EU Cybersecurity Act and the role of standards for SMEs

Executive summary

• The EU Cybersecurity Act (CSA) introduces a comprehensive, EU-wide framework for the certification of Information and Communication Technologies (ICT) products, services and

• Standards and technical specifications will likely play an important role in defining the requirements in the EU-wide certification schemes under the CSA. However, the burdensome certification requirement for ICT SMEs might add to their inability to scale up. Thus, there is a need to think about SME-compatible standards and solutions within the framework of the EU Cybersecurity Act: SBS suggests that the standards should be accessible, affordable and adapted to SMEs.

• The category of ‘small and medium-sized enterprises’ is not homogeneous. There is a need for greater distinction between different types and sizes of SMEs and their role in the digital ecosystem in order to make sure that cybersecurity solutions are tailored to them. SBS provides four options to build on existing standards in the area of cybersecurity and make sure they are adapted to SMEs.

• SBS proposes a simple platform which would be a ‘one-stop-shop’ for practical guides on cybersecurity for SMEs. The long-term goal is to increase the overall level of cybersecurity assurance among companies in Europe, and a mix of both raising awareness and providing practical solutions is needed.


