Micro and small enterprises (SMEs) remain structurally vulnerable to cyber threats while facing capacity constraints that make formal compliance burdensome. This article develops a governance design model for proportionate SME cybersecurity, grounded in an awareness-first logic and informed by the EU Squad 2025 experience. Using a qualitative policy-analysis and conceptual policy-design approach, we reconstruct a seven-dimension preventive architecture: awareness and visibility, human behaviour, access control, system hygiene, data protection, detection and response, and continuous review, and justify each dimension's contribution to proportionality and risk reduction. We then map the model's regulatory scope and limits against the NIS2 Directive, Commission Implementing Regulation (EU) 2024/2690, the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA), and the EU Action Plan on Cybersecurity for Hospitals, clarifying which obligations are supported and which require complementary governance (e.g. role accountability, incident timelines, statements of applicability, sector-specific testing and procurement). The analysis argues that raising awareness is the fastest, scalable lever to increase cyber-risk sensitivity in micro-SMEs and complements, rather than replaces, formal compliance. We conclude with policy implications for EU and national programmes seeking practical, proportionate pathways to SME cyber resilience under NIS2.

翻译：微型与小型企业（SMEs）在结构上仍易受网络威胁，同时面临能力限制，使得正式合规负担沉重。本文基于意识优先的逻辑，并借鉴欧盟Squad 2025的经验，开发了一个面向适度SME网络安全的治理设计模型。通过定性政策分析和概念性政策设计方法，我们重构了一个七维预防架构：意识与可见性、人类行为、访问控制、系统卫生、数据保护、检测与响应以及持续审查，并论证了每个维度对适度性和风险降低的贡献。随后，我们将模型的监管范围与限制映射至NIS2指令、欧盟委员会实施条例(EU) 2024/2690、《数字运营韧性法案》（DORA）、《网络韧性法案》（CRA）以及《欧盟医院网络安全行动计划》，明确了哪些义务得到支持，哪些需要补充治理（例如角色问责、事件时间线、适用性声明、特定行业测试与采购）。分析认为，提高意识是提升微型SME网络风险敏感度最快、可扩展的杠杆，它补充而非取代正式合规。最后，我们总结了政策含义，为欧盟及各国项目在NIS2下寻求实用、适度的SME网络韧性路径提供参考。