SME Cybersecurity 2026: the essential guide
Author: KOLOSALTech team · Rennes, France · Updated May 2026
Chapter 1 — Mapping cyber risks in an SME in 2026
In 2026, a French SME with 50 employees receives on average more than 1,200 suspicious emails per month, and 78% of incidents stem from phishing compromise or stolen credentials. The four principal risks to map before any other investment:
- Ransomware: file encryption + double extortion (data publication). Average cost 250k€ for a 30-seat SME.
- Email compromise (BEC): wire fraud via executive mailbox hijacking.
- Data theft: silent exfiltration, GDPR triggers CNIL notification within 72 hours.
- Unavailability: outage, fire, RaaS groups attacking backups — how many days without IT can you survive?
Chapter 2 — NIS2 compliance: what really applies
The NIS2 directive (transposed into French law in 2024-2025) massively expands the scope compared to NIS1. Concretely, you are subject to it if:
- You have more than 50 employees OR more than 10M€ in revenue AND you operate in a listed sector (energy, transport, banking, healthcare, water, digital, agrifood, manufacturing, postal services, space…).
- You provide essential digital services (DNS, datacenter, MSP, cloud).
Key obligations: documented cyber governance, risk management, incident notification within 24 hours, secure supply chain, ongoing training. Penalties up to 10M€ or 2% of global turnover.
Chapter 3 — 3-2-1 backup + immutability (anti-ransomware)
The timeless 3-2-1 rule, 2026 enhanced version:
- 3 data copies (1 production + 2 backups)
- 2 different media (local NAS + object cloud for example)
- 1 copy off-site geographically
- + 1 immutable copy (S3 Object Lock, Veeam hardened repository, LTO tapes)
- + 0 errors on monthly restore tests
Ransomware of the 2024-2026 generation primarily targets backups. An untested backup is a missing backup.
Chapter 4 — Choosing EDR/XDR without getting fooled
EDR (Endpoint Detection & Response) replaces traditional antivirus. Realistic selection criteria for SMEs:
- Automatic rollback on encryption (Bitdefender, Sophos)
- Cloud console + mobile alerting (workable with a fractional CISO)
- Optional 24/7 MDR (you don't have an internal SOC, don't pretend you do)
- Transparent pricing < 100€/seat/year for SME EDR + MDR suite
- Native integration with your firewall and identities (M365 / AD)
Beware of "XDR" that is just rebranded EDR. Ask for the list of telemetry sources (endpoint, network, cloud, identity, mail) before signing.
Chapter 5 — MFA, passwords, AD hardening
Zero-cost measures that block 95% of opportunistic attacks:
- MFA mandatory on all admin accounts (M365, AD, VPN, cloud console) — TOTP or FIDO2, not SMS
- Bitwarden / 1Password with centralized management (never plain-text passwords in a shared Excel file)
- Password policy: passphrase 16+ characters, no stupid forced rotation
- AD tier model (Tier 0 admin, Tier 1 servers, Tier 2 workstations)
- Microsoft LAPS for unique local admin passwords per workstation
- Disable SMBv1, NTLMv1 and other legacy protocols
Chapter 6 — Prioritized 90-day action plan
Month 1 — Stabilize
- Enable MFA everywhere possible
- Audit backups: when was the last restore test?
- Disable inactive accounts (unrevoked departures = open door)
- Patching: Windows, Office, browsers and VPN updated within 7 days
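A read-only audit of the Chapter 5 items that can be checked from a domain-joined host (SMBv1, NTLMv1 via LmCompatibilityLevel, LAPS coverage) together with the Month 1 "inactive accounts" check, as an added example that is not part of the KOLOSALTech guide. It assumes an elevated PowerShell 5.1+ session with the RSAT ActiveDirectory module; the 90-day inactivity threshold and the "Windows 1*" workstation filter are assumptions to adapt.

```powershell
# Added example, not from the guide: read-only audit of AD hardening items.
# Assumes an elevated session, RSAT ActiveDirectory module, domain-joined host.
#Requires -Modules ActiveDirectory
$findings = [System.Collections.Generic.List[string]]::new()

# 1. SMBv1 on the server side of this host (expected: disabled)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) { $findings.Add('SMBv1 server protocol is ENABLED') }

# 2. NTLMv1: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
#    An absent value means the OS default applies, which is below 5.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$level = $lsa.LmCompatibilityLevel
if ($null -eq $level -or $level -lt 5) {
    $findings.Add("LmCompatibilityLevel is '$level' (expected 5 to refuse NTLMv1/LM)")
}

# 3. Still-enabled user accounts with no logon for 90 days (unrevoked departures).
#    90 days is an assumed threshold; align it with your HR leaver process.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled }
foreach ($u in $inactive) {
    $findings.Add("Enabled user inactive >90d: $($u.SamAccountName) (last logon $($u.LastLogonDate))")
}

# 4. LAPS coverage: a workstation without a password-expiration timestamp has no
#    LAPS-managed local admin password. Check which LAPS schema attribute exists
#    (Windows LAPS: msLAPS-PasswordExpirationTime, legacy LAPS: ms-Mcs-AdmPwdExpirationTime).
$schema = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = @('msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime') |
    Where-Object { Get-ADObject -SearchBase $schema -LDAPFilter "(ldapDisplayName=$_)" }
if (-not $lapsAttrs) {
    $findings.Add('No LAPS attribute in the AD schema: LAPS is not deployed')
} else {
    # Assumed workstation filter: client OS names start with "Windows 1" (10/11).
    $ws = Get-ADComputer -Filter 'OperatingSystem -like "*Windows 1*"' -Properties $lapsAttrs
    foreach ($c in $ws) {
        $covered = $lapsAttrs | Where-Object { $c.$_ }
        if (-not $covered) { $findings.Add("Workstation without LAPS password: $($c.Name)") }
    }
}

if ($findings.Count -eq 0) { 'No findings: all checked items pass.' } else { $findings }
```

The script only reads configuration and directory attributes; act on each finding through your normal change process (disable the account, deploy LAPS, push the LSA policy by GPO) rather than from the script.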
Month 2 — Reinforce
- Deploy modern EDR (Bitdefender, Sophos, Defender P2)
- Implement immutable backup (Wasabi, Veeam Hardened)
- 30-minute phishing training for all employees
- Document a minimal BCP/DRP (who calls whom during an incident)
Month 3 — Operationalize
- External audit (light pentest or configuration audit)
- Subscribe to cyber insurance (nearly mandatory in 2026)
- Crisis communication plan (legal, press, customers)
- 24/7 MDR engagement if you lack an internal on-call rota
Going further
This guide remains a general framework. Every SME has its context (size, sector, regulatory constraints, budget). If you want a personalized audit of your infrastructure, KOLOSALTech offers a 30-minute session — no commitment.
→ Request an SME cybersecurity audit
© 2026 KOLOSALTech — Rennes, France · contact@kolosaltech.com · kolosaltech.com