Abstract
This dissertation examines the preparedness of mid-sized firms for emerging cyber incident reporting regulations, synthesising contemporary research from multiple jurisdictions. As regulatory frameworks such as the European Union’s Network and Information Security Directive 2 (NIS2) impose stricter reporting timelines and procedural requirements, organisations face unprecedented compliance challenges. Through systematic literature synthesis, this study analyses empirical evidence from the European Union, United States, and developing economies to assess current readiness levels among mid-sized enterprises. Findings reveal partial but uneven readiness, with significant gaps in incident detection capabilities, formal response planning, and awareness of reporting channels. Confidence levels in meeting mandated reporting timelines remain concerningly low, particularly among smaller enterprises within the mid-sized category. Resource constraints, limited cybersecurity expertise, and unclear regulatory mechanisms emerge as primary barriers to compliance. The analysis identifies targeted guidance, automation technologies, and capacity-building initiatives as critical enablers for improving readiness. This research contributes to academic discourse on regulatory compliance within cybersecurity governance and offers practical recommendations for policymakers and organisational leaders seeking to enhance incident reporting capabilities.
Introduction
The contemporary digital landscape presents organisations with an increasingly complex threat environment, wherein cyber incidents pose substantial risks to operational continuity, financial stability, and stakeholder trust. Recognising these escalating risks, regulatory bodies across multiple jurisdictions have introduced or strengthened mandatory cyber incident reporting requirements, fundamentally altering the compliance obligations facing organisations of all sizes. The European Union’s NIS2 Directive, the United States Securities and Exchange Commission’s cybersecurity disclosure rules, and similar frameworks in other jurisdictions collectively signal a paradigm shift toward mandatory, time-bound incident reporting with significant penalties for non-compliance.
Mid-sized firms occupy a particularly challenging position within this evolving regulatory landscape. Unlike large enterprises, which typically possess dedicated cybersecurity teams and substantial compliance resources, mid-sized organisations frequently operate with constrained budgets, limited specialist personnel, and competing operational priorities. Simultaneously, these firms often manage critical infrastructure, handle sensitive data, and maintain supply chain relationships that render them attractive targets for cyber adversaries and subjects of regulatory scrutiny.
The practical importance of examining mid-sized firm readiness extends beyond individual organisational compliance. These enterprises constitute a significant proportion of the economy across developed and developing nations, contribute substantially to employment, and frequently serve as critical nodes within broader supply chain ecosystems. Their collective cybersecurity posture, therefore, has systemic implications for national and international security, economic resilience, and public trust in digital infrastructure.
Academically, this topic intersects with several established research domains, including regulatory compliance theory, organisational resilience, information security governance, and small-to-medium enterprise management. The intersection of these fields provides fertile ground for scholarly inquiry, particularly as relatively limited research has specifically examined mid-sized firm preparedness for the newest generation of incident reporting requirements.
This dissertation addresses a timely and pressing question: whether mid-sized firms possess the capabilities, processes, and organisational readiness necessary to meet new regulatory expectations for cyber incident reporting. By synthesising contemporary empirical research across multiple jurisdictions, this study provides a comprehensive assessment of current readiness levels, identifies principal barriers to compliance, and proposes evidence-based pathways for improvement.
Aim and objectives
Aim
The primary aim of this dissertation is to critically evaluate the current state of cyber incident reporting readiness among mid-sized firms in the context of emerging and strengthening regulatory expectations across multiple jurisdictions.
Objectives
To achieve this aim, the following objectives guide the research:
1. To synthesise contemporary empirical evidence regarding current cybersecurity readiness levels among mid-sized and small-to-medium enterprises across different geographical contexts.
2. To examine specific challenges that mid-sized firms face in meeting cyber incident reporting obligations, including timeline compliance, procedural clarity, and resource allocation.
3. To identify factors that enhance or impede organisational readiness for incident reporting compliance.
4. To analyse the implications of current readiness gaps for regulatory compliance and to propose evidence-based recommendations for improvement.
5. To contribute to academic understanding of the intersection between cybersecurity governance, regulatory compliance, and organisational capacity within mid-sized enterprises.
