The Cybersecurity Act: What Smaller Companies Need to Know About Supply Chains and Cyber Hygiene
Published: January 1, 1970
Last Updated: July 12, 2026
The new Cybersecurity Act (based on EU legislation) has become a hot topic of conversation in the business world. The main purpose of the law is clear: to raise cybersecurity and incident readiness across society, while giving corporate management clearer ownership of security issues.
The focus lies on socially critical operations, such as government agencies, municipalities, energy companies, and food supply. So why is a law specifically targeting critical societal functions being discussed so broadly? The answer is the supply chain.
Requirements Inherited Down the Line
The legislation includes a strict requirement for covered organizations to ensure that their entire supply chain is secure. When a government agency or an energy company procures goods and services, they must vet their suppliers.
In practice, this means that regardless of whether you run a large or small company, you will face tough security questions in future procurements. The requirements are simply inherited down the line. A vulnerability in a sub-contractor several tiers down ultimately becomes a vulnerability for the socially critical organization.
Compliance Burden or Real Benefit?
It is easy to view new laws as mostly unnecessary administration. However, much of the work provides a tangible benefit, and if approached wisely, it does not have to be overly burdensome.
Information security is fundamentally about structure, and once you have those structures in place, it translates into security improvements that protect your business every single day. In an era of frequent cyberattacks and phishing attempts, good "cyber hygiene" is absolutely vital for any company.
Three Steps to Tackle the Project
For smaller organizations lacking a large IT budget or a dedicated compliance department, it is all about being concrete and narrowing the scope. The work can be boiled down to three central steps:
-
Get the technology right: Start with the low-hanging fruit. Implement two-factor authentication on all systems, ensure firewalls are enabled, and perform continuous security updates. Also, train your staff regularly so they recognize threats such as phishing (fraudulent emails) and vishing (phone scams).
-
Document: Conduct a simple inventory of your assets—what software, hardware, and networks do you use? Identify the risks associated with these and establish clear policies. For example, how do you manage "Shadow IT" (when employees use private phones or computers for work)? By documenting your processes, you will have ready-made answers when clients ask questions during a procurement.
-
Follow up: Cybersecurity is a moving target. At regular intervals, you must evaluate whether your routines align with reality, perform new risk assessments when purchasing new technology, and stay updated on emerging threats.
Do You Need ISO 27001 Certification?
Larger organizations often run heavy projects to get certified according to ISO 27001. For a smaller company—perhaps around 50 employees with a less complex operation—a formal certification is rarely necessary, unless explicitly required by your clients.
It is far more important that you actually do the right things and have them documented in a well-functioning information security management system that mirrors the structure of ISO 27001, rather than having the actual certificate on the wall.
Here at Lantero, we have developed ready-made, easy-to-understand templates and pre-filled examples to help you inventory your resources, conduct risk assessments, and establish the right structure from the start—without making the process heavier than it needs to be.