Mastercard Strive EU

Europe's micro-enterprises are digitalizing unprotected


A deep dive into the cybersecurity protection gap among EU micro-enterprises — why standard levers fail, what actually shifts behavior, and how to reach the right businesses in the right way.

1,336 micro-enterprises surveyed
23 EU countries
3 cybersecurity providers
Read the report: European microbusiness cybersecurity deep dive


01: The Situation

Europe's micro-enterprises are digitalizing unprotected

Digital adoption is outpacing cyber protection across the EU

Cybersecurity is one of the most foundational dimensions of micro-enterprise resilience in the EU. While micro-enterprises — businesses with fewer than 10 employees — are adopting digital tools to run their businesses, the cybersecurity tools that protect them have not followed: just 42% of micro-enterprises use any such tools at all, and only 15% plan to adopt cybersecurity tools in the next 12 months. For a micro-enterprise, a cyberattack can be an extinction event. In a survey by the EU Agency for Cybersecurity (ENISA, Cybersecurity for SMEs 2021), 57% of SMEs said a cyberattack would most likely bankrupt or put them out of business.

The term "micro-enterprise" covers a wide range of businesses, and definitions vary across the EU. This report uses the threshold of fewer than 10 employees, consistent with the European Commission's definition. The businesses in this report come from the Mastercard Strive EU Snapshot Survey, covering 1,336 micro-enterprises, with fewer than 10 employees, across 23 EU countries. But within that threshold, the distribution matters: 69% of the businesses in our sample are sole traders. Only 31% have between two and ten employees. For the majority of businesses in this report, the owner is simultaneously the sales team, the accountant, the IT department, and the person responsible for cybersecurity. That operational reality shapes everything that follows.

The EU's regulatory response acknowledges the gravity of this situation. The NIS2 Directive requires regulated entities to ensure their suppliers, including micro-enterprises, meet baseline cybersecurity standards. The Cyber Resilience Act sets security requirements for all digital products sold in the EU. But regulation is moving faster than the evidence base behind it. Most existing research treats small- and medium-sized businesses as a single category — a grouping that obscures the distinct risks, decision-making patterns, vulnerabilities, and capacity constraints of the smallest firms.

This report draws on data from the Mastercard Strive EU program, building on a snapshot survey of 1,336 micro-enterprises across 23 EU countries, conducted in September 2025, alongside insights from three EU-based cybersecurity providers directly serving small businesses. These findings challenge assumptions that currently shape most cybersecurity support for micro-enterprises, and suggest that closing the gaps requires reaching the right businesses in the right way, not simply making protection more affordable or more visible.

02: The Scale

Micro-enterprises are less protected than they appear

The most basic measure of cybersecurity protection is whether a micro-enterprise uses any dedicated cybersecurity tool. Across the EU snapshot survey, only 42% of micro-enterprises have some form of cyber protection in place. But adoption alone is a weak signal of protection: among those who have adopted, coverage is often partial, leaving significant gaps in the threats they are actually defended against.

Cybersecurity is a stack of practices and tools that together address different ways a business can be compromised online. Our survey measured ten practices across four threat dimensions. Not all carry equal weight: some are essential foundations, others add meaningful depth, and some provide the systematic assurance that most micro-enterprises will never reach.

Credential protection covers strong or unique passwords, multi-factor authentication (MFA/2FA), and biometric locks. Credential theft is the most common entry point for attacks on small businesses.

Endpoint and network protection covers antivirus or anti-malware software, regular software updates, and VPN or firewall use.

Human and data risk covers employee cybersecurity training, web and email filtering, and data encryption.

Systematic assurance covers security expert assessment — external verification that unknown vulnerabilities have been identified and addressed.

How the ten measures map to threat dimensions


Figure: Ten cybersecurity tools mapped to four threat dimensions.
Credential protection: passwords, MFA, biometrics
Endpoint and network: AV, updates, VPN/firewall
Human and data risk: training, filtering, encryption
Systematic assurance: expert assessment
Legend: bridges two dimensions.

The adoption gap: 58% of micro-enterprises have no protection at all

58% of micro-enterprises in our sample are entirely unprotected — no antivirus, no multi-factor authentication, no strong passwords, and no dedicated cybersecurity measures of any kind.