Methodology
This dissertation employs a systematic literature synthesis methodology to address the research aim and objectives. Literature synthesis represents an established approach within academic research for consolidating, analysing, and critically evaluating existing empirical and theoretical work on a defined topic (Snyder, 2019). This methodology proves particularly appropriate when seeking to understand complex phenomena examined across multiple studies, contexts, and jurisdictions.
Search strategy and source selection
The literature search strategy prioritised peer-reviewed academic journals, conference proceedings, and reports from reputable governmental and international organisations. Primary databases searched included Scopus, Web of Science, IEEE Xplore, and ACM Digital Library. Search terms encompassed combinations of keywords including “cyber incident reporting,” “NIS2 compliance,” “SME cybersecurity readiness,” “incident response,” and “regulatory compliance.”
Selection criteria required sources to be published within the past five years to ensure currency and relevance to contemporary regulatory frameworks. Sources were further evaluated for methodological rigour, relevance to mid-sized or small-to-medium enterprises, and direct applicability to incident reporting obligations.
Analytical approach
The analytical framework employed thematic synthesis, wherein extracted findings were organised according to recurring themes, patterns, and relationships identified across the literature. This approach enabled systematic comparison of findings from different geographical contexts, regulatory environments, and organisational settings.
The synthesis specifically examined: current readiness levels and gaps; specific challenges related to incident reporting obligations; factors enabling or inhibiting readiness; and implications for policy and practice. Throughout the analysis, attention was given to contextual factors that might influence findings, including regulatory environment, economic development level, and organisational characteristics.
Limitations
Several limitations warrant acknowledgement. First, the reliance on published literature means that findings may not capture the most recent developments in organisational practices or regulatory implementation. Second, definitional variations in what constitutes “mid-sized” firms across different jurisdictions introduce some heterogeneity in the populations studied. Third, publication bias may mean that organisations with particularly poor readiness levels are underrepresented in the literature if they declined to participate in research studies.
Despite these limitations, the systematic literature synthesis methodology provides a rigorous and transparent approach to consolidating current knowledge on mid-sized firm readiness for cyber incident reporting requirements.
Literature review
The evolving regulatory landscape for cyber incident reporting
The regulatory environment governing cyber incident reporting has undergone substantial transformation in recent years. The European Union’s NIS2 Directive, which entered into force in January 2023 and required transposition into member state legislation by October 2024, represents a significant strengthening of previous requirements under the original NIS Directive (European Commission, 2022). NIS2 expands the scope of covered entities, introduces stricter reporting timelines, and imposes substantial penalties for non-compliance.
Under NIS2, organisations in essential and important sectors must provide an early warning to competent authorities within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours and a final report within one month (Busetti and Scanni, 2025). These compressed timelines place considerable demands on organisational detection, assessment, and reporting capabilities.
Similar regulatory developments have emerged in other jurisdictions. In the United States, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 established mandatory reporting requirements for critical infrastructure entities, whilst the Securities and Exchange Commission introduced rules requiring publicly traded companies to disclose material cybersecurity incidents within four business days (U.S. Securities and Exchange Commission, 2023). These developments collectively signal a global trend toward mandatory, time-bound incident reporting with meaningful enforcement mechanisms.
Current readiness levels among mid-sized enterprises
Empirical studies consistently reveal gaps in incident detection, response capabilities, and formal planning across mid-sized and small-to-medium enterprises in multiple jurisdictions. Research encompassing European, American, and developing economy contexts demonstrates that many organisations lack the foundational capabilities necessary for effective incident reporting (Joswig and Kurz, 2025; Egwuatu, 2025; Ikuero and Zeng, 2022; Clark and Mujeye, 2025; Aldabjan et al., 2024; Neri, Niccolini and Martino, 2023).
Within the European Union context, empirical analysis of NIS2 adoption among German small-to-medium enterprises in critical sectors reveals moderate compliance at best, with smaller service firms scoring particularly low on requirements including incident reporting and risk management (Joswig and Kurz, 2025). This finding proves concerning given Germany’s status as one of the European Union’s largest economies with relatively advanced digital infrastructure.
