An SME's guide to the main cyber regulations
Four key cybersecurity regulatory laws collectively represent the most significant shifts in cyber compliance obligations that SMEs on the island of Ireland have faced since GDPR. Find out what they are and what they mean for your business.
Small and medium-sized enterprises (SMEs) operating on the island of Ireland face an increasingly complex cybersecurity regulatory landscape shaped by both EU and UK legislation, creating unique challenges for cross-border operations.
Four key cybersecurity regulatory laws, namely the EU NIS2 Directive, the EU Cyber Resilience Act (CRA), the UK Product Security and Telecommunications Infrastructure Act 2022 (PSTI) and the UK Cyber Security and Resilience Bill 2025 (CSR Bill), together with the NCSC UK Cyber Resilience Audit Scheme, collectively represent the most significant shifts in cyber compliance obligations that island-of-Ireland SMEs have faced since GDPR.
What do the cyber regulations mean for SMEs in Northern Ireland?
Northern Ireland occupies a legally unique position: it is part of the United Kingdom but, under the Windsor Framework, remains aligned to EU single-market rules for goods. The PSTI Regulations 2023, for example, explicitly recognise this duality by carving out certain products supplied in Northern Ireland that are subject to legislation listed in Annex 2 of the Windsor Framework.
For Ireland-based SMEs, EU law applies directly. The NIS2 Directive and the Cyber Resilience Act are EU instruments; Ireland is obliged to transpose or implement them. Ireland is expected to transpose the NIS2 Directive into law in 2026.
Northern Ireland-based SMEs must simultaneously monitor UK legislation, including the Cyber Security and Resilience (Network and Information Systems) Bill introduced to Parliament on 12 November 2025, which extends to the whole of the UK.
The UK regulatory landscape
Following Brexit, the UK has developed its own cybersecurity regulatory framework which, while independent of EU regulations, shows significant alignment in objectives and increasingly in standards. The UK's approach focuses on proportionate regulation that protects consumers and critical infrastructure while promoting innovation.
The Product Security and Telecommunications Infrastructure Act (PSTI) currently addresses consumer connectable products, banning weak default passwords and requiring transparency on security update periods for IoT consumer devices. Following the regulatory trajectory set by the EU's Cyber Resilience Act, PSTI is expected to be broadened to cover more products in the future.
The Cyber Security and Resilience Bill represents the UK's expansion of its version of NIS1, with an approach similar to NIS2 in the EU. A notable difference from previous iterations is that regulators can now manually designate a small SME as a 'Critical Supplier' if it is identified as a vital link in a supply chain, moving away from the blanket exemption for micro-businesses that previously existed.
The shift of cybersecurity from IT to a product safety conformity driver
Cybersecurity has evolved from an IT concern to a product safety conformity requirement. In the EU, the introduction of the Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive marked the first time that explicit cybersecurity requirements became operational within the CE-marking framework for certain categories of radio equipment.
From 11 December 2027, this Delegated Regulation will be repealed and replaced by the broader Cyber Resilience Act, which introduces horizontal cybersecurity requirements for a wide range of digital products. Under the Windsor Framework, similar requirements apply in Northern Ireland through EU regulations [1].
Overview of key cybersecurity regulations for cross-border SMEs
Detailed guidance on each regulation is provided in separate articles; however, cross-border SMEs should be aware of four key regulatory frameworks and their general applicability.
1. NIS2 Directive (EU)
Who does NIS2 (EU) affect? Essential and Important entities across multiple sectors. Small and micro entities (under 50 employees and €10 million revenue) are generally not directly regulated [2] but face indirect requirements through supply chains.
Why should SMEs care about NIS2 (EU)? Large organisations subject to NIS2 are required to ensure supply chain security. This means SME suppliers are increasingly being asked to demonstrate NIS2-level security capabilities as a condition of contracts and tenders. According to the SME MTU Cyber Resilience report, 78% of Irish SMEs currently fall into 'Low' or 'Very Low' cyber resilience categories [3].
What is the cross-border relevance of NIS2 (EU)? It applies to operations in EU member states. Irish businesses and NI businesses serving EU markets need to be aware of these requirements. When transposed into Irish law, it will affect how businesses secure their operations and report incidents.