Among these non-adopters, only 26% say they plan to adopt a cybersecurity solution in the coming 12 months, and stated intent usually overstates actual adoption. Even if all followed through, the share of micro-enterprises with no protection would fall from 58% to 43%, leaving over two in five unprotected in 2026. Adoption treats protection as binary: you either have it or you don't. The next two layers reveal why that framing is insufficient.

The exposure gap: The most digitally active are not the most protected

Cyber risk varies by how and to whom a business sells. A micro-enterprise running an e-commerce site, processing digital payments, and storing customer data in the cloud can be attacked in more ways than a bakery with a single point-of-sale terminal. If protection followed exposure, the most digitally active businesses would be the best protected — but our findings show otherwise.

Cyber adoption rises as businesses adopt more channels. Only 31% of in-person-only businesses adopt cybersecurity, rising to 40% for online-only businesses, and 56% for those selling across both channels. But the online-only segment stands out. Online-only micro-enterprises use digital tools at roughly the same rate as multi-channel businesses. They have comparable usage levels across cloud storage, digital payments, and marketing platforms. Yet their cyber adoption is 16 percentage points lower. They carry the exposure of a digitally active business without the protection.

The visualization below segments the population by how the business sells: in-person only, online only, or across both channels. For each segment, it shows the digital tools the business actually uses (the exposure surface) and how the segment splits across cyber adoption decisions. The reference line on the toolbars shows the total population average.

Figure 1 — Digital exposure and cyber adoption decisions by sales channel
All micro-businesses (100%): 42% adopted at least one cybersecurity tool.
Panel "Digital exposure: tools in use": share using each tool, shown for this segment against the population average. Average tools per business: 2.5.
Panel "Cyber adoption decisions": how the segment splits across protection states.
Engagement states: using and planning to adopt more; using, not planning to adopt more; planning to adopt, not yet using; unprotected, not planning to adopt. Source: EU Snapshot Study, n=1,336, weighted.

Who a micro-enterprise sells to also maps onto its level of protection. The pathway to protection is better explained by pressure than by customer type: businesses facing obligations from more directions end up better protected. Hybrid businesses — serving both businesses and consumers — cite compliance or partner requirements as the most common motivator, at 62%, compared with 47% for B2B-only and 50% for B2C-only firms.

| Channel segment | B2B customers | B2C customers | Hybrid customers | Spread |
|---|---|---|---|---|
| In-person only | 28% | 33% | 32% | 5pp |
| Online only | 40% | 33% | 52% | 19pp |
| Both channels | 66% | 45% | 62% | 22pp |

Cybersecurity adoption rate by channel and customer type. B2B in-person n=38, B2B online n=37 — interpret magnitudes cautiously.

The quality gap: some protection is not enough

A business that has installed antivirus software but never enabled multi-factor authentication has addressed one threat dimension while leaving itself exposed to credential attacks. Phishing alone accounts for 41% of cybersecurity incidents affecting small businesses (ENISA, Cybersecurity for SMEs 2021).

Among the 42% of EU micro-enterprises that have adopted at least one cybersecurity measure, only one quarter have all essential measures in place. Fewer than one in five are adequately covered. Strong protection, including periodic expert assessment, sits at 5%.

Protection is thinnest for measures that address human error and data breaches — employee training, web and email filtering, and data encryption. This dimension has the widest gap between partial and complete protection: 50 percentage points. Many adopters start here (30% use filtering, 27% use encryption), but employee training reaches only one in five micro-enterprises. Phishing accounts for 60% of all observed intrusion attempts across Europe (ENISA Threat Landscape, 2025). Without employee training, the most frequently used attack vector remains open.

03: The Insight

Standard levers to change behavior do not work

For most micro-enterprises, deprioritising cybersecurity is a reasonable daily judgment. The bakery was not attacked yesterday. The accountant's client data has not been breached. Time and money spent on unfamiliar tools would come at a real cost to operations that are already running lean. The problem is not that these calculations are wrong on any given day; it is that they are systematically ill-suited to low-frequency, high-consequence risks. Optimism bias reflects an accurate reading of recent experience. Understanding why micro-enterprises do not act requires taking that experience seriously rather than dismissing it.

