The cybersecurity context for mid-sized companies in Spain is changing on three simultaneous fronts: regulatory pressure from NIS2, attackers operating with increasingly accessible AI tools and insurers redefining what it means to be insurable. These are not changes that are coming: they are already here.
Change 1: cyber insurance will demand more
Insurers have spent two years tightening cyber risk policy conditions. What was previously a 'nice to have' — MFA on all privileged access, EDR on all endpoints, documented patch management — is becoming a coverage requirement. Companies that do not meet these basic controls will see premiums rise significantly or lose coverage entirely. We are already seeing this in policy renewals: underwriting questionnaires are becoming increasingly technical and specific.
Change 2: AI-automated attacks will lower the entry threshold
The cost of launching a sophisticated, personalised phishing attack has fallen dramatically with the democratisation of language models. An attacker without advanced technical skills can now generate phishing emails in correct Spanish, adapted to the sector and the recipient's role, at scale. The perimeter of who can be targeted by a well-crafted attack has expanded significantly. Companies that thought they were too small or uninteresting to be targeted are mistaken.
Change 3: NIS2 will start having real consequences
NIS2 as transposed in Spain is raising security obligations for sectors that were previously off the regulatory radar. Beyond classic critical sectors, logistics, manufacturing, digital services and supply chain companies are coming into scope. Obligations include documented risk management, incident notification within 24-72 hours and board-level accountability. The preparation window before the first inspections arrive is closing.
Change 4: the MSSP market will consolidate
The number of small managed security providers that cannot invest in the capabilities today's market demands — AI-based detection, updated threat intelligence, NIS2 compliance — will shrink. For client companies, this means some of their current security suppliers may not be able to deliver the service they will need in the next 12-18 months. It is worth evaluating now whether your current provider has the capacity to keep pace.
What you should review before year end
- MFA enabled on all critical system access and remote access
- EDR deployed on all endpoints, including remote work equipment
- Patch management process documented and executed at least monthly
- Third-party access review: close everything without verified active use
- Backup restoration test documented and run within the last 90 days
- Updated systems inventory with assigned business criticality
- Assessment of whether your company falls within NIS2 scope and what obligations that implies
- Review of the cyber insurance renewal questionnaire to identify gaps before renewal arrives
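The list above is easier to act on when it is run as a check rather than read as a reminder. The following script is an added example (not part of the original article) that evaluates a constructed control inventory against the checklist thresholds stated above: MFA on critical access, EDR on every endpoint, a patch run within the last month, third-party accounts with verified active use, a restore test within 90 days and a criticality rating for every system. The inventory, the host and account names, and the 90-day window used for third-party verification are assumptions for illustration; only the monthly patch cadence and the 90-day restore-test window come from the checklist.

```python
"""Checklist gap evaluator over a constructed control inventory (added example)."""
from datetime import date

# Thresholds: the patch cadence ("at least monthly") and the restore-test window
# (90 days) come from the checklist; the third-party verification window is an
# assumption for this example.
MAX_DAYS_SINCE_PATCH_RUN = 31
MAX_DAYS_SINCE_RESTORE_TEST = 90
MAX_DAYS_SINCE_ACCESS_VERIFIED = 90


def days_since(when, today):
    """Whole days elapsed between `when` and `today`."""
    return (today - when).days


def evaluate_posture(inv, today):
    """Return a list of (checklist_item, detail) gaps; an empty list means no gaps."""
    gaps = []

    # MFA on all critical system access and remote access
    for system in inv["critical_access_without_mfa"]:
        gaps.append(("MFA", f"no MFA enforced on {system}"))

    # EDR on all endpoints, including remote work equipment
    for host in inv["endpoints_without_edr"]:
        gaps.append(("EDR", f"no EDR agent on {host}"))

    # Patch management executed at least monthly
    patch_age = days_since(inv["last_patch_run"], today)
    if patch_age > MAX_DAYS_SINCE_PATCH_RUN:
        gaps.append(("Patching", f"last patch run {patch_age} days ago"))

    # Third-party access: anything without verified active use should be closed
    for acct in inv["third_party_accounts"]:
        verified = acct["last_verified"]
        if verified is None or days_since(verified, today) > MAX_DAYS_SINCE_ACCESS_VERIFIED:
            gaps.append(("Third-party access", f"{acct['name']}: no verified active use, close it"))

    # Backup restoration test run within the last 90 days
    restore_age = days_since(inv["last_restore_test"], today)
    if restore_age > MAX_DAYS_SINCE_RESTORE_TEST:
        gaps.append(("Backup restore", f"last restore test {restore_age} days ago"))

    # Systems inventory with assigned business criticality
    for system in inv["systems_without_criticality"]:
        gaps.append(("Inventory", f"{system} has no business criticality assigned"))

    return gaps


# Constructed sample inventory (not real data); dates chosen so that some
# controls pass and others fail.
SAMPLE_TODAY = date(2025, 12, 1)
SAMPLE_INVENTORY = {
    "critical_access_without_mfa": ["vpn-gateway"],
    "endpoints_without_edr": ["laptop-remote-17", "laptop-remote-22"],
    "last_patch_run": date(2025, 11, 20),
    "third_party_accounts": [
        {"name": "vendor-erp-support", "last_verified": date(2025, 11, 5)},
        {"name": "old-consultant", "last_verified": None},
    ],
    "last_restore_test": date(2025, 7, 15),
    "systems_without_criticality": ["legacy-file-server"],
}

# An inventory with every control in place, for comparison.
CLEAN_INVENTORY = {
    "critical_access_without_mfa": [],
    "endpoints_without_edr": [],
    "last_patch_run": date(2025, 11, 25),
    "third_party_accounts": [{"name": "vendor-erp-support", "last_verified": date(2025, 11, 5)}],
    "last_restore_test": date(2025, 10, 1),
    "systems_without_criticality": [],
}

if __name__ == "__main__":
    for item, detail in evaluate_posture(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"[{item}] {detail}")
```

On the sample inventory the script reports six gaps (one MFA, two EDR, one third-party account, the overdue restore test and one unrated system) and no patching gap, since the last patch run is 11 days old. Feeding it an export of your own control records, rather than the constructed data, turns the checklist into something you can rerun before every insurance renewal.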
None of these measures requires extraordinary investment for companies starting from a reasonable baseline. Most are hygiene measures that should already be in place. The problem is that for many mid-sized companies they are not, and the window to catch up before consequences arrive is closing.
If you want to know how your company stands against these changes, we run a security posture diagnostic that identifies the most urgent gaps in under a week.