Find out more about NIS2 (EU) here
2. Cyber Resilience Act (EU)
Who does the Cyber Resilience Act (EU) affect? Manufacturers and importers of products with digital elements (hardware and software) placed on the EU market.
Why should SMEs care about the Cyber Resilience Act (EU)? Products must achieve a CE mark for cybersecurity before being sold in the EU [4]. This affects manufacturing, software development, robotics, Industrial IoT, and similar sectors. Requirements include security by design, vulnerability management, and defined support periods.
What is the cross-border relevance of the Cyber Resilience Act (EU)? Any SME (regardless of location) making their products with digital elements available on the EU market must comply with the CRA. Under the Windsor Framework, most NI-manufactured CE-marked goods can access Great Britain without requiring a separate UKCA mark - but this relies on the goods meeting the legal definition of ‘qualifying Northern Ireland goods’, which has specific conditions and excludes goods imported into NI from outside the UK for re-export. In almost all cases NI manufacturers who meet EU/CRA standards will gain access to both the NI/EU and GB markets through a single CE mark, though businesses should verify their specific goods meet the qualifying definition. UK-based manufacturers selling to the EU will need to meet CRA requirements.
Find out more about the Cyber Resilience Act (EU) here
3. Product Security and Telecommunications Infrastructure Act (UK)
Who does the Product Security and Telecommunications Infrastructure Act (UK) (PSTI) affect? Manufacturers of consumer connectable products (currently IoT devices) sold in the UK market.
Why should SMEs care about the Product Security and Telecommunications Infrastructure Act (UK)? Bans weak default passwords and requires transparency on security update periods. Expected to expand to cover more products in future, aligning with CRA scope.
What is the cross-border relevance of the Product Security and Telecommunications Infrastructure Act (UK)? Irish SMEs selling IoT products to Great Britain must comply with PSTI’s security requirements, including banning weak default passwords and providing transparency on security update periods. However, following the Product Safety and Metrology etc. (Amendment) Regulations 2024, CE marking is now accepted indefinitely in Great Britain for most regulated product categories - SMEs in Ireland do not need a separate UKCA mark for GB market access.
It is important to note that CE marking and PSTI compliance are separate obligations: holding a CE mark does not constitute PSTI compliance. That said, businesses that have aligned to the CRA will have addressed most of the underlying PSTI requirements, since both regimes share common foundations - banning weak default passwords, mandating vulnerability disclosure contacts, and setting minimum security update periods. The recommended approach for cross-border SMEs is therefore to use CRA as the baseline, which substantially reduces the additional effort needed to evidence PSTI compliance. Looking ahead, there is a possibility of a future UK–EU Mutual Recognition Agreement (MRA) if PSTI and CRA continue to converge, which could allow CRA conformity to satisfy PSTI obligations formally - however this has not been agreed and SMEs should not rely on it at this stage.
NI manufacturers targeting the GB market must similarly meet PSTI’s security requirements, while those targeting NI/EU markets must meet CRA requirements. Importantly, most NI-manufactured goods bearing CE marking can access Great Britain under the Windsor Framework and UK Internal Market Act without a separate UKCA mark - but this applies only to goods that meet the legal definition of ‘qualifying Northern Ireland goods’. This definition has specific conditions and excludes, for example, goods imported into NI from outside the UK and then re-exported to GB. In almost all cases NI manufacturers will meet this definition, but businesses should verify their specific situation rather than assuming it applies automatically.
Find out more about the Product Security and Telecommunications Infrastructure Act (UK) here
4. Cyber Security and Resilience Bill (UK)
Who does the Cyber Security and Resilience Bill (UK) affect? Critical infrastructure operators; notably, the Bill also allows small SMEs to be designated as 'Critical Suppliers' if they are vital links in supply chains.
Why should SMEs care about the Cyber Security and Resilience Bill (UK)? Represents a shift where size no longer automatically exempts businesses from regulation. SMEs playing critical roles in UK supply chains may be designated regardless of employee count or revenue.