The gaps described in the previous section could have many explanations: cost, complexity, lack of access, or low awareness. However, our survey data challenges many of these expected explanations.

Non-adopters cite low risk and low priority at twice the rate of cost

Among the 43% of micro-enterprises that neither use nor plan to use cybersecurity tools, the dominant barriers to protection are belief-based. One in three (33%) cite low risk perception ("our business is low risk for cyber threats"), or that cybersecurity is a lower priority than other business needs (31%). Together, more than half of non-adopters cite at least one of these belief-based reasons. This is more than double the rate of the leading structural barrier, costs, at 23%.

Barriers to cybersecurity adoption among non-adopters
Barriers are shown by level of concern about privacy and security. Legend: belief-based barrier; structural barrier.
Low concern: not influential or somewhat influential (n=81). High concern: highly influential or critical (n=348). Source: EU Snapshot Survey, Q17.

Optimism bias keeps concern from becoming action

Nearly two-thirds (61%) of all micro-enterprise owners already report that privacy and security concerns are critical or highly influential in their digitalization decisions. If concern reliably drove protection, this group should be better protected than others. They are not.

Digital growers — the 46% of micro-enterprises that value digitalization and plan to increase digital investment — show a cyber adoption rate of just 27%. Among those who have adopted, fewer than one in ten have even basic technical protections in place. Their higher incident exposure rate relative to digital leaders is not a function of how the group is defined: it is an empirical finding that warrants attention. Among digital growers who rated privacy and security as "critical" concerns for their business, 82% are unprotected and have no plans to adopt cybersecurity tools.

The consequences show up in the incident data. Growers report significant or severe cybersecurity incidents at nearly double the rate of digital leaders (7.4% vs. 3.9%), a meaningful gap in relative terms, though both rates remain low in absolute terms.

Significant or severe cybersecurity incidents in past two years
Digital Growers (n=624): 7.4% vs Digital Leaders (n=382): 3.8%
Circle size reflects relative rate. Both rates are low in absolute terms. Source: EU Snapshot Survey, Q4, weighted.

General awareness of cyber threats and personal assessment of individual risk operate at different levels. Owners may recognise that cyberattacks are a real and growing problem while also believing their own business is unlikely to be targeted. Behavioural research describes this as optimism bias: the tendency to accurately assess risk in the aggregate while underestimating personal exposure (de Smidt & Botzen, 2018).

Cresco, a Belgian cybersecurity provider, observed this pattern directly. In a sample of 50 penetration tests with micro-enterprises, 66% of participants reported feeling "invisible to attackers" before the test. Cresco found that all had at least one exploitable vulnerability: mail authentication gaps (61%), leaked or reused credentials (53%), missing HTTP security headers (33%), or exposed legacy services or open ports (22%). The micro-enterprise owners in Cresco's sample did not lack knowledge of cyber threats. They knew attacks happened. What they lacked was the belief that attacks could happen to them. General statistics about EU-wide incident rates did not change that belief. But for Cresco's 50 micro-enterprises, a vulnerability scan showing a specific, exploitable weakness on their own systems did. Cresco's sample is small and is used to illustrate the mechanism rather than to estimate its prevalence.

Optimism reframe in action — Cresco / Vultrac
What the scans typically find — quantitative scan, 50 small businesses

A vulnerability scan replaces "we're too small to be a target" with a specific list of weaknesses an attacker could use today.

Mail authentication gaps (DMARC/SPF/DKIM): 61%
Leaked or reused credentials: 53%
Missing HTTP security headers: 33%
Exposed legacy services or open ports: 22%
Weak TLS configuration: 20%
Verbose errors leaking system details: 20%

9 of 9 scans returned at least one exploitable finding.
8 of 9 participants changed at least one security practice after seeing their report.
Vultrac Pentest Suite Study (Cresco, 2026), 50 quantitative penetration tests; Vultrac Market Study (Cresco, 2026), qualitative follow-up with 9 small organisations. Samples illustrate the mechanism rather than estimate prevalence.

