SME Integration Into a Cyber-Security Cluster Without Bureaucracy

On-boarding a 12-person metal-bending shop and making it NIS2-compliant in 90 days.

Mansfeld-Südharz, Germany - October 11, 2025

A field manual that fits into a single A4 folder and assumes the managing director still keeps invoices in a shoebox

The phrase “SME integration” usually summons visions of 47-page self-assessment spreadsheets and consultants who bill by the syllable. We threw that playbook into the brown bin and replaced it with a single A4 sheet that asks four questions: How many PCs do you own? Which machine talks to the internet? Who signs the invoice when the internet is down? And do you want coffee or cocoa during the site visit? The entire on-boarding takes 90 days, costs less than the company’s annual coffee budget, and satisfies the parts of NIS2 that reach a 12-person metal-bending shop at all. A firm that size sits below the directive’s own size thresholds; what it actually has to show is the supply-chain evidence its larger, in-scope customers pass down, and it only went digital in the first place because those customers stopped sending faxes. The shop in question, Schmidt & Söhne in Sandersleben, became the template for 63 similar firms across the county, and none of them has yet asked for a refund.

Day 1 is the “coffee audit.” A single engineer from the Alliance visits the shop floor at 7 a.m., accepts whichever beverage the managing director offers, and asks to see the one PC that “sometimes receives drawings by email.” The engineer does not open a laptop; he photographs the cables, notes the Windows version from the sticker, and counts how many steps it takes to walk from the machine to the router. The distance is written on the A4 sheet and signed by both parties. That signature is the only document the firm will be asked to produce until day 90. The audit is over in 42 minutes, short enough that no one feels inspected and long enough to spot the two classic sins: the PC runs Windows 7, which has received no security updates from Microsoft since January 2020 (paid extended updates ended in 2023), and the router still carries the manufacturer’s default password. Those sins are not scolded; they are simply circled in red pencil, because red is the colour everyone understands.

Days 2 to 30 are the “shadow month.” The Alliance ships a pre-configured edge gateway the size of a paperback, pre-paid 4G modem included. The device is not put into the path of production traffic; it sits on the desk, powered from the same multi-plug that feeds the desk lamp, and for four weeks only watches a mirror of the shop’s traffic. What leaves the building is flow metadata (which address talked to which, on which port, when, and how many bytes), never the content of an email or a drawing, and it travels over the gateway’s own 4G link to the shared SOC. No agent is installed on the PC, no settings are changed, and the factory manager is explicitly told to keep using the old router for daily work. The goal is to map which external addresses the CNC controller phones home to, at which times of day traffic peaks, and which ports the old router leaves reachable from the internet. The shadow month proves to the firm that monitoring can occur without touching production, a reassurance that is worth more than any certificate. When the SOC sees something the baseline does not explain (say, an address in Shanghai knocking on the router’s login page at 3 a.m.), the analyst calls the managing director on his mobile, speaks plain German, and asks only one question: “Did you expect anyone in China this morning?” If the answer is no, the address goes onto the gateway’s block list and the incident is closed. One caveat belongs here: a mirror can see but cannot stop, so until the gateway goes inline on day 31 that block is a recorded decision rather than an enforced one, which is also why the swap month cannot be postponed. The first such call usually happens on day 18, and it is followed by a text message that says “Seen and handled. No action needed.” That message is the moment the firm realises someone else is watching the gate while they bend metal.

Days 31 to 60 are the “swap month.” The gateway is now inserted inline, but only after the firm has received a replacement router that arrives with current firmware and a unique administrator password already set, so the default-password finding from day 1 is closed before anything starts depending on that router. The swap is performed by the same engineer who drank coffee on day 1, takes 23 minutes, and is scheduled during the lunch break so that no production minute is lost. The PC is still Windows 7 and still unpatched; what changes is its exposure. It no longer faces the internet directly; it sits behind a NAT layer that refuses every unsolicited inbound connection and logs every outbound one. If the CNC controller needs to fetch a tool-path update, the gateway whitelists the vendor’s IP range and blocks everything else, in both directions. The firm does not manage the whitelist; the Alliance does, because the goal is to relieve the owner, not to recruit him into IT administration. During the swap month the SOC issues a weekly one-page report that contains only three numbers: connection attempts blocked, legitimate connections allowed, and hours the gateway was offline (usually zero). The first number counts blocked attempts, most of them automated scanners that probe every address on the internet, so it measures exposure rather than targeted attackers. The report is printed and pinned next to the coffee machine, where it becomes a conversation piece among shift workers who have never seen a firewall but who now brag that “our box stopped 47 Russians this week.”
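The two gateway modes described above, the passive baseline of the shadow month and the default-deny whitelist of the swap month, expressed in Python as an added example. This is not code from CypSec or the Alliance; the flow-record format, the private addresses, the vendor range, the mail host and the working-hours window are assumptions, and every record is constructed. The external addresses come from the RFC 5737 documentation ranges, with 192.0.2.77 standing in for the address in Shanghai from the story.

```python
"""Shadow-month baseline and swap-month allow-list over constructed flow records.
Added example (not CypSec's or the Alliance's code); addresses, record format and
working hours are assumptions. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
RFC 5737 documentation ranges; 192.0.2.77 stands in for the Shanghai address."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed records: "<ISO timestamp> <in|out> <src> <dst> <dport>", "out" = shop to
# internet. 192.168.178.1 is the old router, .20 the CNC controller, .21 the drawings PC.
SHADOW_MONTH = """\
2025-07-01T06:31:00 out 192.168.178.20 203.0.113.10 443
2025-07-01T08:02:00 out 192.168.178.21 198.51.100.5 993
2025-07-02T12:01:00 out 192.168.178.20 203.0.113.11 443
2025-07-03T06:30:00 out 192.168.178.20 203.0.113.10 443
2025-07-03T09:45:00 out 192.168.178.21 198.51.100.5 993
"""
DAY_18 = """\
2025-07-18T03:02:00 in 192.0.2.77 192.168.178.1 80
2025-07-18T03:02:30 in 192.0.2.77 192.168.178.1 80
2025-07-18T06:30:00 out 192.168.178.20 203.0.113.10 443
2025-07-18T10:10:00 out 192.168.178.21 198.51.100.5 993
"""
SWAP_WEEK = """\
2025-08-04T06:30:00 out 192.168.178.20 203.0.113.10 443
2025-08-04T07:12:00 out 192.168.178.21 198.51.100.5 993
2025-08-04T11:40:00 out 192.168.178.21 192.0.2.200 80
2025-08-05T03:10:00 in 192.0.2.77 192.168.178.1 80
2025-08-05T06:30:00 out 192.168.178.20 203.0.113.10 443
2025-08-06T22:15:00 in 192.0.2.91 192.168.178.20 445
"""

@dataclass(frozen=True)
class Flow:
    ts: datetime
    direction: str  # "in" (internet to shop) or "out" (shop to internet)
    src: str
    dst: str
    dport: int

def parse_flows(text):
    """Turn the constructed record lines into Flow objects."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, direction, src, dst, dport = line.split()
            flows.append(Flow(datetime.fromisoformat(ts), direction, src, dst, int(dport)))
    return flows

def remote_peer(f):
    """Internet-side end of a flow, keyed with direction and port."""
    return (f.direction, f.src if f.direction == "in" else f.dst, f.dport)

def working_hours(ts):
    """Assumed shop hours: Monday to Friday, 06:00 to 18:00."""
    return ts.weekday() < 5 and 6 <= ts.hour < 18

def build_baseline(flows):
    """Shadow month: which external peers the shop talks to, and at which hours."""
    return {"peers": {remote_peer(f) for f in flows},
            "hours": Counter(f.ts.hour for f in flows)}

def find_anomalies(flows, baseline):
    """Everything the baseline does not explain, grouped by peer: one call per peer."""
    findings = {}
    for f in flows:
        reasons = []
        if remote_peer(f) not in baseline["peers"]:
            reasons.append("peer not seen in shadow month")
        if not working_hours(f.ts):
            reasons.append("outside working hours")
        if reasons:
            entry = findings.setdefault(remote_peer(f),
                                        {"first_seen": f.ts, "count": 0, "reasons": set()})
            entry["count"] += 1
            entry["reasons"].update(reasons)
    return findings

# Swap month: the whitelist the Alliance maintains (assumed entries).
EGRESS_ALLOW = [(ip_network("203.0.113.0/24"), 443),   # CNC vendor update service
                (ip_network("198.51.100.5/32"), 993)]  # mail host the PC fetches drawings from

def decide(f, allow=EGRESS_ALLOW):
    """Default deny in both directions; only listed outbound peers pass."""
    if f.direction == "in":
        return "block"  # nothing unsolicited reaches the PC or the CNC controller
    return "allow" if any(ip_address(f.dst) in net and f.dport == port
                          for net, port in allow) else "block"

def weekly_report(flows, heartbeats_seen, allow=EGRESS_ALLOW):
    """The three numbers on the coffee-machine report; heartbeats_seen counts the
    hourly check-ins the SOC received from the gateway that week."""
    verdicts = Counter(decide(f, allow) for f in flows)
    return {"blocked": verdicts["block"], "allowed": verdicts["allow"],
            "hours_offline": 24 * 7 - heartbeats_seen}

if __name__ == "__main__":
    calls = find_anomalies(parse_flows(DAY_18), build_baseline(parse_flows(SHADOW_MONTH)))
    print(calls, weekly_report(parse_flows(SWAP_WEEK), heartbeats_seen=168))
```

Two design points carry over from the text. Anomalies are grouped by peer, not per connection, so the day-18 burst from one address produces one phone call, not a pager storm. And the swap-week policy blocks the PC’s outbound web request to an unlisted address just as it blocks the inbound probes, which is what “blocks everything else” means in practice: a PC that is also used for browsing needs a broader rule than the drawings-by-email PC in the story, and the blocked count reports attempts, not attackers.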

"If it takes longer than a coffee break, we have already lost the SME."

Days 61 to 90 are the “paperwork month,” but the paper is pre-completed. The Alliance maintains a master NIS2 compliance folder that is 90 % identical for every micro-factory: asset inventory, access-control matrix, incident-response checklist, business-continuity plan. The only bespoke section is the page that lists the firm’s name and the serial numbers of its two machines. That page is filled in during the coffee audit and is never shown to the firm again unless an auditor asks. The managing director is asked to sign two documents: a one-page membership agreement that makes him part of the Alliance federation, and a two-page data-processing addendum that allows the SOC to retain logs for 90 days. Both documents are written in 14-point font and contain no footnotes. The signature ceremony takes place at the same desk where the firm signs supplier contracts, reinforcing the psychological message that cyber is just another utility, not a regulatory ambush. The moment the ink dries, the firm receives a sticker that says “NIS2-ready” and is encouraged to place it on the front door. The sticker is meaningless in court but priceless in marketing: the firm’s largest customer, a Dutch tractor maker, has started to demand proof of cyber maturity before issuing purchase orders. The sticker is the proof, and it costs nothing to display.

The entire out-of-pocket cost to the firm is €1 200 per year, payable in monthly instalments of €100, which is less than the firm spends on coffee and far less than the €4 800 it once paid to a Hanover consultant who delivered a 63-page report that no one read. The €1 200 covers the gateway hardware, 4G failover, SOC monitoring, and the engineer’s annual coffee consumption. There is no setup fee, no cancellation penalty, and no upgrade path—because the gateway auto-updates over the same 4G link. If the firm doubles its staff or buys a second CNC line, the Alliance simply ships another gateway and adds €50 a month. The pricing is intentionally subscription-based because subscriptions feel like electricity, not like capital expenditure, and SMEs treat electricity as the cost of keeping the lights on. The moment cyber feels like electricity, it stops being optional.

After 90 days the firm is not merely connected; it has someone to call. The Alliance signs a supplemental deed that grants the firm access to the county’s incident-response team if a breach ever escalates beyond the gateway’s ability to contain. The deed is one page long and is countersigned by the county’s chief administrative officer, giving the firm the same emergency hotline that protects the county’s own wastewater plant. The psychological effect is immediate: the managing director now knows that if ransomware ever locks the tool-path library, he can call a number that is answered by someone who already knows his network layout, holds 90 days of the gateway’s flow logs, and can dispatch a recovery truck within 45 minutes. That knowledge is the real product; the gateway is just the delivery vehicle. And because the knowledge is shared among 63 similar firms, it is amortised across enough payrolls to stay affordable for a 12-person shop that still keeps invoices in a shoebox under the desk.

The template is now so standardised that the Alliance can onboard a new SME every three business days. The coffee audit is scheduled for 7 a.m., the gateway ships by courier at noon, and the sticker is on the door before the next payroll run. No lawyer is hired, no procurement department is involved, and no board resolution is passed because the annual fee is below the €5 000 threshold that triggers internal approval. The only ritual left is the coffee itself, now served in a mug that carries the Alliance logo and is left on the desk as a permanent reminder that cybersecurity tastes like breakfast, not like bureaucracy.

The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
