Brief № 040 · Strategy

Cyber skills need a role map, not a course list

The new EU Cybersecurity Skills Coalition helps SMEs only if the training choice starts with named operational roles.

By Iris Van Loon 4 min read Last verified

Wooden letter tiles spell cybersec on a table against a blurred green background.
Photo: wooden cybersec tiles - Markus Winkler, Unsplash
On this page
  1. The missing file is not a catalogue
  2. ENISA gives the vocabulary
  3. The SME version is six lines
  4. What to do before the first course

The EU has added another coordination layer to the cybersecurity labour problem. That is useful only if small firms translate it into jobs that must actually be done on Monday morning.

On 30 June 2026, the Commission and participating Member States launched the Cybersecurity Skills Coalition European Digital Infrastructure Consortium, or CSC-EDIC. Greece, Cyprus, Austria, Croatia and Slovenia are founding members, Athens will host the seat, and Czechia plus Poland start as observers. The announcement ties the new consortium to the Cybersecurity Skills Academy, which the Commission says has already helped generate 26 industry pledges and training for more than 900,000 cyber professionals.

The missing file is not a catalogue

The temptation for an SME is to treat the Academy as a shopping aisle: one course for phishing, one for cloud, one certificate for the IT manager, then a line in the board pack saying cyber skills are being handled. That is tidy. It is also backwards.

The coalition’s stated work is broader than a course catalogue. The Commission says it will develop tailored training programmes, measure cybersecurity skills gaps, support the Industry-Academia Network, work with ENISA, contribute to an EU-wide attestation scheme, design career pathways and micro-credentials, and engage industry partners through training pledges.

For a 40-person manufacturer, retailer, agency or software firm, the first useful artefact is smaller: a role map. It names the cybersecurity work the company needs before it names the training provider.

SME cyber jobMinimum internal ownerEvidence that it exists
Incident intakeOperations or IT leadOne inbox, one escalation route, one decision log
Supplier security checkProcurement ownerA short questionnaire and a refusal rule
Backup recovery testIT or managed service ownerLast restore test date and result
Vulnerability contactProduct or website ownerPublic contact path and triage rule
Access reviewFinance or operations ownerQuarterly list of privileged accounts
Staff drillTeam leadOne phishing or device-loss exercise per quarter

Source: ENISA ECSF role logic and Commission Cybersecurity Skills Academy materials. Last verified 2026-07-03.

ENISA gives the vocabulary

ENISA’s European Cybersecurity Skills Framework is not written for tiny teams, but it gives them a useful language. It summarises cybersecurity work into 12 role profiles, with responsibilities, skills, knowledge and interdependencies. An SME does not need 12 full-time roles. It does need to know which parts are internal, which parts sit with a managed service provider, and which parts are missing.

That distinction matters because the cyber market sells credentials more easily than responsibility. A staff member can complete a course and still have no authority to isolate a device, refuse a supplier, pause a deployment, or call legal after a data incident. The business has bought knowledge, but not an operating model.

The CSC-EDIC may make training easier to find and easier to compare. The Academy may make credentials more legible. Those are real improvements. They do not remove the need for a local map of who decides, who records, who calls, and who pays when an incident crosses from IT nuisance into business risk.

The SME version is six lines

The lazy, useful file is six lines long. For each recurring cyber task, write the owner, backup owner, external provider if any, evidence kept, review rhythm and next training need. That is enough to stop buying generic courses because a public programme exists.

The Academy’s recent pledges show why this matters. In March 2026, the Commission highlighted commitments that included training for SME professionals and cyber-hygiene support for European SMEs. Those offers are easier to use when a firm can say: we need one procurement person who can read a supplier security answer, not another general-awareness session for everyone.

The same applies to micro-credentials. A credential for a staff member who owns no process becomes a private career asset. A credential tied to incident intake, access review or supplier checks becomes business infrastructure.

What to do before the first course

Before spending money, write the role map and mark each line red, amber or green.

  • Red means nobody owns the task.
  • Amber means somebody owns it, but there is no evidence trail.
  • Green means the owner, evidence and review rhythm are clear.

Then buy the smallest training that turns one red line amber or one amber line green. A founder course may help a tiny firm. A technical course may help the person who manages the provider. A procurement course may be the best cyber spend if the firm buys connected products, cloud platforms or AI tooling. The point is to make the training answer a named operational gap.

The new European coalition is a useful signal because skills coordination is becoming part of digital sovereignty, not a soft HR sidebar. But for SMEs, the outcome should not be a framed certificate. It should be a working list of cyber jobs that no longer fall between people.

Frequently asked questions

Does the new coalition train SMEs directly?

Not by itself. The Commission says the CSC-EDIC will support the Cybersecurity Skills Academy by coordinating programmes, measuring gaps, supporting micro-credentials and engaging industry partners.

What should an SME do first?

Map the cyber work it already has: incident owner, supplier checker, backup tester, vulnerability contact, access reviewer and staff-training owner. Then buy training against the missing role.

Is a certification enough?

No. Certification can be useful evidence, but the business still needs named responsibilities, time allocation, escalation paths and supplier handover rules.

Sources

  1. Official Cybersecurity Skills Coalition EDIC set to champion and support the EU Cybersecurity Skills Academy European Commission, Shaping Europe's digital future accessed
  2. Primary Commission Implementing Decision (EU) 2026/1416 setting up the Cybersecurity Skills Coalition EDIC EUR-Lex accessed
  3. Official Cybersecurity Skills Academy Digital Skills and Jobs Platform accessed
  4. Official European Cybersecurity Skills Framework (ECSF) ENISA accessed
  5. Official New commitments for the Cybersecurity Skills Academy announced at Forum InCyber 2026 European Commission, Shaping Europe's digital future accessed

Image credit: Photo: wooden cybersec tiles - Markus Winkler, Unsplash

Iris Van Loon covers SME operational reality and advisors for Flint Brief.

Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).

Stay in the loop

Now and then, a concrete take on internal tools and practical AI for SMEs. No spam.