Direct experience of cyber incidents does not reliably improve protection

Direct experience might seem like the next option to overcome optimism bias. The Snapshot data suggests this, too, falls short.

Across all micro-enterprises in the sample, businesses that have experienced only minor incidents show the highest cybersecurity engagement at 62%. Among those that have experienced more severe incidents, engagement is lower, not higher — falling to 39% after severe incidents. Businesses that have been hit hardest are, on average, the least protected.

Figure 5 — Cyber engagement by incident severity
Share engaged with cybersecurity (using or planning to adopt) by reported incident severity.
Legend: engaged (using or planning); currently using.
The Snapshot Survey is cross-sectional — the relationship is associational. Severe incidents n=26: treat directionally. Source: EU Snapshot Survey, Q4, weighted.

None: No incidents detected. Minor: e.g. phishing caught before causing harm. Moderate: Brief disruption or unauthorised access. Significant: Data loss, fraud under €5,000, downtime under 24 hours. Severe: Major breach, fraud over €5,000, ransomware, extended downtime (n=26).

Among non-adopters, belief-based reasoning persists even after direct experience. After a minor incident, 31% still cite low risk as a reason for non-adoption. After a moderate incident, the figure shifts only slightly to 30%. Only after a severe incident does it drop to 19% — and even then, nearly one in five still believe their business is low risk. Behavioural economists call this pattern prospect theory (Kahneman & Tversky, 1979).

Micro-enterprises are willing to adopt cybersecurity solutions, but are stalled on capacity

For a substantial share of micro-enterprises, the decision to adopt cybersecurity tools may never reach the stage of conscious rejection. Micro-enterprise owners operate under constant scarcity of time, attention, and expertise. Cybersecurity competes against sales, payroll, supply management, regulatory compliance, and daily operations. Without immediate consequences or visible returns, it gets deferred.

Among non-adopters in our sample, 32% cite at least one capacity-related barrier: insufficient expertise or time (20%) or tool complexity (15%). By comparison, 17% cite cost as a barrier. When directly asked why they have not adopted cybersecurity, these businesses cite capacity nearly twice as often as cost.

Among those currently using or planning to adopt cybersecurity tools, the same pattern appears. When asked what support they need to adopt cybersecurity tools, the most reported needs are tools and solutions tailored to their size and business model (37%), ongoing expertise and support (32%), training programs (27%), and integration support (27%). Finance or subsidies are cited by only 23%. Even businesses willing to adopt cybersecurity are asking for a reduction in the operational burden associated with it, not for funding.

Figure 7 — Support needs cited by engaged micro-enterprises
Support needs cited by micro-enterprises that currently use cybersecurity tools or plan to adopt them.
Legend: capacity-related support need; other support needs.
89% of engaged micro-enterprises cite at least one capacity-related support need. Only 23% cite finance or subsidies.
Q16, asked of current users or planning adopters (n=762 unweighted). Respondents could select up to three needs; percentages do not sum to 100. Source: EU Snapshot Survey, weighted.

Three independent sources in this study point to the same specific barrier: micro-enterprises do not recognise the terminology used by the cybersecurity industry. Multi-factor authentication, VPN, data encryption, web filtering — these terms are accurate but alienating to owners who do not consider themselves to be running "sophisticated digital businesses." The survey itself acknowledges that respondents may have under-reported their cybersecurity measures because they did not recognise the terms in the questionnaire.

Cresco's qualitative interviews with micro-enterprises surfaced the same finding. A family wine shop owner asked for fewer IT phrases and to be spoken to "like shop owners, not experts." The same interviewee valued Cresco's AI chat function because it allowed simple questions, like "what's an SSL?" to be asked without judgment.

Artificial intelligence, in this context, refers to software tools that use machine learning or automated reasoning to perform tasks that would otherwise require human judgment. For micro-enterprises this often ranges from scheduling and invoicing to customer communication and fraud detection. Basic AI tools (such as AI-assisted writing, chatbots, or automated workflows) are already in use by 35% of EU micro-enterprises in our sample. Advanced AI tools (such as predictive analytics or custom-trained models) are used by 15%.

