Webwire Pty Ltd - How Emerging Privacy Rules Are Reshaping SME Strategy
From major breaches to EU’s Cyber Resilience Act, SMEs face new privacy and cybersecurity pressures—and must act now.
Emerging Privacy and Cyber Rules SMEs Can’t Ignore
The privacy regulation wave may feel distant—but it's hitting small and medium businesses faster than you think.
Privacy and cybersecurity regimes are evolving rapidly. In just the past week, several developments signal stronger pressure on SMEs—from surging data breach risk to new EU laws designed to lock down digital products and a shifting patchwork of US state laws reshaping how small businesses must comply.
Now's the time to understand what’s happening—and what your business should do to stay secure and compliant.
1. SMEs Suffer Majority of Data Breaches – Now Over 350 Million Records Leaked
According to a recent industry analysis, small to mid‑size businesses (1–249 employees) accounted for around 63 percent of all breaches in 2025, with about 352 million records leaked. Since the start of 2026 alone, at least 59 major incidents have exposed nearly 98 million additional records. Critical breaches—those involving passwords or financial data—affect SMEs most, making up over 60 percent of such events. SMEs also account for 60 percent of incidents involving more than 100,000 records.
Why this matters: Many SMEs lack the budgeting, training or resources to prepare for or recover from attacks; they remain high‑risk, low‑visibility targets.
Practical steps for your business:
- Enable two‑factor authentication across your systems
- Enforce strong password policies and regular updates
- Train employees to recognise phishing and social engineering
- Monitor credentials for compromise, especially on the dark web
- Implement basic logging to track unusual access or breaches
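The last two steps above (monitoring credentials and keeping basic logs of unusual access) can be started with very little tooling. The script below is an added example written for this article, not Webwire's own code or product: it reads OpenSSH-style auth log lines, flags any source address that fails authentication five or more times within ten minutes, and separately flags a successful login from a source that has just produced such a burst, which is the pattern you would expect when a leaked or guessed password is finally used. The log lines are constructed for the example, the year is assumed because syslog lines carry none, and the threshold and window are starting points to tune for your own systems.

```python
"""Minimal failed-login monitor over constructed auth-log lines.

Added example for this article; the log lines, hostnames and addresses
below are constructed, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in the OpenSSH sshd auth.log style.
SAMPLE_LOG = """\
Mar 14 09:12:01 office-srv sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar 14 09:12:04 office-srv sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Mar 14 09:12:08 office-srv sshd[2211]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar 14 09:12:11 office-srv sshd[2212]: Failed password for root from 203.0.113.7 port 51015 ssh2
Mar 14 09:12:15 office-srv sshd[2213]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar 14 09:12:20 office-srv sshd[2214]: Accepted password for alice from 203.0.113.7 port 51017 ssh2
Mar 14 09:30:45 office-srv sshd[2300]: Failed password for bob from 198.51.100.22 port 40001 ssh2
Mar 14 09:31:02 office-srv sshd[2301]: Accepted publickey for bob from 198.51.100.22 port 40002 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2026):
    """Parse one auth.log line into a dict, or return None for lines we do not track.

    Syslog timestamps carry no year, so the year is an assumption passed in.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_suspicious(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert tuples.

    ("brute_force", ip, count)            -> >= threshold failures inside the window
    ("success_after_failures", ip, user)  -> a successful login from a source
                                             that already triggered a burst alert
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    burst_ips = set()             # sources already reported for a burst
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # Keep only failures inside the sliding window ending at this event.
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(failures[ip]) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append(("brute_force", ip, len(failures[ip])))
        elif ip in burst_ips:
            # A success right after a burst is the event worth a human's attention.
            alerts.append(("success_after_failures", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

Run against the sample it reports one brute-force burst from 203.0.113.7 and then a successful password login for alice from the same address; the single failure from 198.51.100.22 followed by a key-based login stays quiet. In practice you would feed it `/var/log/auth.log` (or your hosting provider's equivalent) on a schedule, and treat the second alert type as the trigger for a password reset and a check of that account's recent activity.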
2. EU’s Cyber Resilience Act Means 'Security by Design' for Digital Products in 2027
A major new cybersecurity regulation in the European Union—the Cyber Resilience Act (CRA)—will apply from December 2027 to all products with digital components. That includes software and hardware offering data connectivity. The regulation mandates incident reporting, automatic security updates and embedded 'security by design'. Though it originates in the EU, the CRA affects SMEs both as customers and as integrators of digital supply chains. Many SMEs lack dedicated IT teams or compliance officers, making adaptation difficult without preparation.
Why this matters: If you're supplying software, devices or services to EU markets—or buying from them—you must meet these new cybersecurity standards or risk non‑compliance and market access issues.
Practical steps for your business:
- Conduct an audit of all digital products/services you use or provide
- Establish a roadmap for embedding security testing and automatic updates
- Train partners and suppliers in security practices consistent with CRA
- Incorporate security‑by‑design and incident‑response planning into development workflows
- Follow CRA guidance and tools for SMEs being developed by EU initiatives
3. Growing US Privacy Patchwork: States Tighten Rules, No Federal Law Yet
In the United States, SMEs face a growing patchwork of data privacy laws. States like Nebraska enacted comprehensive privacy regulation from January 1, 2025. Florida’s Digital Bill of Rights targets businesses earning over US$1 billion in ad revenue or operating smart‑speaker platforms. Without a federal law to harmonise standards, SMEs doing business in multiple states (or with EU customers) must manage a portfolio of rules. This complicates compliance and increases risk exposure if you don’t act proactively.
Why this matters: Divergent state requirements can create conflicts that lead to breach notifications, legal risk or market exclusion. SMEs must adapt policies and processes to remain compliant across jurisdictions.
Practical steps for your business:
- Map where you operate and which state privacy laws apply
- Appoint a privacy lead to monitor legal developments across states
- Standardise internal privacy policies to meet the strictest applicable law
- Inform customers and employees of their rights regarding data access, deletion and opt‑out
- Leverage frameworks like NIST or ISO for scalable privacy controls
4. EU Cybersecurity Certification Reform Aims to Simplify Compliance and Ransomware Reporting
The European Commission proposed updates to the 2019 Cybersecurity Act to improve how companies follow cybersecurity rules. Changes would simplify jurisdictional complexities and streamline data‑gathering on ransomware attacks. These reforms aim to make it easier for companies—including SMEs—to get cybersecurity certifications and comply with reporting norms.
Why this matters: Certified supply chain partners are increasingly preferred by enterprise buyers. Clearing certification requirements gives SMEs a competitive advantage and helps manage risk.
Practical steps for your business:
- Keep an eye on changes to EU certification rules that may reduce compliance burden
- Participate in training or read advisory updates from cybersecurity agencies or CERTs
- Consider pursuing cybersecurity certification to boost credibility with customers and partners
What This Means For Your Business
If there's one thing that's clear this week, it's that privacy regulations and cybersecurity expectations are advancing—fast. SMEs are at the sharp end of this movement, facing both elevated risks from attacks and growing demands from regulators.
But there’s opportunity too. By responding now, you can strengthen your resilience, reduce risk, and position your business ahead of compliance curves. Start with practical, achievable actions—2FA, password policies, employee awareness and simple audits of your digital tools.
Then build toward more advanced steps: mapping privacy obligations, prepping for CRA compliance, or gaining security certification. These moves don’t just protect your business—they show partners and customers you take security and privacy seriously.
Stay informed, prioritise investment where it matters most, and use this moment to transform risk into competitive strength.
Call Webwire on 08 9386 0053 or contact us at enquiries@webwire.com.au.