Research examining African small-to-medium enterprises identifies reliance on ad-hoc tools, limited training provision, and absence of formal incident response mechanisms (Egwuatu, 2025). These findings suggest that organisational readiness falls significantly below established international benchmarks such as the National Institute of Standards and Technology Cybersecurity Framework and ISO 27001 standards.
In the United States, despite widespread adoption of Industry 4.0 technologies, small-to-medium enterprises demonstrate limited incident detection and response systems alongside weak policy awareness at all organisational levels (Clark and Mujeye, 2025). This gap between technological adoption and security capability raises particular concerns regarding the expanding attack surface that advanced technologies introduce.
Challenges specific to incident reporting obligations
Beyond general cybersecurity readiness, research identifies specific challenges that organisations face in meeting incident reporting obligations. Under NIS2, small-to-medium enterprises in critical sectors rate incident reporting as one of the most challenging obligations, primarily due to strict timelines, unclear mechanisms, and small cybersecurity teams (Joswig and Kurz, 2025).
Quantitative assessment of confidence levels reveals concerning patterns. Average confidence in meeting NIS2 reporting timelines reaches only 54.8 out of 100, with substantial variation based on organisational size. Small firms report confidence levels ranging from 20 to 60, whilst larger small-to-medium enterprises demonstrate higher confidence levels between 75 and 100 (Joswig and Kurz, 2025). This size-based disparity suggests that resource constraints significantly influence perceived ability to comply with reporting requirements.
Awareness of reporting channels and procedures presents additional barriers. Research examining Nigerian micro and small enterprises found that 72 to 75 percent were unaware of appropriate reporting channels, whilst 85 percent did not report incidents at all (Ikuero and Zeng, 2022). Although this research examined a developing economy context, awareness gaps may exist to varying degrees across all jurisdictions.
Broader evaluations highlight capacity gaps and reluctance to report, particularly among organisations with limited cybersecurity capability (Busetti and Scanni, 2025; Ebert et al., 2025). Reluctance may stem from concerns about reputational damage, regulatory scrutiny, or simply uncertainty about reporting processes.
Factors influencing organisational readiness
Research identifies several factors that enhance organisational readiness for incident reporting and broader cybersecurity resilience. Clear role definitions, recovery plans, and systematic learning from past incidents improve organisational resilience among small-to-medium enterprises (Neri, Niccolini and Martino, 2023; Falowo, Koshoedo and Ozer, 2023). These findings suggest that governance structures and organisational learning capabilities play crucial roles in building readiness.
Integration of security frameworks into governance, risk, and compliance tools and development of structured playbooks can support faster, more compliant reporting (Gurabi et al., 2024; Faruq, 2025; Odozor et al., 2025). However, small-to-medium enterprises face resource and skills barriers to adopting such sophisticated approaches. The cost of implementing comprehensive governance platforms, combined with the specialist expertise required for their effective operation, may place these solutions beyond the reach of resource-constrained organisations.
Incident response playbooks specifically designed for small-to-medium enterprises offer potential for improving readiness by providing structured guidance tailored to resource constraints (Odozor et al., 2025). Such playbooks can reduce reliance on specialist expertise by providing step-by-step procedures for incident detection, assessment, and reporting.
The role of external support, including industry associations, government guidance, and managed security service providers, emerges as potentially significant. Organisations unable to develop internal capabilities may benefit from accessing shared resources or outsourced services, although research on the effectiveness of such approaches within mid-sized enterprises remains limited.
Theoretical perspectives on compliance readiness
Understanding organisational readiness for regulatory compliance benefits from established theoretical frameworks. Institutional theory suggests that organisations respond to regulatory pressures through various mechanisms, including coercive compliance, mimetic adoption of peer practices, and normative adherence to professional standards (DiMaggio and Powell, 1983). Applied to cyber incident reporting, this theory suggests that enforcement actions, industry benchmarking, and professional guidance may all influence organisational behaviour.
Resource-based theory emphasises the importance of organisational resources and capabilities in achieving strategic objectives (Barney, 1991). From this perspective, gaps in mid-sized firm readiness reflect underlying resource constraints, including financial capital, human expertise, and technological infrastructure. Addressing readiness gaps therefore requires either building internal resources or accessing external resources through partnerships, outsourcing, or shared services.