AI adoption matters for cybersecurity for a specific reason: AI tools expand a business's digital footprint in ways that are not always visible to the owner. An AI invoicing tool connects to cloud services. An AI customer assistant processes personal data. An AI scheduling system integrates with external platforms. Each connection is a potential entry point for attackers, and most micro-enterprises adopting AI tools are doing so without cybersecurity in place.

Nearly half of the EU micro-enterprises in our sample that currently use AI tools have no cybersecurity protection at all (49%). Among Digital Growers — the segment most likely to be adopting new digital tools next — 36% plan to adopt AI in the next 12 months. As AI adoption accelerates, the exposure it creates will grow faster than the defenses being built against it.

Lupasafe, a Dutch provider of affordable cyber monitoring and compliance tools for small teams, arrived at the same finding through a different route. Their direct sales channel underperformed, and user interviews revealed that terminology was suppressing conversion. The company redesigned its product around language used in everyday conversation and built a chat assistant that delivers security guidance in simple, everyday terminology.

Figure 6 — Three sources, one finding: language as a barrier
The language used to describe cybersecurity is itself a barrier to engagement.

01 EU Snapshot Study (methodological caveat)
Cybersecurity terminology carries significant jargon — terms such as multi-factor authentication, VPN and data encryption may not be universally recognised, and some respondents may have under-reported tools they use under different names.
Methodology note, threat-coverage analysis

02 Cresco / Vultrac (qualitative interviews, 9 small organisations)
"Use fewer IT words. Talk to us like shop owners, not experts."
Family wine business owner, on the scan report

03 Lupasafe (project insights, 255 small businesses)
Small businesses rejected complex certifications. Client interviews revealed need for jargon-free guidance. B1 language level and mobile-first UX critical.
Strive Impact Report — key learning that drove product redesign

Three independent sources, three different methodologies, the same observation. The technical vocabulary that the cybersecurity field uses to describe itself is a tax on the bandwidth of the audience it is trying to reach.

04: The Evidence

Four things actually shift micro-enterprise behavior

The previous section identified the barriers that keep micro-enterprises from adopting cybersecurity: the belief that they are not at risk, the failure of awareness and direct experience to dislodge that belief, and the scarcity of time, expertise, and accessible language needed to act. Three EU-based cybersecurity providers and the EU's NIS2 regulatory framework offer evidence on mechanisms that gain traction against these barriers. None of the providers claims to have solved the protection gap, but each has found a way to address a specific dimension of it.

Vulnerability scans can make cyber threats personal and specific

Cresco, a Belgian provider, identifies specific vulnerabilities in micro-enterprises' own systems through penetration tests — structured scans that identify exploitable weaknesses, from mail authentication gaps to leaked credentials to exposed legacy services.

Across 50 penetration tests conducted with micro-enterprises, two-thirds of participants reported feeling "invisible to attackers" before the test. Every business had at least one exploitable vulnerability. What matters for intervention design is what happened after owners saw their specific results.

Follow-up interviews with nine of these micro-enterprises exposed a consistent pattern. Those who had rated their risk lowest were the ones who changed their behaviour most. A family-owned wine shop had reasonably assumed that small shops were not targeted, until the scan discovered a vulnerability in their checkout connection. A primary school that assumed it would not attract attention from cyber attackers discovered weak staff login credentials and exposed student lists. A GDPR consultancy that considered itself well-protected discovered a sub-domain takeover risk it had not known about.

Eight of nine participants changed at least one security practice after seeing their report. These samples are small and illustrate the mechanism rather than estimating the extent of the effect. But the direction is consistent: a scan that returns a specific, exploitable weakness in the owner's own systems reaches a level of decision-making that general statistics cannot.

"Two espressos per employee" makes the cost of protection concrete

Redamp.io addresses the abstract financial case by making both sides visible and specific. Its company plan costs €5.99 per user per month — "two espressos per employee." For a ten-person micro-enterprise, that totals approximately €720 a year, set against €7,700, the median cost of a single cybersecurity incident. Annual protection costs less than 10% of the cost of one incident.

