Luca Mancino, Innovation Manager – Fondazione Piemonte Innova
Federica Lombardi, Compliance Consultant – Fondazione Piemonte Innova
“Human error is responsible for 49% of cyber incidents, with some estimates reaching up to 70%.”
– Clusit Report 2025
In an increasingly interconnected world, cybersecurity has become a strategic imperative – not only for large corporations, but especially for micro, small, and medium-sized enterprises (SMEs). These businesses often underestimate their vulnerability, assuming their modest scale makes them less attractive to cybercriminals. Yet, the data tells a different story.
In Italy, the 2025 edition of the Clusit Report on ICT Security – the country’s most authoritative annual publication on the topic – reveals a 23% increase in cyberattacks compared to the previous year. Healthcare remains the most targeted sector, but manufacturing and supply chain actors are increasingly in the crosshairs.
This trend is mirrored across Central and Eastern Europe. According to the 2024 ENISA Threat Landscape report, cyber threats have grown in volume, sophistication, and impact throughout the EU. The report notes a steady rise in ransomware incidents, phishing campaigns, and attacks on critical infrastructure, including in countries like Slovenia, Poland, Slovakia, and the Czech Republic. SMEs are particularly exposed due to limited internal expertise and often outdated digital infrastructures.
A European Perspective: Regulation and Responsibility
“Cybersecurity must be understood as a shared public-private responsibility across the European digital economy.”
– EU Digital Compass, 2030
Cybersecurity is not merely a technical issue; it is a key component of Corporate Digital Responsibility (CDR). This broader concept includes ethical data governance, environmental sustainability in digital transformation, and safeguarding digital rights. Within this framework, the role of cybersecurity is twofold: it protects not only the company’s assets but also its stakeholders, partners, and the broader digital ecosystem.
The European Union is taking decisive steps to bolster collective resilience. The NIS2 Directive – set to be transposed into national legislation by October 2024 – extends cybersecurity obligations to a wider range of entities, including medium-sized enterprises across critical sectors. It mandates risk management practices, incident reporting, and supply chain security, with significant penalties for non-compliance.
In addition, the EU Cyber Resilience Act (CRA), currently in advanced stages of legislative approval, will introduce essential requirements for the cybersecurity of digital products and connected devices, affecting both manufacturers and service providers across Europe.
For SMEs in EU countries, aligning with these frameworks is not just about compliance – it’s about competitiveness. Governments and business associations across these regions are beginning to offer dedicated support programs, from funding schemes to awareness campaigns.
The Local Dimension: A Case from Piedmont
Zooming in on the Piedmont region – home to the Metropolitan City of Turin – a recent Cyber Index PMI survey shows that 79% of SMEs use digital tools in their operations, yet 8% reported security breaches in recent years. Particularly vulnerable are companies operating within the supply chains of multinational corporations or working with public sector clients.
Encouragingly, Piedmontese SMEs demonstrate above-average awareness of digital risks. According to the same report, 72% of local businesses actively engage with cybersecurity issues, and 65% plan to invest in digital protection in the near future. Some 54% have internal security teams, while 26% rely on external partners – a balanced approach that reflects growing maturity in this domain.
Best Practices for Building Cyber Resilience
While no one-size-fits-all solution exists, there are universal principles that SMEs can adopt to strengthen their digital defences:
- Keep systems and software up to date with the latest security patches.
- Perform frequent backups to ensure operational continuity.
- Implement a robust incident response plan to act quickly in the event of a breach.
- Invest in employee training, as human error accounts for up to 70% of security incidents, according to Clusit.
- Conduct regular penetration tests and vulnerability assessments.
Importantly, cybersecurity should be seen as a growth enabler, not as a cost centre. In an era where data is the new oil, securing business information is vital to preserving customer trust, brand reputation, and operational integrity. A cyberattack can result in immediate financial loss—but the longer-term reputational damage can be even more costly.
Cybersecurity as a Strategic Investment
For SMEs, investing in cybersecurity is no longer optional – it’s essential for survival and sustainable growth. As digitalisation accelerates, so too does the attack surface. Those who neglect cybersecurity risk being excluded from value chains, losing public contracts, or facing legal liabilities under EU regulation.
On the other hand, those who integrate cybersecurity into their broader digital responsibility agenda position themselves as trustworthy partners in an increasingly scrutinised digital economy.
In this context, European projects like Interreg Central Europe COEUS provide a valuable platform for knowledge exchange, capacity building, and innovation on cross-border cybersecurity strategies. Municipalities, businesses, and institutions have a shared interest in creating resilient, digitally responsible regions – where security is not a barrier, but a catalyst for progress.
Sitography
- Clusit Report 2025 – Rapporto sulla sicurezza ICT in Italia: clusit.it/rapporto-clusit/
- Cyber Index PMI – Edizione Piemonte (2024): ui.torino.it/unione-per-te/innovazione/notizia/97801/report-cyber-index-pmi-avvio-seconda-edizione/
- ENISA Threat Landscape Report 2024: enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape
- EU Digital Compass 2030: digital-strategy.ec.europa.eu/en/policies/europes-digital-decade
- NIS2 Directive (EU 2022/2555): eur-lex.europa.eu/eli/dir/2022/2555/oj
- EU Cyber Resilience Act – Proposal: eur-lex.europa.eu/eli/reg/2024/2847/oj/eng