The BIG Q&A: Cybersecurity Measures & Strategy with a Small Budget, EU Regulations, NIS2, DORA and Certifications
Photo: Cyttraction, Matthias Rüby


I have more than 25 of you on my follow-up list with all your questions around cybersecurity measures & strategy with a small budget, EU regulations, NIS2, DORA, CRA, AI Act and certifications.

So: much easier for me to write one new newsletter article and send you the link. :-D


1. What the hell is going on? Why are we discussing EU cybersecurity regulations at business events, and why are corporate clients sending out compliance questionnaires like wild?

The EU's General Data Protection Regulation (GDPR) might have been the first one with big effects on digital businesses all over the world. Just recently, in February 2024, the Digital Markets Act came into effect. Cybersecurity regulation gets upgraded with NIS2 for critical infrastructure companies (and their supply chain) in October and with DORA, the Digital Operational Resilience Act, for the financial sector (and their supply chain) in January 2025. And these are not the only new or upgraded technology regulations companies have to deal with.

150,000❗️companies in the EU are directly affected by the stricter EU cybersecurity regulation NIS2 - and they are already passing the higher cybersecurity and business continuity requirements on to their international business partners.

In parallel, other production, industry and ESG regulations follow the same supply chain logic: strict measures for medium-sized and big companies - and everybody who wants to work with them has to follow.

Especially for small companies, this can become a chicken-and-egg problem: how do you win a project when the corporate client answers a first request for cooperation with its minimum compliance standards?

And even those who have already concluded contracts can no longer be sure that they will not lose them again. Because whoever does not force suppliers to comply carries the liability risk on their own side.

In the past, vendor management was often organized using questionnaires and spreadsheets. Now there are more and more tools that make the whole thing quicker and easier - but also leave less room for suppliers.


Example of a vendor management platform: KSV CyberRisk Manager


2. What is an Information Security Management System?

The globally standardized way to manage your company's cybersecurity level, meet regulations and answer client compliance requests is to build up an Information Security Management System (ISMS), with at least an eye on the International Organization for Standardization's ISO 27001.

ISO logic in short:

  • Management gives an overview of the company and business model, and gives the order to fulfill the ISO standard.
  • A project manager or team takes on the operational part and makes sure that standards and requirements are implemented and that controls can be fulfilled. You can get an idea of the to-do list by looking at the Cyttraction Cybersecurity Project Guide curriculum.
  • Management reviews.
  • In the case of a certification with an annual audit, the internal and then the external auditor check and challenge the strategy and documentation before issuing the label.

This does not mean that a company will never be attacked, but that it is in a much better position: it can keep many easy attacks away from its systems and is still able to act and react in the event of a successful cyber attack.

Great additional benefit: once a company knows how to structure, align and document risk management processes, it can manage all of them using the same tools and patterns, which leads to lots of synergy effects, data sharing and cost reduction.

For everybody who e.g. creates digital products or produces hardware, there are lots of additional options to prove security and (re-)build trust with clients.

3. Who is taking care of this ISMS setup and how long does it take?

To avoid making your company permanently dependent on external consultants, I always recommend choosing someone from your existing team: a team assistant, a project manager, somebody who is curious about cybersecurity and/or further education. No specific IT or security experience is necessary.

Just keep in mind that it takes time to analyse the status quo, build up the ISMS, implement the work, tech and communication processes, and test, adjust and document them. For a small company, 6 months is a good project timeline.

4. Do I need an ISO certification to prove my cyber readiness?

Not necessarily.

First: you should know how this bubble works and all the keywords, so that you can show your competence and not answer a compliance questionnaire with something like "No. We don't have any cybersecurity measures in place."

Second: Every ISMS needs a solid foundation and acceptance within your team.

Third: Then we decide whether you need an ISMS tiny house or a skyscraper, depending on your business and growth model as well as your (target) clients' requirements.

Fourth: Now it's time to analyse, update, build and maintain. Don't underestimate this process. This is where cybersecurity really "happens". Do it, document it.

Fifth: If steps 1-4 work well, you can already prove your cyber readiness.

If you have a client who makes it mandatory for you to get certified, because otherwise you would lose a contract, then you still have to follow the steps above BUT with the concrete goal of getting ISO certified.

5. How much does it cost?

It's not mandatory to implement specific software to set up and maintain your ISMS. The lowest level is a Word booklet or an Excel spreadsheet. If you already use a project management or ticketing tool, you can use that too.

Defining cybersecurity budgets very much depends on your business and industry. You might hear numbers like 10% of the IT budget or 3 to 14% of annual revenue. If you need help with calculations for your business, feel free to write to me and schedule a 1:1 session.

From my experience, you also have options to cut IT costs by "cleaning up" your infrastructure first, but you then also have to invest in additional security solutions. My personal entrepreneurial cybersecurity approach includes patterns like leading by example and creating new secure products and services. So my clients cover additional cybersecurity costs by supporting their own clients in meeting regulations.

The CyberTrust Europe silver label comes with a self-assessment and feedback round, costs EUR 1390+VAT initially and EUR 1190+VAT for every following year.

An ISO certification requires regular internal and external audits. You might also like to hire an external consultant to help with the annual audit preparation and avoid blind spots in your strategy. Daily cybersecurity consulting rates in Europe start at EUR 1500+VAT. Certification companies charge for the audit and the label. Depending on whether you choose a local onsite audit or a virtual audit with an international expert, prices might vary a lot.

Next to company certifications, there are also personal certifications that help e.g. your cybersecurity project manager prove the new skills.

Cyttraction online course attendees get their certificate after 6 months of working with the course; confirmation of implementation is required.

I hope I could answer the most important questions. Feel free to comment or send me a message for more info. And don't forget to subscribe to this newsletter!



Dr. Philipe REINISCH

Driving Growth. Piloting the Future. | Founder SILKROAD 4.0 | Growth Management for B2B Tech Companies as a Service. | Serial Tech Entrepreneur and Creative Trouble Shooter. | World Explorer.

6mo

The rise of AI-powered cyber threats underscores that regulatory compliance alone is insufficient for robust cybersecurity. While the 150,000 companies impacted by NIS2 must adhere to stricter regulations, a proactive cybersecurity posture extending beyond mere compliance is vital. Have these organizations genuinely bolstered their defenses against the rapidly evolving threat landscape, or are they solely focused on checking regulatory boxes? Well. I assume time will tell who did one's homework properly... 😊 #cyberattacks

Carolin Desirée Toepfer

Chief Information Security Officer | Founder @Cyttraction | Global Learning Communities & Events | Keynote Speaker | Digital projects since 2004

6mo
