Proportionate Cybersecurity for Micro-SMEs: A Governance Design Model under NIS2
Roberto Garrone

TL;DR
This paper proposes a governance design model for proportionate cybersecurity in micro-SMEs, emphasizing awareness and risk reduction, aligned with EU regulations like NIS2, to enhance practical cyber resilience.
Contribution
It introduces a seven-dimension preventive architecture tailored for micro-SMEs, integrating awareness-first logic with EU regulatory frameworks for proportionate cybersecurity.
Findings
Awareness is a key lever for increasing cyber-risk sensitivity.
The model clarifies regulatory scope and limits under EU directives.
Proportionate governance enhances SME cyber resilience without excessive burden.
Abstract
Micro and small enterprises (SMEs) remain structurally vulnerable to cyber threats while facing capacity constraints that make formal compliance burdensome. This article develops a governance design model for proportionate SME cybersecurity, grounded in an awareness-first logic and informed by the EU Squad 2025 experience. Using a qualitative policy-analysis and conceptual policy-design approach, we reconstruct a seven-dimension preventive architecture (awareness and visibility, human behaviour, access control, system hygiene, data protection, detection and response, and continuous review) and justify each dimension's contribution to proportionality and risk reduction. We then map the model's regulatory scope and limits against the NIS2 Directive, Commission Implementing Regulation (EU) 2024/2690, the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA), and the EU…
Taxonomy
Topics: Information and Cyber Security · Supply Chain Resilience and Risk Management · Cybersecurity and Cyber Warfare Studies
