Brief № 040 · Strategy
Cyber skills need a role map, not a course list
The new EU Cybersecurity Skills Coalition helps SMEs only if the training choice starts with named operational roles.
On this page
The EU has added another coordination layer to the cybersecurity labour problem. That is useful only if small firms translate it into jobs that must actually be done on Monday morning.
On 30 June 2026, the Commission and participating Member States launched the Cybersecurity Skills Coalition European Digital Infrastructure Consortium, or CSC-EDIC. Greece, Cyprus, Austria, Croatia and Slovenia are founding members, Athens will host the seat, and Czechia plus Poland start as observers. The announcement ties the new consortium to the Cybersecurity Skills Academy, which the Commission says has already helped generate 26 industry pledges and training for more than 900,000 cyber professionals.
The missing file is not a catalogue
The temptation for an SME is to treat the Academy as a shopping aisle: one course for phishing, one for cloud, one certificate for the IT manager, then a line in the board pack saying cyber skills are being handled. That is tidy. It is also backwards.
The coalition’s stated work is broader than a course catalogue. The Commission says it will develop tailored training programmes, measure cybersecurity skills gaps, support the Industry-Academia Network, work with ENISA, contribute to an EU-wide attestation scheme, design career pathways and micro-credentials, and engage industry partners through training pledges.
For a 40-person manufacturer, retailer, agency or software firm, the first useful artefact is smaller: a role map. It names the cybersecurity work the company needs before it names the training provider.
| SME cyber job | Minimum internal owner | Evidence that it exists |
|---|---|---|
| Incident intake | Operations or IT lead | One inbox, one escalation route, one decision log |
| Supplier security check | Procurement owner | A short questionnaire and a refusal rule |
| Backup recovery test | IT or managed service owner | Last restore test date and result |
| Vulnerability contact | Product or website owner | Public contact path and triage rule |
| Access review | Finance or operations owner | Quarterly list of privileged accounts |
| Staff drill | Team lead | One phishing or device-loss exercise per quarter |
Source: ENISA ECSF role logic and Commission Cybersecurity Skills Academy materials. Last verified 2026-07-03.
ENISA gives the vocabulary
ENISA’s European Cybersecurity Skills Framework is not written for tiny teams, but it gives them a useful language. It summarises cybersecurity work into 12 role profiles, with responsibilities, skills, knowledge and interdependencies. An SME does not need 12 full-time roles. It does need to know which parts are internal, which parts sit with a managed service provider, and which parts are missing.
That distinction matters because the cyber market sells credentials more easily than responsibility. A staff member can complete a course and still have no authority to isolate a device, refuse a supplier, pause a deployment, or call legal after a data incident. The business has bought knowledge, but not an operating model.
The CSC-EDIC may make training easier to find and easier to compare. The Academy may make credentials more legible. Those are real improvements. They do not remove the need for a local map of who decides, who records, who calls, and who pays when an incident crosses from IT nuisance into business risk.
The SME version is six lines
The lazy, useful file is six lines long. For each recurring cyber task, write the owner, backup owner, external provider if any, evidence kept, review rhythm and next training need. That is enough to stop buying generic courses because a public programme exists.
The Academy’s recent pledges show why this matters. In March 2026, the Commission highlighted commitments that included training for SME professionals and cyber-hygiene support for European SMEs. Those offers are easier to use when a firm can say: we need one procurement person who can read a supplier security answer, not another general-awareness session for everyone.
The same applies to micro-credentials. A credential for a staff member who owns no process becomes a private career asset. A credential tied to incident intake, access review or supplier checks becomes business infrastructure.
What to do before the first course
Before spending money, write the role map and mark each line red, amber or green.
- Red means nobody owns the task.
- Amber means somebody owns it, but there is no evidence trail.
- Green means the owner, evidence and review rhythm are clear.
Then buy the smallest training that turns one red line amber or one amber line green. A founder course may help a tiny firm. A technical course may help the person who manages the provider. A procurement course may be the best cyber spend if the firm buys connected products, cloud platforms or AI tooling. The point is to make the training answer a named operational gap.
The new European coalition is a useful signal because skills coordination is becoming part of digital sovereignty, not a soft HR sidebar. But for SMEs, the outcome should not be a framed certificate. It should be a working list of cyber jobs that no longer fall between people.
Frequently asked questions
Does the new coalition train SMEs directly?
Not by itself. The Commission says the CSC-EDIC will support the Cybersecurity Skills Academy by coordinating programmes, measuring gaps, supporting micro-credentials and engaging industry partners.
What should an SME do first?
Map the cyber work it already has: incident owner, supplier checker, backup tester, vulnerability contact, access reviewer and staff-training owner. Then buy training against the missing role.
Is a certification enough?
No. Certification can be useful evidence, but the business still needs named responsibilities, time allocation, escalation paths and supplier handover rules.
Sources
- Official Cybersecurity Skills Coalition EDIC set to champion and support the EU Cybersecurity Skills Academy European Commission, Shaping Europe's digital future accessed
- Primary Commission Implementing Decision (EU) 2026/1416 setting up the Cybersecurity Skills Coalition EDIC EUR-Lex accessed
- Official Cybersecurity Skills Academy Digital Skills and Jobs Platform accessed
- Official European Cybersecurity Skills Framework (ECSF) ENISA accessed
- Official New commitments for the Cybersecurity Skills Academy announced at Forum InCyber 2026 European Commission, Shaping Europe's digital future accessed
Image credit: Photo: wooden cybersec tiles - Markus Winkler, Unsplash
Iris Van Loon covers SME operational reality and advisors for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).