex compliance landscape. SMEs operating across borders or serving regulated sectors face particular challenges, as they must navigate multiple regulatory requirements simultaneously.
However, early preparation and strategic compliance planning can turn regulatory burden into competitive advantage, demonstrating to customers and partners that your business takes cybersecurity seriously in an increasingly digital economy.
