NIS2 for European SMEs

❓ What the law says (in simple words)

The NIS2 Directive states that every company must have a "cybersecurity policy" — a document explaining how the company protects its systems and data.

The policy can be brief, but must contain this information:

• (a) The company's approach to cybersecurity
• (b) How it aligns with business objectives
• (c) Specific security objectives
• (d) A commitment to continuous improvement
• (e) Resources assigned (person, budget, tools)
• (f) Who must know this policy
• (g) Roles and responsibilities
• (h) Documentation retention
• (i) List of specific policies (password, backup, etc.)
• (j) Indicators to measure effectiveness
• (k) Approval date by management

📝 What you must do (practical list)

• Write the policy — even 2-3 pages are fine if they cover everything
• Have it signed by management (CEO, CTO, or director)
• Communicate it to all employees (email, meeting, notice)
• Keep signatures of those who read and understood it
• Review it at least once a year

📋 Practical example for an SME

"Our company is committed to protecting customer data and IT systems through: monthly software updates, quarterly training on cyber risks, weekly backups of critical data, and annual security review. The responsible person is John Smith (security@company.com)."

❓ What the law says

You must assign specific roles for cybersecurity. Even a single person can be enough, but it must be clear who does what.

📝 What you must do

• Appoint a security manager — can be an external consultant
• Write the roles in the document
• This person must speak directly with management
• Everyone must know who to contact in case of a problem
• Appoint a deputy for continuity

📋 Minimum roles for an SME

❓ What the law says

You must carry out a risk assessment — understand what could go wrong (hacker attack, data loss, hardware failure) and how serious it is.

📝 What you must do

• Make a list of main risks — e.g., "Server without updates", "Weak passwords", "No backup"
• Give a score to each risk (low, medium, high)
• Decide what to do — avoid, reduce, transfer (insurance), or accept
• Management must approve the choices
• Review everything at least once a year

📋 Practical example

❓ What the law says

If a cyber incident occurs (attack, data breach), you must:

• Detect it — understand that it happened
• Contain it — limit the damage
• Report it — within 24 hours to the competent authority (your national CSIRT)

📝 What you must do

• Create an incident response plan — even simple, with 3-4 steps
• Keep a list of useful contacts (IT consultant, national CSIRT, suppliers)
• Document every incident — what happened, when, how you resolved it
• Within 24 hours — report serious incident to your national CSIRT
• Within 72 hours — send a detailed report

📋 Quick checklist for incidents

• □ Who discovered the incident?
• □ What exactly happened?
• □ Which systems/data are involved?
• □ Have you contained the incident?
• □ Who do you need to call? (Your national CSIRT)
• □ Have you documented everything?
• □ How do you prevent it from happening again?

❓ What the law says

You must have a plan to keep running if something serious happens (flood, fire, hacker attack).

📝 What you must do

• Do regular backups — at least weekly, kept in a safe place
• Backups must be tested — verify that they actually work
• Create a recovery plan — if the server dies, how do you restore it?
• Define RTO and RPO:
  • RTO = how long can you go without systems?
  • RPO = how much data can you afford to lose?

📋 Backup example for SMEs

❓ What the law says

Your suppliers (cloud provider, software house, hosting) are a risk. If a supplier is hacked, it can compromise you too.

📝 What you must do

• List critical suppliers — who has access to your data/systems?
• Verify reliability — ask for security attestations
• In contracts — include security clauses

❓ What the law says

When you buy software or IT services, you must verify that they are secure. Don't buy just because it's cheap.

📝 What you must do

• Before buying — ask if the software has certifications
• Patch management — always update everything
• Network segmentation — don't put everything on the same network

❓ What the law says

The human factor is the leading cause of incidents. You must train employees.

📝 What you must do

• Basic courses — at least annually for everyone
• Simulate phishing attacks — so you see who falls for it
• Basic rules: Strong passwords (min 12 chars), MFA, don't click on strange links

❓ What the law says

Sensitive data must be encrypted — both in transit (HTTPS) and at rest.

📝 What you must do

• HTTPS on all sites — no more HTTP
• Encrypted disks on laptops (BitLocker, FileVault)
• Encrypted backups — keys managed well

❓ What the law says

Employees are a risk — when they join and when they leave.

📝 What you must do

• On hiring — verify background, sign NDA
• Onboarding — immediate cybersecurity training
• During employment — periodic training, monitoring
• On exit — immediate access revocation, device return

❓ What the law says

Not everyone needs access to everything. Least privilege principle.

📝 What you must do

• Defined roles — who can do what
• MFA mandatory for admin accounts
• Quarterly review — who still has legitimate access?

❓ What the law says

You need to know what you have — hardware, software, data. You can't protect what you don't know.

📝 What you must do

• Inventory — servers, PCs, smartphones, software
• Classification — which is critical? which is sensitive?
• Removable media management — USB dangerous if infected

❓ What the law says

Servers in the garage with the door open are not acceptable.

📝 What you must do

• Protected servers — locked room, access only to those who need it
• Recorded physical access — know who enters data centres
• Environmental protection — fire, flood, temperature
• Secure disposal — destroy hard drives before throwing them away