A Practical Guide to Cybersecurity Spending for SMBs in 2025

Introduction

Small and medium-sized businesses (SMBs) are the backbone of the European economy, but their increasing reliance on digital technologies has made them a prime target for cybercriminals. With cyberattacks growing in sophistication and frequency, the question for SMBs is no longer if they will be targeted, but when. A staggering 31% of SMBs have already fallen victim to cyberattacks, with average costs of €250,000 and, in some cases, costs as high as €7 million [1].

This article provides a comprehensive guide for European SMBs to navigate the complex landscape of cybersecurity spending in 2025. We will explore recommended budget benchmarks, effective allocation strategies, and the significant impact of new regulations, such as the NIS2 Directive. By understanding these key considerations, SMBs can build a robust defense against cyber threats and ensure their long-term resilience.

The Escalating Threat Landscape

The digital world is a double-edged sword. While it offers unprecedented opportunities for growth and innovation, it also exposes businesses to a host of cyber threats. The rise of artificial intelligence (AI) has further complicated the situation, with 83% of SMBs believing that AI has increased the cybersecurity threat level [2]. Cybercriminals are now leveraging AI to launch more sophisticated and scalable attacks, making it increasingly difficult for businesses to defend themselves.

Losses by Threat Type

This table summarizes the most common and costly cyber threats facing SMBs today.

These statistics paint a grim picture, with 61% of SMBs now fearing that a single serious cyberattack could put them out of business [2]. This highlights the crucial need for a proactive and adequately funded cybersecurity strategy.

Recommended Cybersecurity Spending for SMBs

Determining the right amount to invest in cybersecurity can be a daunting task for SMBs. While there is no one-size-fits-all answer, industry benchmarks and regulatory guidelines provide a solid starting point. For most European SMBs, a realistic cybersecurity budget falls between 0.5% and 2% of annual revenue [3, 4]. However, this figure can rise to 2-3% for businesses in regulated sectors or those with a higher risk profile [3, 4].

A recent report from the European Union Agency for Cybersecurity (ENISA) reveals that information security now accounts for 9% of total IT investments in the EU, a significant increase from previous years [5]. This trend underscores the increasing awareness among businesses of the vital importance of cybersecurity.

The following text provides a breakdown of recommended cybersecurity spending based on an SMB’s risk profile:

  • Non-critical SMB: 0.5 – 1.2% of annual revenue. Typical uses: cyber hygiene, awareness, basic technical controls [3, 4]

  • Moderate/Compliance-driven: 1.2 – 2% of annual revenue. Typical uses: policy, advanced protection, monitoring, response, audits [3, 4]

  • Critical/Regulated/NIS2 exposed: 2 – 3% of annual revenue. Typical uses: full baseline + incident response + external reviews [3, 4]

Note: Please be aware that these figures serve as a guide only. The actual amount an SMB needs to spend on cybersecurity will depend on several factors, including its size, industry, risk tolerance, and regulatory obligations. For micro-enterprises, a minimum annual investment of €8,500–€20,000 is often required to establish a basic level of security [3].

The NIS2 Directive: A New Era of Cybersecurity for Europe

The European cybersecurity landscape is undergoing a significant transformation with the introduction of the NIS2 Directive. This new legislation expands the scope of the original NIS Directive to include a broader range of sectors and entities, placing a greater emphasis on cybersecurity risk management and incident reporting. As a result, many SMBs that were previously not subject to these regulations will now need to step up their cybersecurity game.

A recent ENISA report found that while 92% of in-scope entities are aware of the NIS2 Directive, a significant number of organizations, particularly SMEs, are struggling to prepare for compliance [5]. The report highlights the following key challenges:

  • Budgetary Constraints: A concerning 34% of SMEs report that they will not be able to secure the additional budget required for NIS2 compliance [5].

  • Workforce Shortages: The cybersecurity skills gap remains a significant obstacle, with 59% of SMEs struggling to fill crucial cybersecurity roles [5]. This is particularly alarming given that 89% of organizations expect to need additional staff to comply with the new directive.

Despite these challenges, the NIS2 Directive also presents an opportunity for SMBs to strengthen their security posture and gain a competitive advantage. By embracing the principles of the directive, businesses can not only reduce their risk of cyberattacks but also build trust with customers and partners.

Conclusion: A Proactive Approach to Cybersecurity

In our current world, cybersecurity is not just an IT issue; it is a fundamental cornerstone of any business. For SMBs, the financial and reputational consequences of a cyberattack can be devastating. By taking a proactive and strategic approach to cybersecurity spending, businesses can significantly reduce their risk and build a more resilient organization.

The key takeaways for SMBs are:

  • Acknowledge the Risk: Understand that no business is too small to be a target.

  • Budget Accordingly: Allocate a realistic portion of your revenue to cybersecurity, using the benchmarks provided in this article as a guide.

  • Prioritize Spending: Focus on the most critical areas, such as data protection, employee training, and incident response.

  • Embrace Regulation: View the NIS2 Directive not as a burden, but as an opportunity to improve your security posture.

  • Seek Expertise: Don’t hesitate to engage with managed service providers (MSPs) or cybersecurity consultants to supplement your in-house capabilities.

By investing in cybersecurity today, SMBs can safeguard their future and continue to thrive in an increasingly digital world.


References

[1] Microsoft, “7 cybersecurity trends for small and medium businesses,” Microsoft Security Blog, October 31, 2024. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2024/10/31/7-cybersecurity-trends-and-tips-for-small-and-medium-businesses-to-stay-protected/

[2] ConnectWise, “SMB cybersecurity statistics and trends in 2025,” ConnectWise Blog, July 8, 2025. [Online]. Available: https://www.connectwise.com/blog/smb-cybersecurity-statistics-and-trends

[3] Business.com, “How Much Should Your SMB Budget for Cybersecurity?” [Online]. Available: https://www.business.com/articles/smb-budget-for-cybersecurity/

[4] TotalAssure, “Cost of Cybersecurity for Small Businesses in 2025,” [Online]. Available: https://totalassure.com/blog/Cost-of-Cybersecurity-for-Small-Businesses-in-2025

[5] ENISA, “Navigating cybersecurity investments in the time of NIS 2,” November 22, 2024. [Online]. Available: https://www.enisa.europa.eu/news/navigating-cybersecurity-investments-in-the-time-of-nis-2