Where Cresco's scan makes the probability of an incident personal, Redamp.io's pricing makes the financial magnitude concrete: "Could it happen to me?" and "What would it cost if it did?"

Compliance obligations open paths to adoption without changing beliefs

The EU's NIS2 Directive creates a compliance-driven pathway that bypasses belief entirely. For a micro-enterprise in a regulated supply chain, the motivation to adopt is not "I might be attacked" — it is "my client requires this." Among micro-enterprises that use or plan to use cybersecurity tools, 53% cite at least one external pressure as an adoption driver: compliance (35%) or requirements from business partners (32%). External pressure does not require the owner to recalibrate their risk beliefs. The cost of inaction is a present obligation, not a hypothetical future loss.

Intermediaries turn the decision to adopt tools into a managed service

Lupasafe, a Dutch provider of affordable cyber monitoring and compliance tools for small teams, found that simplifying product language improved direct sales — but the more significant shift was to a new channel entirely. By building a network of managed service providers (MSPs), Lupasafe found a route to scale that direct sales could not match.

An MSP handles the entire tool adoption process on an owner's behalf. The MSP selects the appropriate product, installs and configures it, continuously monitors it, and translates compliance requirements into actions that businesses can follow. The owner does not evaluate vendors, learn technical systems, or maintain anything.

This MSP-led channel, which includes over 60 partner MSPs across the Netherlands, Spain, and nine countries across Latin America, became Lupasafe's primary path to scale. Each MSP onboarded approximately 17 new small business clients per month. According to Lupasafe data, 74% of micro-enterprises onboarded through MSPs maintained active adoption for at least 60 days.

These four mechanisms differ in their approaches but share a common feature: making cybersecurity concrete and proximate for micro-enterprises. A penetration test turns "cyber threats exist" into "your checkout process has a weakness." A pricing comparison turns "protection is an investment" into "it costs less than one incident." A compliance requirement turns "you should protect yourself" into "your client requires this." An intermediary turns "evaluate these tools" into "someone already handles it for you." The barriers identified earlier — beliefs, the failure of awareness, and capacity constraints — are real and stable. These four mechanisms gain traction because they meet those barriers on their own terms.

05: The Strategy

Closing the gaps means reaching the right micro-enterprises where they already stand

The previous section identified four mechanisms that can shift behavior. But not all micro-enterprises face the same barriers, and not all mechanisms will work equally across the range. A vulnerability scan is the right tool for a business that believes it is not at risk. It is the wrong tool for a business that already knows it is at risk and cannot find the time to act. Matching the intervention to the relevant barrier is what closes the protection gap.

The data points to four micro-enterprise segments. Each is defined by where a business currently sits on cybersecurity adoption and where it intends to go.

43%: Unprotected, no plans to change
The largest and hardest-to-reach segment. The barrier is belief — 33% cite low risk, 31% cite lower priority.
Primary lever: Diagnose, don't broadcast: diagnostic evidence that makes the threat local and specific

14%: Planning but not yet adopting
Belief is no longer the barrier. What blocks this group is bandwidth, language, and cost asymmetry.
Primary lever: Bundle and translate: package cybersecurity with the second digital tool they're already buying

24%: Using but not increasing
Past initial adoption, but stalled before adequate protection. Human and data risk measures lag at every level of maturity.
Primary lever: Close the depth gap: show what "enough" looks like through sector training and MSP assessment

19%: Using and expanding
The most engaged segment. External pressure is the most common motivation. They are not waiting to be persuaded.
Primary lever: Build intermediary capacity: translate compliance requirements into operational steps owners can follow

Unprotected with no plans to change: Meet owners with diagnostic evidence to illustrate value

This is the largest segment, at 43% of micro-enterprises, and the hardest to reach. The barrier for this segment is belief. As the data in the previous sections showed, 33% cite low risk, and 31% cite lower priority as their reasons for not adopting, and raising general concern does not shift risk perceptions. This group needs personalized evidence that cannot be dismissed, not more generalized information about the scale of the problem.

Vulnerability scans, benchmarking against peers in the same sector, and platform-level checks delivered by trusted intermediaries all work by replacing general concern with specific, observable weaknesses within the owner's own systems. The intervention design principle is the same across all three: make the threat local, rather than global.