Organisational resilience frameworks provide additional analytical lenses for understanding readiness (Duchek, 2020). These frameworks emphasise anticipation, coping, and adaptation capabilities, each of which relates to different aspects of incident reporting readiness. Anticipation capabilities enable early detection; coping capabilities support immediate response and reporting; adaptation capabilities facilitate learning and improvement following incidents.
Discussion
Interpreting the evidence on readiness gaps
The synthesised evidence presents a consistent picture of partial but uneven readiness among mid-sized firms for new cyber incident reporting requirements. This finding carries significant implications for regulatory objectives, organisational risk, and the broader digital ecosystem.
The moderate compliance levels observed in German NIS2-critical small-to-medium enterprises, despite Germany’s advanced economy and well-developed regulatory infrastructure, suggest that readiness challenges are not confined to less-developed contexts. Rather, these challenges appear to reflect structural characteristics of mid-sized organisations, including resource constraints, competing priorities, and limited specialist expertise.
The substantial variation in confidence levels based on organisational size within the small-to-medium enterprise category warrants particular attention. The finding that smaller firms report confidence levels as low as 20 out of 100 whilst larger firms report levels up to 100 suggests a possible threshold effect, wherein organisations below certain size or resource levels face qualitatively different challenges. This pattern has implications for regulatory design, as uniform requirements may impose disproportionate burdens on smaller entities within regulated categories.
The extremely low incident reporting rates observed in some contexts, exemplified by the 85 percent non-reporting rate among Nigerian small enterprises, raise fundamental questions about regulatory effectiveness. Regulations that organisations cannot or do not comply with fail to achieve their protective objectives and may create perverse incentives, including concealment of incidents to avoid perceived compliance failures.
Barriers to compliance: a multi-dimensional challenge
The barriers to incident reporting compliance identified in the literature operate across multiple dimensions: temporal, informational, technical, and organisational.
Temporal barriers relate to the compressed timelines mandated by regulations such as NIS2. The requirement to provide an early warning within 24 hours assumes that organisations can detect incidents rapidly, assess their significance, and communicate with authorities within this timeframe. For organisations lacking continuous monitoring capabilities or 24/7 security operations, these timelines may prove unachievable.
Informational barriers encompass both awareness of reporting requirements and knowledge of reporting procedures. The finding that substantial proportions of organisations do not know where or how to report incidents suggests that regulatory communication has not effectively reached all covered entities. This gap may reflect limitations in regulatory outreach, language barriers, or simple information overload among time-pressed managers.
Technical barriers include absence of appropriate detection and monitoring tools, lack of automated alerting capabilities, and insufficient technical expertise to assess incident significance. These barriers interact with temporal constraints, as manual detection and assessment processes require more time than automated alternatives.
Organisational barriers encompass resource constraints, competing priorities, and governance gaps. Mid-sized firms frequently lack dedicated cybersecurity personnel, instead relying on IT generalists or external providers who may not possess specialist incident response expertise. Additionally, absence of clear internal roles and responsibilities for incident response can delay decision-making when incidents occur.
Enablers of readiness: towards actionable pathways
The literature identifies several factors that can enhance readiness, suggesting actionable pathways for improvement. These enablers operate at organisational, sectoral, and regulatory levels.
At the organisational level, development of clear roles, recovery plans, and learning mechanisms emerges as foundational. Organisations that have documented their incident response procedures, assigned responsibilities, and established mechanisms for post-incident review demonstrate improved resilience. Importantly, these organisational capabilities do not necessarily require substantial financial investment, making them accessible to resource-constrained firms.
Integration of security frameworks into governance, risk, and compliance platforms offers efficiency benefits for organisations with sufficient scale and technical capability. Such integration enables automated compliance monitoring, streamlined reporting, and consistent application of security controls across organisational processes.
Structured playbooks designed specifically for small-to-medium enterprises represent a promising approach for organisations unable to implement comprehensive governance platforms. By providing step-by-step guidance tailored to resource constraints, these playbooks can reduce dependence on specialist expertise whilst ensuring consistent, compliant responses to incidents.
