Hi,
This post is for small mid-cap companies operating in or with the EU.
If your company is not a global giant, but also not a small startup,
you may fall into a new category the European Union is starting to define: small mid-cap.
In general, this can include companies with hundreds to a few thousand employees, meaningful EU operations, and real cyber exposure.
The exact definition is not final yet, but the direction is clear.
So what is the EU trying to change?
• Add proportionality to NIS2, instead of treating mid-sized companies like national critical infrastructure
• Simplify compliance, reporting, and supervision, so teams can focus on security, not paperwork
• Move toward a more risk-based approach for companies with limited enterprise-level resources
Why does this matter?
Many small mid-cap companies sit in the middle:
they adopt AI quickly, rely on third parties, and face real threats, but struggle with heavy regulatory burden.
In a way, this shift is not new.
What the EU is now trying to do with small mid-cap companies, the US has been doing for years through materiality-based regulation rather than size-based rules.
The legislation is still evolving, but it is worth paying attention to these changes now.
Read this article for more info.
What is currently harder for your organization under NIS2:
understanding what really applies to you, or how far you’re expected to go?
Stay safe and proactive