The awareness of Italian SMEs on cyber risks is growing, but is still far from fully adequate levels. This is what emerges from the SME Cyber Index 2025, the index measuring the level of maturity and preparedness of Italian SMEs in digital risk management.

The report, sponsored by Confindustria e Generali, with the scientific contribution of Digital Innovation Observatories of the Politecnico di Milano and the institutional partnership of the’National Cybersecurity Agency, It monitors over time the ability of companies to govern cyber risk through strategies, organisational processes and operational tools.

According to the latest survey data, the average awareness level of Italian SMEs reaches 55 points out of 100, up three points by 2024 but still below the sufficiency threshold set at 60. The report is based on a sample of over 1,500 companies, offering an up-to-date snapshot of the cyber maturity of the Italian production system.

Cybersecurity in SMEs: growing awareness but below the threshold of sufficiency

The SME Cyber Index analysis shows a strong polarisation in the level of preparedness of Italian companies. Alongside a core of companies that are more structured and aware of digital risks, there remains a large share of SMEs that do not yet have the necessary tools to effectively manage cyber security.

Only 16% of SMEs have an adequate security posture

The report highlights how only 16% of Italian SMEs can be considered “mature”.” in IT security management, i.e. capable of taking a strategic approach and implementing effective tools to protect data and digital infrastructure.

The majority of companies are still in intermediate levels of maturity. The SME 32% can be described as “aware“, with a good understanding of risks but still limited operational capabilities, while the 38% falls into the category of “inform“characterised by a still unstructured approach to IT security. Finally, there remains a 14% share of “beginners”with little awareness of cyber risks and an almost total absence of protective measures.

On a positive note, for the first time, mature companies outnumber beginners, a sign of a progressive improvement in the spread of digital security culture among SMEs.

Cyber strategy improving, but implementation remains critical

The index is based on three main dimensions: strategic approach, risk identification and implementation of security measures. Of these, the most advanced component concerns the strategy, which reaches a average score of 62 out of 100, exceeding the sufficiency threshold due to an increased focus on risk governance and investment planning by companies.

On the other hand, critical issues remain in the later stages of the process. The ability to identify cyber risks stops at 47 out of 100, while the dimension implementation of operational measures reaches 57 out of 100, indicating that many SMEs still struggle to translate strategic awareness into concrete protection tools.

Cybersecurity and competitiveness: the challenge for the SME system

The report highlights how IT security is becoming increasingly central to the competitiveness of companies. Over the past three years almost one in four SMEs suffered a cyber breach, a sign of a growing risk environment fuelled by digital transformation and evolving cyber threats.

Fausto Bianchi, President of Piccola Industria Confindustria, said: “If we want Italian SMEs to close the productivity gap with their main European partners, digital transformation is a necessary step. Digitising without protecting oneself, however, exposes companies to real risks: today, those who do not guarantee minimum IT security standards risk being excluded from production chains. Confindustria is working on several fronts: we dialogue with national and European institutions for the effective adoption of binding regulations such as NIS2 and the Cyber Resilience Act, and we inform SMEs about the funds and facilities available for security. Supporting small businesses on this path is not only a priority of Piccola Industria, but an essential condition for the competitiveness of the entire country system”.

Pietro Labriola, Confindustria President's Delegate for Digital Transition, he added: “European digital sovereignty is also built through the daily choices of companies. We need more transparency along the technology supply chain, minimum security requirements in contracts and procurement criteria that value verifiable, reliable and resilient solutions. It is a question of industrial trust and technological autonomy. In this context, cybersecurity becomes a strategic lever for competitiveness and a fundamental garrison of economic and national security. This is why Italy must focus on clear and stable rules, on incentives that guide investments and on a public-private collaboration model capable of strengthening and protecting the entire production ecosystem. The SME Cyber Index shows that awareness is growing, but the quantum leap comes from execution through governance, risk management and skills. As Confindustria, we want to accompany companies along this path with operational tools, reference standards, and concrete initiatives that make security accessible to the entire production system, especially the smallest realities”.

The role of cyber risk prevention and management

According to Barbara Lucini, Head of Country Sustainability & Social Responsibility of Generali Italy, the growing exposure of companies to digital threats makes it increasingly necessary to strengthen prevention tools and response capabilities. “Italian small and medium-sized enterprises represent an essential component of the country's economic and social fabric: supporting their ability to face the challenges linked to technological transformation means strengthening the solidity and continuity of the production system in the long term,” Lucini explains. “In this context, Generali interprets its role as a Partner of the Country as a concrete commitment to support businesses, not only through insurance solutions, but also by fostering awareness, prevention and responsiveness to digital threats. With the Cyber Index PMI we provide expertise, experience and tools to help companies understand their exposure, manage the risks linked to digital operations and integrate prevention, protection and insurance coverage in a responsible and long-term oriented approach”.