New EU Cyber Laws Explained: What Every Small Business Must Know

Government, Law & Justice / By /

Last year, a small online retailer in Italy was hit with a ransomware attack.

They survived the hack—but not the fine.

Because they didn’t report the breach within the new required time frame, regulators fined them over €30,000.

This wasn’t a big corporation with a cybersecurity department. It was a five-person team with a Shopify store. And what happened to them? It could happen to any small business in the EU.

The Rising Threat: Why the EU Is Cracking Down on Cybercrime

Cyberattacks are no longer just targeting banks or governments. They’re hitting small cafés in Vienna, logistics firms in Poland, wedding planners in Portugal.

And here’s the hard truth: Most small businesses aren’t prepared.

In response, the EU has introduced two major laws:

  • NIS2 Directive
  • Cyber Resilience Act (CRA)

Think of these as Europe’s way of saying:

“If you’re connected to the internet, you need to take cybersecurity seriously—no excuses.”

Why now?

Because damage from cyberattacks is rising fast. A single data breach can cripple operations, destroy customer trust, and now — even trigger legal consequences.

So whether you run a small online shop, manage client data, or use third-party vendors, these laws will likely apply to you. If you’re unfamiliar with how cyberattacks happen or what makes small businesses such easy targets, this real-world breakdown of common online threats and scams offers a simple starting point.

And ignoring them? Not a good idea.

Introducing the CRA & NIS2 — What’s Changing in 2025

Okay, let’s break them down—without the jargon.

The Cyber Resilience Act (CRA)

This law focuses on products with digital elements—think software, smart devices, cloud tools, even routers you install in your office.

If you make, sell, or even use these products, CRA wants them to be:

  • Secure by design
  • Regularly updated
  • Free from known vulnerabilities

CRA also expects transparency. If there’s a serious issue with a device or software you rely on, it must be disclosed.

Even if you’re not a manufacturer, if your business sells or integrates digital tools into what you offer—CRA will touch you.

For example, if your site offers age-restricted content or services, you’re expected to implement responsible digital safeguards. This includes practices like secure and legally compliant age verification to help protect minors and stay aligned with CRA expectations.

The NIS2 Directive

This one’s about network and information systems security. It’s a stricter version of a 2016 law (NIS1), now extended to more sectors and smaller entities.

Here’s the big update:
Under NIS2, many SMEs are no longer exempt.

If you run a business in sectors like:

  • Digital services
  • Health
  • Transport
  • Manufacturing
  • Utilities
  • Online retail


… you may now fall under “important entity” status—even if you’re under 50 employees.

That means you’ll be expected to:

  • Identify risks
  • Secure systems
  • Report incidents
  • Manage third-party vendors

And this isn’t a suggestion. It’s a legal obligation.

What This Means for Small Business Owners

Let’s keep it simple. Here’s what’s changing for you as a business owner:

1. You’ll need a basic cybersecurity plan

No more winging it. Regulators expect a documented strategy—what threats you face, how you’re prepared, and what you’ll do if something goes wrong.

2. You can’t ignore software updates

Ever clicked “remind me later” on a system update? Under CRA, that delay might expose you to liability if an incident occurs through known vulnerabilities.

3. You’re responsible for your supply chain

If your cloud storage provider, shipping platform, or payment system gets hacked—and that affects your customers—you could be held partially liable. NIS2 demands that businesses evaluate vendor risks, even if you’re not the one writing code.

4. You’ll have to report serious incidents fast

Under NIS2, if a breach occurs, you’ll typically need to report it within 24 to 72 hours—not to customers, but to national authorities. And yes, failing to report is itself a violation.

Why Ignoring This Could Cost You More Than a Fine

You might be thinking,

“Okay, but I’m just a small operation—will anyone really come after me?”

Here’s the thing:
Regulators won’t be checking every business. But if something happens, you can be audited.

Let’s say you suffer a breach and your customers’ data leaks. Investigators will ask:

  • Did you follow NIS2 guidelines?
  • Was your software up to date?
  • Did you perform a risk assessment?

If not, they can issue fines of up to €10 million or 2% of annual turnover under CRA, and similar under NIS2.

But it’s not just about money. Failing to comply could:

  • Trigger reputation loss
  • Invite civil lawsuits
  • Lead to terminated contracts with EU-based partners

And worst of all?
Loss of customer trust — which no amount of marketing can buy back.

5 Things You Must Do Before the Deadlines

You don’t need a legal team or cybersecurity firm to get started. Just take action on these five essentials:

1. Run a Cyber Risk Assessment

Ask yourself:

  • What data do I store?
  • Where is it stored?
  • Who has access?
  • What happens if it’s lost or stolen?

This forms the foundation of your compliance plan.

2. Update Your Software and Devices

Make a list of every app, tool, and device your team uses. Then ensure:

  • Automatic updates are enabled
  • Default passwords are changed
  • Known vulnerabilities are patched quickly

3. Vet Your Third-Party Providers

If you rely on cloud services, payment processors, or logistics apps, check their security policies.
Ask:

  • Do they comply with NIS2 or CRA?
  • How do they handle incident reporting?

4. Create a Basic Incident Response Plan

What will you do if your site gets hacked or customer data is leaked?
Your team should know:

  • Who to notify
  • How to isolate the issue
  • What to document for regulators

Even a one-page plan is better than chaos.

5. Train Your Team (Even If It’s Just You and a Laptop)

Cybersecurity isn’t just IT’s job—it’s everyone’s job.
Teach your team (or yourself) how to:

  • Spot phishing emails
  • Use strong passwords
  • Report suspicious activity

No jargon. Just good habits.

Is Compliance a Nightmare? Not If You Start Now

Still overwhelmed?

Here’s some good news:
You’re not alone, and help is out there.

The EU’s cybersecurity agency, ENISA, offers:

  • Free guidelines
  • Sector-specific templates
  • Toolkits for SMEs

You can also talk to consultants—many offer affordable audits and basic compliance roadmaps tailored to small businesses.

Want proof this is doable?

A florist chain in France (5 locations, 22 employees) recently became CRA-ready. They:

  • Documented basic risks
  • Switched to a more secure point-of-sale system
  • Got a checklist from a local IT consultant
  • Trained staff during morning briefings

That’s it. No enterprise software. No law firms. Just commitment.

Compliance Is Security — and Smart Business

Here’s the real takeaway:

These new laws aren’t here to punish you—they’re here to protect you.

Because when you lose customer data, face a ransomware lockout, or watch your website vanish…
You don’t just lose money.
You lose trust. And in today’s world, trust is your most valuable asset.

So start now.

Make a plan.
Ask for help if you need it.
And remember: you don’t need to be a cybersecurity expert to protect your business—just a smart, prepared one.