What’s happening? Small and medium enterprises (SMEs) face a wave of new cybersecurity legislation from both the EU and UK in 2025, requiring immediate preparation for Compliance with regulations that could significantly impact business operations and costs.
Key Cybersecurity Laws SMEs Must Prepare For:
EU Regulations (Already Adopted):
• NIS2 Directive – Updated Network and Information Systems security requirements
• DORA – Digital Operational Resilience Act for financial services
• CRA – Cyber Resilience Act for connected products
• AI Act – Comprehensive artificial intelligence regulation
UK Legislation (Upcoming):
• Cyber Security and Resilience Bill – UK’s response to NIS2
• AI Bill – Focus on frontier AI model regulation
What Is the NIS2 Directive?
The Network and Information Systems Directive 2 (NIS2) is the EU’s updated cybersecurity framework requiring organizations to:
• Implement robust cybersecurity risk management measures
• Report significant cyber incidents within 24 hours
• Ensure supply chain security assessments
• Conduct regular security audits and vulnerability assessments
• Maintain business continuity and crisis management procedures
Who must comply: Essential and important entities including energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space sectors.
How Will DORA Affect SMEs?
The Digital Operational Resilience Act (DORA) specifically targets financial services firms and their suppliers, requiring:
• ICT risk management frameworks
• Incident reporting within strict timeframes
• Operational resilience testing including threat-led penetration testing
• Third-party risk management for all ICT service providers
• Information sharing arrangements for cyber threat intelligence
SME impact: Any SME providing services to financial institutions must comply with DORA requirements.
What Is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) introduces cybersecurity requirements for products with digital elements:
• Mandatory security standards for connected devices
• Vulnerability disclosure processes
• Security updates throughout product lifecycle
• CE marking requirements with cybersecurity declarations
• Market surveillance and compliance monitoring
Who’s affected: SMEs manufacturing or importing IoT devices, smart appliances, industrial equipment, or software products sold in the EU.
What Will the UK’s Cyber Security and Resilience Bill Include?
The UK’s Cyber Security and Resilience Bill represents Britain’s response to the EU’s NIS2 directive. While full details remain limited, expected provisions include:
• Equivalent security requirements to NIS2 for critical sectors
• Incident reporting obligations for cyber attacks
• Supply chain security mandates
• Regular security assessments and audits
• Penalties for non-compliance
Timeline: Specific implementation dates not yet announced by UK government.
How Will the UK AI Bill Differ from EU AI Act?
EU AI Act focus:
• Comprehensive regulation across all AI applications
• Risk-based approach with prohibited and high-risk categories
• Compliance requirements for AI system providers and deployers
UK AI Bill (expected focus):
• Frontier AI models – Advanced AI systems with significant capabilities
• Safety and security standards for cutting-edge AI development
• Innovation-friendly approach balancing regulation with growth
• International cooperation on AI governance
What Should SMEs Do Now?
Immediate compliance steps:
1. Assess current exposure – Determine which regulations apply to your business
2. Conduct security gap analysis – Identify areas requiring improvement
3. Implement incident response procedures – Prepare for mandatory reporting requirements
4. Review third-party contracts – Ensure suppliers meet new security standards
5. Budget for compliance costs – Factor in audit, training, and system upgrade expenses
Which SMEs Are Most at Risk?
High-priority sectors for immediate action:
• Financial services providers and their suppliers (DORA)
• Technology manufacturers and importers (CRA)
• Critical infrastructure suppliers (NIS2/UK Bill)
• AI system developers and deployers (AI Act/UK AI Bill)
• Cross-border service providers (multiple jurisdictions)
What Are the Penalties for Non-Compliance?
EU regulation penalties:
• NIS2: Up to €10 million or 2% of annual worldwide turnover
• DORA: Up to €1 million or 1% of annual net turnover for smaller firms
• CRA: Up to €15 million or 2.5% of annual worldwide turnover
• AI Act: Up to €35 million or 7% of annual worldwide turnover
UK penalties: Expected to mirror EU levels but specific amounts not yet confirmed.
When Do These Laws Take Effect?
Implementation timeline:
• NIS2: EU member states must transpose by October 2024 (enforcement beginning)
• DORA: January 17, 2025 (full application)
• CRA: Phased implementation from 2025-2027
• AI Act: Phased implementation 2025-2027
• UK Bills: Timeline to be announced
How Can SMEs Prepare for Multiple Jurisdictions?
Best practice approach:
1. Map regulatory overlap – Identify common requirements across jurisdictions
2. Implement highest standards – Meet most stringent requirements to ensure broad compliance
3. Seek professional guidance – Engage cybersecurity and legal experts
4. Join industry associations – Access sector-specific compliance guidance
5. Monitor regulatory updates – Stay informed of implementation details
What Support Is Available?
Resources for SMEs:
• Government guidance – Watch for official implementation guidance
• Industry bodies – Sector-specific compliance support
• Cybersecurity frameworks – ISO 27001, NIST, and other established standards
• Professional services – Legal and cybersecurity consultancies
• Peer networks – Industry forums and compliance communities
Why This Matters for UK SMEs
The convergence of EU and UK cybersecurity legislation creates a complex compliance landscape. SMEs operating across borders or serving regulated sectors face particular challenges, as they must navigate multiple regulatory requirements simultaneously.
However, early preparation and strategic compliance planning can turn regulatory burden into competitive advantage, demonstrating to customers and partners that your business takes cybersecurity seriously in an increasingly digital economy.
