The Digital Frontier: Why SMEs in the Western Balkans must prioritise cybersecurity – from supply chains to national security

For the Western Balkans to truly become cyber-resilient, the strategic approach can’t rely solely on public sector actions.

If governments focus only on their own services while SMEs – which account for over 90% of businesses in the region – remain vulnerable, the entire economy remains at risk. The backbone of the economies could be severely affected.

As the region moves closer to the European Union, aligning with international cybersecurity standards is no longer just a technical choice – it is a prerequisite for economic survival and regional integration.

Why cybersecurity is critical for SMEs

For many SMEs, the prevailing myth is that they are “too small to be targeted”. In reality, bad actors often view smaller firms as the “soft underbelly” of global supply chains.

  • Financial survival. 46% of SMEs have experienced a cyberattack, and nearly 1 in 5 (approximately 19%) of those victims reported that the attack led directly to filing for bankruptcy or closing their business, according to Mastercard’s Small Business Cybersecurity Survey.

An Astra Security survey found that 75% of SMEs would be unable to continue operating if subjected to a ransomware attack, often leading to insolvency shortly after. Both surveys highlight that the reasons for this are more nuanced.

Businesses fail due to a combination of immediate revenue loss (downtime), the high cost of recovery and the fact that 55% of customers report that they would stop doing business with a small firm after a breach.

  • The “domino effect” in supply chains. Larger EU and UK corporations now vet their partners’ security. A breach in a small Balkan supplier can provide a “backdoor” into a multinational network, leading to the termination of lucrative contracts.
  • Trust and reputation. In a competitive market, customer trust is currency. A data leak involving personal data can permanently damage a brand’s reputation.

Policy alignments for SMEs: examples from the EU and the UK

The Western Balkans are increasingly aligning with high-level frameworks to ensure cyber-interoperability with their neighbours.

NIS2 applies to more sectors and more entities overall than the original NIS Directive. Additionally, the Cyber Resilience Act (CRA), which entered into force recently, requires that any hardware or software sold in the EU must have “security by design,” directly affecting Balkan tech exporters.

Similarly, the UK has shifted from voluntary guidance to strict statutory requirements that affect any SMEs interacting with the UK market. The newly introduced Cyber Security and Resilience Bill modernises the UK’s old NIS regulations.

It specifically brings Managed Service Providers (MSPs) – the very companies SMEs often outsource their IT to – under direct regulation for the first time. Additionally, the Bill allows the UK government to designate “critical suppliers”.

If a Balkan SME is a key supplier to a regulated UK firm (like a hospital or utility), it may be legally required to meet the same high security standards as its larger clients.

From a practical point of view, to improve the cyber resilience of SMEs, the UK’s “Cyber Essentials” certification scheme remains the best entry point into cybersecurity. It focuses on five basic controls: firewalls, secure configuration, user access control, malware protection and patch management.

This scheme is a good example of an initiative that bridges policy goals with practical, user-friendly implementation opportunities.

Government support vital for progress

While the compliance needs are increasing, governments must ensure that SMEs aren’t left to navigate these on their own. Resilience is a shared responsibility.

  • Beyond infrastructure. Governments should shift their focus from only protecting government digital infrastructure and critical infrastructure entities to supporting the wider business ecosystem.
  • NGO and civil society partnerships. Funding NGOs to assist local businesses and fellow NGOs can bridge the gap between high-level politicians and everyday implementation.
  • Grant schemes. Transitioning to new cyber standards is costly. National “cyber voucher” schemes can help SMEs pay for the audits and certifications required to maintain international trade and boost national economies.

With support from the European Union through “KnowCyber” grants under the Cyber Balkans project, SMEs were also the main target audience for grantees in Albania and Montenegro.

Both grant applicants identified current cybersecurity gaps and priorities for SMEs and provided training and assistance to address them. Based on the project results, the trends are very similar.

KnowCyber grantees at the e-Governance Conference in 2025.

In addition, in Albania, the “Enhancing Cybersecurity for SMEs in Albania through Cyber Hygiene and The Cyber Principles” project by the Independent Forum for Albanian Women also developed Cyber Security Principles, a set of accessible, practical minimum-security requirements designed to guide SMEs in implementing essential cybersecurity measures.

This could work as preparation for a future certification mechanism for SME cybersecurity levels. Albania’s experience showed that more than 70% of SMEs lacked formal cybersecurity policies prior to participating in the project, underscoring the need for more training and awareness raising.

In addition to low readiness, both projects reported low awareness or understanding of why cybersecurity should be seen as a management issue, not just an IT issue. This shows the need to raise general awareness of both the benefits that cyber resilience brings and the realistic risks to businesses.

The NGO “Secure” project “Raising awareness and cyber hygiene in SME” in Montenegro also conducted an SME survey that overall noted:

  • Low awareness of cyber hygiene. Most respondents (76.5%) are not familiar with the concept of cyber hygiene, indicating a profound lack of basic knowledge of digital security. This issue is particularly visible among micro and small enterprises.
  • Insufficient implementation of cybersecurity measures. Although most respondents have a moderate level of cyber hygiene (53.3%), only 1.7% achieve a high level of protection. A large share of employees are not using key tools such as two-factor authentication, password managers, or data encryption, which increases the risk of cyberattacks.
  • Weak policies and incident reporting. Although 76.5% of companies have some form of cyber hygiene policies in place, these policies are neither sufficiently clear nor consistently enforced. 34.4% of employees are not familiar with cybersecurity incident reporting procedures.
  • Insufficient investment in cybersecurity. Only 23.2% of companies allocate adequate resources to cybersecurity, while 13.9% invest far less than necessary. The lack of qualified personnel (31.8%) and limited management support (20.9%) further hinder efforts to improve cyber hygiene.

Summary

Ultimately, cybersecurity for SMEs in the Western Balkans has evolved from a technical option to a fundamental prerequisite for economic survival and regional integration.

While the increasing complexity of EU and UK regulations presents a significant challenge, it also offers a pathway for local firms to secure their place in global supply chains.

By shifting government focus to the broader business ecosystem and leveraging NGO partnerships to provide practical training and “cyber vouchers,” the region can transform its “soft underbelly” into a resilient digital frontier.

 

This article was created by Rica Williams, Senior Expert at the e-Governance Academy