Is Your Business Ready for New EU Cyber Rules?
Stop Data Breaches Before They Stop You
Imagine this: your cash register freezes mid-sale, your customer database is locked, or your online shop vanishes overnight. For a small business, these aren’t just technical glitches—they’re emergencies that can shut you down. New EU rules are coming to help prevent exactly this, and if you run a shop, clinic, restaurant, or any business that relies on digital tools, you need to be ready.
What’s Changing: The New EU Cyber Rules
The European Union’s Cyber Resilience Act (CRA) is a new set of rules that shifts the focus from how businesses protect themselves to the safety of the digital products they use. Think of it like car safety standards—it’s not enough to drive carefully; the car itself needs to be built to protect you.
This applies to everything connected to the internet: your point-of-sale system, smart thermostat, website, or even the software running your inventory. The CRA isn’t just for big tech companies—it affects anyone who makes, sells, or uses digital products, even if you’re a small business relying on off-the-shelf software.
Key dates to know:
- If a security flaw is actively being exploited, businesses must report it within 24 hours.
- A full report must follow within three days.
- These rules take effect on September 11, 2026.
Why This Matters to Your Business
1. Faster Reporting = Less Risk for You
The CRA forces companies to quickly identify and report security vulnerabilities. If a supplier fails to do this, your business could be left exposed. For example:
- If your webshop’s payment system has a security flaw, you might not find out until it’s too late.
- If your clinic’s patient records software isn’t updated, hackers could steal sensitive data.
2. Your Supply Chain is Now Your Responsibility
You might not build software, but you do rely on it. The CRA makes you responsible for the security of the digital tools you use—what’s called your “software supply chain.” This includes:
- The apps running your business (like your accounting software or website).
- The devices connected to your network (like smart security cameras or Wi-Fi routers).
- Even the firmware (the built-in software) in your hardware.
3. Software Bills of Materials (SBOMs): The New Must-Have
You may hear about “SBOMs”—these are like ingredient lists for software, detailing every component and potential vulnerability. Right now, only 25% of companies automatically create these, but the CRA will make them essential. Why?
- If a security flaw is found in one component, you’ll know exactly where it is.
- Without an SBOM, you’re flying blind—like trying to fix a car without knowing what’s under the hood.
4. This Isn’t Just a Tech Problem—It’s a Business Problem
The CRA isn’t something your IT person can “fix” alone. It requires a shift in how digital products are designed, built, and maintained. For example:
- If you run a bakery with an online ordering system, you’ll need to ensure it’s secure.
- If you’re a freelance designer using cloud tools, you’ll need to confirm they meet these standards.
- If you’re a logistics company tracking shipments digitally, your software suppliers must comply.
What You Can Do Right Now: A Simple Checklist
You don’t need to become a cybersecurity expert, but you do need to take action. Here’s a practical checklist to get started:
1. Know What You’re Using
- Make a list of all digital tools your business relies on (e.g., website, POS system, email, cloud storage).
- Include any connected devices (smart thermostats, security cameras, Wi-Fi routers).
- Ask your suppliers: “Does this product comply with the EU Cyber Resilience Act?”
2. Ask for an SBOM (Software Bill of Materials)
- If a supplier can’t provide one, that’s a red flag.
- Example: If you use a custom-built website, ask your developer for an SBOM of the software components.
3. Update Everything
- Enable automatic updates for all software and devices.
- Patch vulnerabilities immediately—don’t wait for “later.”
- Example: If your POS system releases a security update, install it right away.
4. Strengthen Your Passwords and Authentication
- Use strong, unique passwords for every account.
- Enable two-factor authentication (2FA)—an extra security step, like a code sent to your phone.
- Example: If your email is hacked, 2FA can stop the attacker from accessing other accounts.
5. Back Up Your Data
- Regularly back up critical data (customer records, financial files, website content).
- Store backups offline or in a secure cloud service.
- Example: If ransomware locks your files, you can restore them from a backup.
6. Train Your Team
- Teach employees how to spot phishing emails (fake emails tricking them into clicking malicious links).
- Example: A fake “invoice” email could install malware on your network.
7. Have a Plan for When Things Go Wrong
- Know who to call if you’re hacked (your IT support, cybersecurity insurance provider, or a trusted expert).
- Example: If your website is attacked, you’ll need a plan to restore it quickly.
FAQ: What Dutch Business Owners Are Asking
Q: Does this apply to my small business, or just big companies?
A: The CRA applies to any business using digital products, whether you’re a solo freelancer, a local shop, or a growing company. If you rely on software, apps, or connected devices, you’re affected.
Q: What happens if I ignore this?
A: Ignoring these rules could leave your business vulnerable to:
- Fines (though enforcement for small businesses is likely to focus on guidance first).
- Data breaches (losing customer trust or facing legal trouble).
- Business disruption (if a key system is hacked or fails).
Q: Where do I start if this feels overwhelming?
A: Start with the checklist above. Focus on:
- Knowing what digital tools you use.
- Asking suppliers about compliance.
- Enabling automatic updates and strong passwords.
If you’re unsure, reach out to a trusted IT advisor (like us!) for help.
IT Move NL
Whether you run a bakery, a dental clinic, or a logistics company, these new rules affect how you do business online. You don’t need to figure it all out alone—we help business owners and IT teams navigate changes like this every day. Let’s talk about what this means for your business—no jargon, no sales pitch, just practical advice.
He/Him · AWS Certified Solutions Architect | Cloud Engineer @ Essent
Cloud Engineer at Essent B.V. with 10+ years of experience in the tech industry. AWS Certified, passionate about serverless architectures, Infrastructure as Code, and DevOps. Proficient in TypeScript, Python, and Terraform. Based in Amersfoort, Netherlands.