Planning but not yet adopting: Lower the purchase threshold through bundles and plain language

Fourteen percent of micro-enterprises plan to adopt cybersecurity measures but have not yet done so. For this segment, belief is no longer a barrier. Instead, bandwidth, language, and cost asymmetries block them from adoption. They intend to act, but cannot follow through.

The data points to a specific intervention window. The largest single increase in cybersecurity adoption in the sample occurs at the transition from one to two digital tools, where adoption nearly triples. This is the moment when a business moves from opportunistic use of digital tools to something more deliberate, and when cybersecurity is most likely to enter the frame.

Bundling is a primary lever for this segment. By packaging cybersecurity alongside another digital tool a business adopts (such as cloud storage, financial management software, or marketing and CRM platforms), it removes the evaluation decision. The owner does not choose cybersecurity; it arrives with a tool they have already decided to buy. Where bundling is not possible, routing through intermediaries, such as MSPs, achieves a similar outcome. Communications to this segment should follow plain-language principles and make the cost of inaction concrete, as Redamp.io's pricing approach does.

Using but not increasing: Close the quality gap by showing what 'enough' looks like

Twenty-four percent of micro-enterprises currently use some cybersecurity tools, but have no plans to increase their use. They are past the initial adoption barriers, but have stalled before building adequate protection. The gap is in the depth of protection, rather than adoption.

Measures addressing endpoint, network, and credential protection are in place across most of this segment. Antivirus software, system updates, password management, and multi-factor authentication appear at relatively high rates. What lags at every level of digital maturity is the human-and-data-risk threat dimension: employee training, web and email filtering, and data encryption. These measures do not arrive on their own with maturity. They require active, ongoing effort from the business, and they are exactly what an owner running every business function alone is most likely to defer.

The interventions here are clear. Sector-specific training programs address the training gap directly. MSP-delivered assessments identify which human-and-data-risk measures are missing and prioritize them. Platform partnerships that make filtering and encryption default settings address the scarcity of attention that keeps these measures perpetually deferred by owners in this segment.

Using and increasing: Use intermediaries' trusted relationship to build capacity

The smallest segment, at 19%, is also the most engaged. These micro-enterprises are current cybersecurity adopters and plan to increase their use. For this segment, external pressure, from compliance requirements and partner obligations, is the most common motivation. They are not waiting to be persuaded.

The lever here is "translation infrastructure." Micro-enterprises need intermediaries who can translate compliance requirements or supply-chain security questionnaires into specific operational steps a micro-enterprise owner can follow. Subsidising MSP capacity building, training trade associations to provide cyber-compliant guidance, and equipping accountants and digital agencies with diagnostic tools all act on the same constraint.

For the most digitally mature businesses within this segment, the message can shift further still. More than half of digital leaders in this segment (54%) are motivated by the desire to gain a competitive edge, 19 percentage points above digital growers. For this segment, cybersecurity has shifted from loss avoidance to strategic positioning. Messaging that leads with a competitive advantage rather than risk mitigation is better matched to this segment.

Four segments, four different barriers, four different levers. Across all of them, the interventions that work are those designed around the specific constraint a business actually faces, not the constraint that policy or product design has historically assumed.

The interventions described above are those the data directly licenses, not exhaustive recommendations. Each segment's lever reflects the dominant barrier or driver identified in the analysis.

06: The Call

The gaps will not close on their own

The findings in this report point to insights that should change how resources are directed. The cybersecurity protection gap among EU micro-enterprises is not primarily an awareness, technology, or cost problem. It is a design problem, and it is becoming more urgent.

Digital growers have the lowest cybersecurity adoption rate of any group in this study, despite representing the 46% of EU small businesses that are planning to increase their investment in digitalization. These are the businesses Europe most wants to bring further into the digital economy, and the ones currently most exposed to cyber threats.