Automation technologies offer potential to address both temporal and resource barriers. Automated detection, alerting, and reporting capabilities can reduce the time and expertise required to meet reporting timelines. However, implementation of such technologies requires initial investment and ongoing maintenance, potentially creating barriers for the most resource-constrained organisations.
Implications for regulatory policy and design
The evidence on readiness gaps carries implications for regulatory policy and design. Regulations that impose requirements organisations cannot meet fail to achieve their protective objectives and may generate unintended consequences. Several design considerations emerge from the analysis.
First, proportionality in regulatory requirements deserves consideration. Size-based thresholds for compliance timelines or reporting detail might reduce burden on smaller entities whilst maintaining coverage of larger organisations with greater systemic importance. The European Union’s existing distinctions between essential and important entities under NIS2 provide a foundation, but additional granularity within categories might improve achievability.
Second, clarity in regulatory guidance appears essential. The finding that many organisations lack awareness of reporting channels suggests need for enhanced communication efforts. Clear, accessible guidance in multiple languages, distributed through channels that reach mid-sized enterprises, could address informational barriers.
Third, support for capability development warrants policy attention. Regulatory bodies might consider providing template playbooks, training resources, or subsidised access to compliance tools. Such support could help organisations develop readiness without requiring them to create capabilities from scratch.
Fourth, enforcement approaches might incorporate supportive elements alongside punitive measures. Recognising that many organisations face genuine capability gaps, enforcement strategies that provide opportunities for remediation and improvement might prove more effective than purely punitive approaches in building sector-wide readiness.
Addressing the objectives
Returning to the stated objectives, the analysis provides clear responses. Contemporary evidence demonstrates substantial gaps in readiness among mid-sized enterprises, with variation across organisational size and geographical context. Specific challenges include compressed timelines, unclear reporting mechanisms, and limited cybersecurity teams. Factors enhancing readiness include clear governance structures, structured playbooks, automation, and external support. The implications suggest need for multi-level interventions spanning organisational capability development, sectoral support mechanisms, and regulatory design refinement.
Conclusions
This dissertation has examined cyber incident reporting readiness among mid-sized firms, synthesising contemporary empirical evidence to assess preparedness for emerging regulatory requirements. The analysis reveals that many mid-sized firms, particularly smaller or resource-constrained organisations within this category, are not yet fully prepared for new, stricter cyber incident reporting expectations.
The evidence demonstrates consistent patterns across multiple jurisdictions, including the European Union, United States, and developing economies. Gaps in incident detection, formal response planning, and awareness of reporting procedures are widespread. Confidence in meeting mandated reporting timelines remains concerningly low, particularly among smaller enterprises. These findings suggest that without targeted intervention, significant compliance gaps will persist as new regulations take effect.
The research objectives established for this study have been systematically addressed. The synthesis of contemporary empirical evidence has characterised current readiness levels, identified specific challenges related to incident reporting obligations, examined factors influencing readiness, and analysed implications for regulatory compliance. The findings contribute to academic understanding of the intersection between cybersecurity governance, regulatory compliance, and organisational capacity.
The practical significance of these findings extends to multiple stakeholder groups. Organisational leaders in mid-sized firms should prioritise development of clear incident response procedures, role definitions, and learning mechanisms. Industry associations and sectoral bodies might develop shared resources, including playbooks and training materials, tailored to mid-sized enterprise constraints. Policymakers and regulators should consider proportionality in requirements, clarity in guidance, and supportive enforcement approaches.
Several avenues for future research emerge from this analysis. Longitudinal studies tracking readiness evolution as new regulations mature would provide valuable insights into compliance trajectories. Comparative research examining effectiveness of different support mechanisms could inform policy design. Investigation of automation technologies specifically designed for resource-constrained organisations might identify practical solutions for capability gaps. Additionally, research examining supply chain implications of mid-sized firm readiness could illuminate systemic risks arising from compliance gaps.
In conclusion, targeted guidance, automation technologies, and capacity-building initiatives emerge as critical to closing the readiness gap among mid-sized enterprises. As cyber threats continue to evolve and regulatory expectations strengthen, building organisational capabilities for incident detection, response, and reporting represents an urgent priority for organisations, sectors, and policymakers alike.
