Compliance won’t save you. Capability will.

NIS2 and DORA set a valuable floor – but no compliance framework has ever stopped a cyber attack. Two-thirds of European SMBs remain under-defended. The gap between filing a report and stopping a breach is where organisations get hurt.

Key takeaways

✓ Compliance creates reporting obligations; it does not prevent attacks

✓ Two-thirds of European SMBs are below the security poverty line

✓ One European energy company filed the same incident across 16 different reporting schemes

✓ MSPs that lead with capability – not checkbox compliance – win more and retain longer

The compliance trap

No cyber attack has ever been prevented by a compliance framework. That is not an argument against regulation – it is a clarification of what regulation is designed to do. Compliance sets minimum standards and creates accountability when things go wrong. It is retrospective and administrative, not preventive and operational.

The problem is that for many organisations, compliance has become the proxy for security. Complete the NIS2 gap assessment, submit incident reports on time, tick the audit boxes – and assume you are protected. You are not protected; you are compliant. Those are different things.

In the mid-market, where IT budgets are finite, compliance efforts consume a disproportionate share of security attention – weeks spent preparing regulatory documentation that could have been spent improving detection, reducing attack surface, or building response playbooks.

Europe’s real exposure

Around one-third of European SMBs have defences adequate for today’s threat environment. The other two-thirds are below the security poverty line: likely running legacy antivirus, not enforcing MFA, with no visibility into who holds admin rights or where their vulnerabilities sit.

The threat they face has not stood still. AI-powered attacks can scan the entire internet for exploitable vulnerabilities in under two hours. Attackers move from reconnaissance to compromise in six minutes in documented cases. Legacy tools and paper-based compliance are no match for that.

When compliance becomes a burden

A European energy company operating across multiple member states recently had to report a single security incident in 16 different formats – different portals, different time windows, different data requirements – due to fragmented national implementations of EU regulation.

That is administration, not security. Those staff hours are not spent investigating the incident or preventing the next one. Smarter regulation – harmonised, outcome-focused, designed by people with operational security experience – would serve organisations far better.

What capability actually looks like

Capability is an operational state: the ongoing ability to detect threats early, understand your exposure, and respond before damage occurs. Three things have to work together:

  • Continuous exposure management – a live, prioritised picture of where you are vulnerable, updated as your environment changes.
  • Intelligence-led detection – AI filtering that surfaces what matters. WithSecure generates ~50 actionable alerts per 1,000 seats per month, not thousands of false positives.
  • 24/7 response – managed detection and response that acts at machine speed, without requiring every client to build their own SOC.

The MSP Opportunity

The MSPs who win long-term use the compliance conversation as a door into a capability conversation. One approach that works: ask the client to either upgrade their security posture or have their CEO sign a document explicitly declining adequate protection. It has never come back signed. The conversation moves to capability – and that is where the margin is.

Challenge          Common Response              Better Approach
Alert fatigue      Add more tools               Consolidate to a unified platform with AI filtering
Compliance cost    Dedicate staff to reporting  Automate reporting; redirect effort to detection
Talent shortage    Try to build a SOC           Partner with MDR; manage 5,000+ seats with one professional

Frequently Asked Questions

Q: Is NIS2 enough to protect my organisation?

No. NIS2 sets a governance and reporting floor. It does not guarantee you can detect or respond to a modern attack.

Q: How many alerts should a well-run security operation produce?

Around 50 actionable alerts per 1,000 seats per month, with effective AI filtering. Higher volumes indicate fragmented tooling, not better protection.

Q: Can a small IT team manage enterprise-grade security?

Yes – with a unified platform and MDR partner. MSPs can manage 5,000+ seats with a single IT professional instead of a nine-person SOC.

Compliance Is the Floor. Capability Is the Point.

Organisations that treat NIS2 as a destination remain exposed. The frameworks set the minimum. What happens above it – proactive detection, continuous visibility, 24/7 response – is what determines whether you survive an incident intact. Regulation helps. Capability is the goal.

This blog is based on the Cyber Morning webinar "Trust, Transparency, and Security: The European Way" from May 2026. Watch the conversation: https://www.withsecure.com/en/resources-hub/webinars/cyber-morning-may-2026/.
