The European Commission has proposed a targeted adjustment to NIS2, the directive that sets cybersecurity obligations for organizations operating in the EU in the sectors it covers. The goal is not to lower the bar, but to make the rules clearer, more proportionate, and less costly to implement. Around 28,700 companies would be affected by this simplification, including 6,200 smaller organizations. For an SME, the message is straightforward: compliance remains serious, but it becomes far more manageable.
The SME Opportunity
For founders and leaders of small and mid-sized businesses selling to enterprise accounts or regulated sectors (energy, healthcare, finance, manufacturing, digital services), this is good news. Why? Because a more readable compliance path keeps NIS2 from turning into a bureaucratic maze. Under the proposal, it would be easier to understand who is in scope, which incidents must be reported, and which risk-management measures need to be in place. The result: less time spent interpreting the law, more time spent securing what actually matters.
In practice, this makes it possible to embed NIS2 into a realistic cybersecurity governance model, alongside ISO 27001 or the ANSSI Cybersecurity Framework in France. For an SME, it is also a commercial lever: an organization that can demonstrate NIS2 maturity reassures enterprise buyers, reduces friction in supplier audits, and becomes more credible in RFPs. In other words: less friction, more chances to win and retain the contract.
The real opportunity is that compliance is no longer just a defensive cost. Handled well, it becomes a business accelerator. Mapping critical assets, incident response procedures, third-party security controls, clean documentation: these are building blocks that strengthen both resilience and sales.
The Watchouts
That said, do not confuse simplification with relaxation. NIS2 remains a demanding directive, with potentially heavy penalties and clear board-level accountability. The proposed text still has to be negotiated, adopted, and transposed into national law. In plain English: the rules can still change, and they will not necessarily be identical from one country to another.
Another classic trap is getting the category wrong. Between essential entities, important entities, and the suppliers who serve them, the boundaries can be blurry. For an SME sitting in the supply chain of a major customer, a misread of the scope can lead to underestimating the real effort required. And when that happens, costs escalate fast: urgent remediation, additional audits, tougher contractual clauses, or even the loss of a deal.
One final point to monitor: incident reporting obligations, especially in the event of ransomware. NIS2 already requires an early warning within 24 hours of becoming aware of a significant incident and a fuller notification within 72 hours, so the clock starts running before most SMEs have finished their own triage. Greater transparency is better for collective security, but meeting these deadlines requires solid, rehearsed processes (who decides an incident is significant, who notifies the authority, what gets logged) to avoid legal, insurance, or reputational setbacks.
The Compliance View
At a deeper level, NIS2 does not operate in a silo. For an SME, improving risk management, access controls, logging, and incident response also strengthens the GDPR baseline and, for Swiss or international companies, the Swiss Data Protection Act. If you are also deploying AI in a critical environment, these requirements will need to be aligned with the AI Act to avoid duplication and keep governance coherent.
Conclusion & Cohesium Support
The right takeaway is simple: NIS2 is becoming less intimidating, but it remains a structural framework. For ambitious SMEs, now is the time to turn a regulatory constraint into a competitive advantage.
Instead of improvising, Cohesium AI can support you with an SME-focused NIS2 package: a positioning audit across NIS2/GDPR/Swiss Data Protection Act, sovereign hosting advisory, and, where needed, automation of operational obligations plus AI assistants for monitoring, evidence collection, and audits. Contact us