References
Aldabjan, A., Furnell, S., Carpent, X. and Papadaki, M., 2024. Cybersecurity incident response readiness in organisations. *Proceedings of the International Conference on Information Systems Security and Privacy*, pp. 262-269. https://doi.org/10.5220/0012487600003648
Barney, J., 1991. Firm resources and sustained competitive advantage. *Journal of Management*, 17(1), pp. 99-120.
Busetti, S. and Scanni, F., 2025. Evaluating incident reporting in cybersecurity: from threat detection to policy learning. *Government Information Quarterly*, 42, pp. 102000. https://doi.org/10.1016/j.giq.2024.102000
Clark, A. and Mujeye, S., 2025. A critical analysis of SME cybersecurity policies and practices. *Proceedings of the 2025 8th International Conference on Software Engineering and Information Management*. https://doi.org/10.1145/3725899.3725926
DiMaggio, P.J. and Powell, W.W., 1983. The iron cage revisited: institutional isomorphism and collective rationality in organizational fields. *American Sociological Review*, 48(2), pp. 147-160.
Duchek, S., 2020. Organizational resilience: a capability-based conceptualization. *Business Research*, 13(1), pp. 215-246.
Ebert, N., Schaltegger, T., Ambuehl, B., Geppert, T., Trammell, A., Knieps, M. and Zimmermann, V., 2025. Learning from safety science: designing incident reporting systems in cybersecurity. *Journal of Cybersecurity*, 11. https://doi.org/10.1093/cybsec/tyaf019
Egwuatu, O., 2025. Cybersecurity readiness in developing countries’ enterprises: a comparative multi-case analysis. *Magna Scientia Advanced Research and Reviews*. https://doi.org/10.30574/msarr.2025.15.1.0110
European Commission, 2022. *Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union*. Brussels: European Commission.
Falowo, O., Koshoedo, K. and Ozer, M., 2023. An assessment of capabilities required for effective cybersecurity incident management: a systematic literature review. *2023 International Conference on Data Security and Privacy Protection (DSPP)*, pp. 1-11. https://doi.org/10.1109/dspp58763.2023.10404318
Faruq, M., 2025. A meta-analysis of cybersecurity framework integration in GRC platforms: evidence from U.S. enterprise audits. *Journal of Sustainable Development and Policy*. https://doi.org/10.63125/kwhkmb57
Gurabi, M., Nitz, L., Bregar, A., Popanda, J., Siemers, C., Matzutt, R. and Mandal, A., 2024. Requirements for playbook-assisted cyber incident response, reporting and automation. *Digital Threats: Research and Practice*, 5, pp. 1-11. https://doi.org/10.1145/3688810
Ikuero, F. and Zeng, W., 2022. Improving cybersecurity incidents reporting in Nigeria: micro and small enterprises perspectives. *Nigerian Journal of Technology*. https://doi.org/10.4314/njt.v41i3.10
Joswig, T. and Kurz, W., 2025. Empirical analysis of NIS2 adoption in EU SMEs: challenges for critical infrastructure in Germany. *Journal of Next-Generation Research 5.0*. https://doi.org/10.70792/jngr5.0.v1i3.99
Neri, M., Niccolini, F. and Martino, L., 2023. Organizational cybersecurity readiness in the ICT sector: a quanti-qualitative assessment. *Information and Computer Security*, 32, pp. 38-52. https://doi.org/10.1108/ics-05-2023-0084
Odozor, L., Omini, L., Berko, S., Precious, U., Nitzan, Y. and Idowu, K., 2025. An incident response playbook guide for small and medium enterprises (SMEs). *International Journal of Scientific and Management Research*. https://doi.org/10.37502/ijsmr.2025.8712
Snyder, H., 2019. Literature review as a research methodology: an overview and guidelines. *Journal of Business Research*, 104, pp. 333-339.
U.S. Securities and Exchange Commission, 2023. *Cybersecurity risk management, strategy, governance, and incident disclosure*. Washington, DC: U.S. Securities and Exchange Commission.