The Snapshot Study data points to a striking association: businesses that use cybersecurity tools are significantly more likely to plan AI adoption. 54% of cyber users plan to adopt AI in the next 12 months, against 36% of those with no cyber tools in place. Whether cybersecurity enables AI readiness or whether both reflect a broader digital maturity is a question this cross-sectional data cannot answer. But the pattern is clear: the businesses least protected are also among the least prepared for the next wave of digital adoption. Accelerating digital transformation without building protection first may actively limit their ability to take the next step. The gap between digitalization and protection is actively widening for these micro-enterprises.

Four groups need to act as a system.

The regulatory signal already exists — but it needs to be used carefully.

The NIS2 Directive creates a compliance pathway that works best for micro-enterprises when it flows through supply chains rather than landing directly on the smallest businesses as a compliance obligation. 55% of EU SMEs already identify regulatory obstacles as their single greatest challenge (EESC, 2025). Adding direct cybersecurity obligations to that load would likely compound the capacity and bandwidth barriers this study documents. The most effective use of NIS2 for this segment is as a demand signal: extending the compliance logic to additional sectors and supply chain tiers, so that external pressure reaches micro-enterprises through commercial relationships rather than direct regulatory requirements.

Funders and programme designers need to build the delivery infrastructure.

The evidence supports three design interventions directly: building intermediary capacity so that MSPs, trade associations, and accountants can offer managed cybersecurity services at scale; bundling cybersecurity tools into digital support programmes at the one-to-two tool transition, where the data shows adoption nearly triples; and funding diagnostic tools for cost-constrained segments, particularly in the construction sector, where cost barriers are measurably higher than in other sectors. Each maps to a specific finding in this study.

Intermediaries are the missing link.

MSPs, trade associations, accountants, and sector federations are best positioned to translate a compliance requirement or a supplier questionnaire into a specific operational action that a five-person business can follow. Lupasafe's retention data illustrates why this matters: an intermediary-led sales channel produces substantially higher micro-enterprise retention than a direct sales channel, because the intermediary has an existing trusted relationship with the micro-enterprise, and absorbs the complexity that the owner cannot. Building intermediary capacity is the systemic intervention on which the other three groups depend.

The most effective cybersecurity products are designed around how owners actually make decisions.

The evidence from Cresco, Redamp.io, and Lupasafe points to what effective products look like in practice: specific evidence rather than general awareness, concrete cost comparisons rather than abstract risk, plain language rather than technical vocabulary, and managed services rather than direct sales. Mainstream cybersecurity products are largely not designed in this way. Those that have redesigned around the behavioral reality of micro-enterprise owners are finding traction. Those that have not are not reaching the businesses that need them most.

For a five-person business, a cyberattack is not an inconvenience. It can end the business entirely. Of micro-enterprises in this study, 58% have no protection at all, and the businesses Europe most wants to bring into the digital economy are the ones currently most exposed. NIS2 introduces new compliance pathways, and the European Commission's active simplification agenda reflects a growing awareness of the burden regulation places on the smallest businesses. But policy architecture without delivery infrastructure will not reach the businesses that need it most.

Methodology

Methodology note

This study draws on 1,336 micro-enterprises across 23 EU countries and uses behavioral analysis and direct provider evidence alongside survey data. It is only a starting point. A longitudinal study tracking the same businesses over time would provide stronger grounds for understanding the direction and durability of the patterns identified here, and could be designed to exploit variation in NIS2 implementation across EU Member States to move closer to causal inference.

All findings draw on the Mastercard Strive EU Snapshot Survey conducted by Caribou on behalf of the Mastercard Center for Inclusive Growth. The survey covers n = 1,336 micro-enterprises in 23 EU countries, weighted by geographic region (Central-Eastern, Northern, Southern, and Western Europe) and firm size (sole trader vs. 2–10 employees). We applied weights to all proportional estimates throughout this report. Micro-enterprises are defined as solopreneurs and businesses with fewer than 10 employees.

Findings should be treated as directional unless otherwise noted; significance testing was conducted and is available on request.

Caribou constructed three digital personas — leaders, growers, and stagnants — from three underlying dimensions: the owner's rating of digitalization importance (Q2), current digital tool count (Q5), and digital investment intent (Q8). We classified businesses with at least two "high" scores across these dimensions as leaders (36%); those with at least two "low" scores as stagnants (16%); and the remainder as growers (48%).