What is the cross-border relevance of the Cyber Security and Resilience Bill (UK)? Irish or NI SMEs supplying critical infrastructure in the UK could potentially be designated as critical suppliers, bringing them under UK regulatory oversight for those activities.
Find out more about the Cyber Security and Resilience Bill (UK) here
Note: The above provides a high-level overview only. SMEs should consult a qualified legal or regulatory professional to determine whether and how these regulations apply to their specific products, business model, and markets before taking compliance decisions. UK-based manufacturers selling to the EU will need to meet cyber security obligations. Contact the Trade Hub for fully funded consultancy support to help your business navigate these regulations.
How are these cyber security regulations different?
While the various regulations differ in scope and specific requirements, several clear patterns emerge that indicate which regulations set the highest standards and present the most demanding compliance challenges for SMEs.
NIS2's Comprehensive Approach
The NIS2 Directive represents perhaps the most comprehensive approach to cybersecurity regulation currently in force. It requires organisations to implement risk management measures covering systems security, incident handling, business continuity, supply chain security, and human resources security [2]. Critically, NIS2 mandates management accountability: the management body must approve cybersecurity measures, oversee their implementation, and can be held liable for infringements [5].
While most SMEs are not directly regulated under NIS2, the directive's influence extends through supply chains. Essential and Important entities must ensure their suppliers meet adequate security standards. This creates a cascade effect where SME suppliers must demonstrate NIS2-level capabilities to maintain business relationships with regulated entities.
The Cyber Resilience Act's Novel Approach
The Cyber Resilience Act introduces a fundamentally different regulatory approach by focusing on product security throughout its lifecycle. Unlike NIS2's organisational focus, the CRA regulates products with digital elements. Manufacturers must ensure security by design, maintain products with security updates for a defined period, and provide clear information about security support duration.
The CRA's requirements for vulnerability handling, security updates, and lifecycle support periods impose ongoing obligations that extend far beyond a product's initial sale. For SME manufacturers, this represents a significant shift requiring sustainable business models that can support long-term security commitments.
Emerging Trends: Regulatory convergence and its challenges
Despite differences in jurisdiction and specific requirements, a clear trend towards regulatory convergence is evident across the cybersecurity landscape. Both EU and UK regulations increasingly emphasise similar core principles: security by design, supply chain security, management accountability, and lifecycle security management. This convergence reflects a shared understanding that cybersecurity weaknesses anywhere create vulnerabilities everywhere.
The European Commission is working towards harmonised implementation of NIS2 across member states. According to the NCSC conference materials [5], milestones included publication of the EU-wide cross-border entities security measures and incident notification implementing act in October 2024, with the cross-border entities list sent to ENISA in January 2025. However, differences in national implementation, sectoral exclusions, and conflicting methodologies persist.
For cross-border SMEs, the practical reality is that perfect harmonisation is unlikely in the near term. The strategic approach is to focus on building security capabilities that address the common requirements across frameworks while maintaining awareness of specific differences that require tailored responses.
Supply Chain Security as a Focus
Supply chain security has emerged as a central theme across regulatory frameworks globally. The recognition that security is only as strong as the weakest link in the chain has led to regulations explicitly requiring large organisations to ensure the security of their suppliers. This trend shows no signs of reversing; rather, it is likely to intensify as regulators gain experience with implementing and enforcing supply chain security requirements.
For SMEs, this means that demonstrable security capabilities are increasingly becoming a prerequisite for participating in supply chains serving regulated entities or critical infrastructure. The shift towards designating 'critical suppliers' regardless of size, as seen in the UK's Cyber Security and Resilience Bill, exemplifies this trend.
Product Security Lifecycle Requirements
Another significant trend is the focus on security throughout the product lifecycle. The Cyber Resilience Act's requirements for security by design, ongoing vulnerability management, and defined support periods represent a fundamental shift from viewing security as a one-time consideration to treating it as a continuous obligation. Similar requirements are emerging in other jurisdictions and for other product types.
This trend has profound implications for SME business models, particularly for those in manufacturing and software development. Products must be designed with security from inception, maintained with security updates throughout their operational life, and eventually retired with consideration for the security implications of end-of-life.
