What “Proportionate” Cyber Risk Looks Like for SMEs Under the New Bill

One word appears repeatedly in the Cyber Security and Resilience Bill: proportionate.

For many SMEs, it sounds reassuring.
For others, it sounds dangerously undefined.

Both reactions miss the point.

Under the new regime, proportionate does not mean light-touch.
It means risk is judged relative to impact and dependency — not organisational size.

Why “proportionate” worries SMEs

SMEs hear “appropriate and proportionate measures” and immediately ask:

  • Proportionate to what?

  • Who decides?

  • After an incident, or before?

Those are the right questions.

That is because the Bill does not define proportionate in isolation.
It defines it in context.

Proportionate to dependency, not headcount

Under the Bill:

  • a small firm supporting a critical service can face higher expectations than a larger firm in a non-critical role,

  • a niche supplier can be more important than a diversified enterprise,

  • and a single access pathway can matter more than revenue.

Proportionality is assessed against:

  • the essential activity you support,

  • the scale of disruption your failure would cause,

  • and how many others depend on you.

This is designation-by-dependency in practice.

What proportionate does not mean

It does not mean:

  • “best effort” without evidence,

  • “we’re too small” as a defence,

  • or generic policies copied from templates.

After an incident, proportionality is judged by decisions made under pressure, not by intentions.

What proportionate looks like in reality for SMEs

For most SMEs, proportionate cyber risk management is not enterprise security.
It is focused, disciplined readiness.

In practice, that means:

Clear scope awareness
Knowing whether you support regulated customers, MSPs or essential services — and how.

Defensible incident response
Being able to detect, assess and report incidents within regulatory timelines, even if execution relies on partners.

Controlled access
Understanding and limiting privileged access pathways, especially shared or persistent ones.

Customer-aware response
Knowing which customers would be affected by an incident and how they would be informed.

Evidence of judgement
Being able to explain why decisions were made, not just what controls exist.

None of this requires a SOC or a compliance department.
It requires clarity.

Where SMEs get caught out

Most SMEs fail proportionality tests not because they lack controls, but because:

  • responsibilities are informal,

  • decisions rely on individuals rather than process,

  • and assumptions go untested.

When an incident happens, uncertainty becomes visible — and regulators notice.

Why proportionality still works in SMEs’ favour

Done properly, proportionality protects SMEs:

  • it avoids imposing enterprise-scale burdens,

  • it allows shared services and external support,

  • and it focuses effort where it actually matters.

But it only works if SMEs engage deliberately — not reactively.

The practical takeaway

If you cannot clearly articulate:

  • what you are critical to,

  • how your failure would affect others,

  • and how you would respond under time pressure,

then your risk posture is not proportionate — it is opaque.

Call to action

If you are unsure what “appropriate and proportionate” means for your role in the supply chain, now is the time to define it — not during a live incident or regulatory enquiry.
Contact Cyber Tzar to assess your dependency-driven risk profile and establish proportionate, defensible cyber resilience aligned with the new Bill.