Management Accountability and Governance
The emphasis on management accountability represents a maturation of cybersecurity regulation. Rather than treating security as purely a technical issue, regulations increasingly recognise it as a governance and risk management concern requiring board-level oversight. NIS2's requirement that management bodies approve cybersecurity measures, oversee implementation, and face potential liability for infringements sets a clear precedent that is likely to be followed in other regulatory frameworks.
This trend elevates cybersecurity within organisational hierarchies and budgets, which ultimately benefits security outcomes. However, it also means that SME leadership must develop cybersecurity literacy and actively engage with security governance, moving beyond delegation to technical teams.
Conclusion
The cybersecurity regulatory landscape facing cross-border SMEs is undeniably complex and evolving. Regulations like NIS2, the Cyber Resilience Act, PSTI, and the emerging Cyber Security and Resilience Bill create overlapping requirements that vary by country, sector, and business model. For SMEs operating between the EU and UK, this complexity is amplified by the need to navigate multiple regulatory regimes simultaneously.
However, beneath this complexity lie consistent themes that represent the future direction of cybersecurity regulation globally. SMEs that embrace these principles position themselves not just for compliance but for competitive advantage in an increasingly security-conscious marketplace.
The trajectory is clear: security standards will continue to rise, supply chain requirements will intensify, and cross-border harmonisation will progress albeit imperfectly. The most successful approach for SMEs is not to treat each regulation as an isolated compliance exercise but to build foundational security capabilities that address common requirements across frameworks while positioning the organisation for future regulatory developments.
For cross-border SMEs, cybersecurity is no longer optional or purely a technical concern; it has become a fundamental business requirement that enables market access, protects operational continuity, and increasingly differentiates successful organisations from those left behind.
Further Information
For more detailed information on specific regulations and practical implementation guidance, the following resources are recommended:
- National Cyber Security Centre Ireland (NCSC): Provides comprehensive NIS2 guidance, quick reference guides, and implementation frameworks: ncsc.gov.ie
- UK National Cyber Security Centre: Offers guidance on UK cybersecurity regulations including PSTI and the Cyber Security and Resilience Bill, as well as practical security guidance for businesses: ncsc.gov.uk
- ENISA (European Union Agency for Cybersecurity): Publishes cybersecurity guides specifically for SMEs, including practical implementation guidance and sector-specific resources: enisa.europa.eu
- Cyber Essentials Scheme: Provides a practical framework for implementing fundamental security controls that address requirements across multiple regulatory frameworks: ncsc.gov.uk/cyberessentials/overview
- European Cyber Security Organisation (ECSO): Offers resources and research on cross-border cybersecurity risk management and harmonisation challenges: https://ecs-org.eu/
- European Union (2024). Regulation (EU) 2024/2847 on Cyber Resilience Act (CRA): https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
- UK Parliament (2022). Product Security and Telecommunications Infrastructure Act 2022: https://www.legislation.gov.uk/ukpga/2022/46/contents
- UK Parliament (2025). Cyber Security and Resilience (Network and Information Systems) Bill: https://bills.parliament.uk/bills/4035
- UK National Cyber Security Centre. Cyber Resilience Audit Scheme: https://www.ncsc.gov.uk/schemes/cyber-resilience-audit/introduction
Article reviewed by the InterTradeIreland Trade Hub Team: March 2026
References
- [1] UK Government (2025). Radio Equipment (Amendment) (Northern Ireland) Regulations 2025. https://www.gov.uk/government/publications/radio-equipment-regulations-2017/radio-equipment-amendment-northern-ireland-regulations-2025
- [2] National Cyber Security Centre Ireland (2024). NIS2: A Quick Reference Guide. Department of the Environment, Climate and Communications. https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_Guide.pdf
- [3] SME Cyber Resilience (2025). State of the Sector 2025. https://cyberresilience.ie/state-of-the-sector-report-2025/
- [4] European Union (2024). Regulation (EU) 2024/2847 on Cyber Resilience Act (CRA). https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
- [5] National Cyber Security Centre Ireland (2024). The NIS2 Directive Conference Presentation Slides. https://www.ncsc.gov.ie/pdfs/NIS2_NCSC_Conference_2024_Slides.pdf