The market and regulatory picture
Network access control didn't suddenly become important. The world around it changed.
Regulation is being enforced. Cyber insurers are asking harder questions. Customers are demanding proof from their suppliers.
For SMEs, controlling and proving who and what connects to the network is becoming a business requirement.
Three forces converged in the last eighteen months
Regulation caught up. NIS2 is now law across most of the EU, with audits underway and enforcement active. Even if you're not directly in scope, your customers are, and they're pushing requirements down their supply chain.
Insurance got serious. Cyber-insurance applications now look like technical audits. Industry analysts report that around 41% of applications are denied on first submission, with missing MFA and inadequate endpoint protection as the top two reasons [1], and network segmentation is now a baseline control alongside MFA and endpoint protection.
Attackers changed strategy. SMEs aren't overlooked. They're targeted. Smaller, less-defended networks connected to larger organisations are now the easiest path to high-value breaches.
The rest of this page explains how that affects you in practice.
What changed in the regulatory environment
NIS2 is now being enforced
NIS2 came into force in 2023, with an EU-wide transposition deadline of 17 October 2024. By April 2026, the majority of EU member states have completed transposition into national law, and the European Commission has launched infringement proceedings against the laggards [2].
This isn't theoretical anymore:
- 22 of 27 member states have completed NIS2 transposition. Enforcement is active in Germany, France and the Netherlands. Regulators are auditing, and fines are being applied [3].
- The first EU-wide compliance audit deadline has been set for 30 June 2026 [4].
- Belgium set the first conformity-assessment deadline at 18 April 2026, with the Netherlands days behind [3].
For a live country-by-country picture, the European Commission's NIS2 transposition tracker and the ECSO Transposition Tracker are the two authoritative sources.
But the detail that matters most for SMEs isn't the headline. It's the supply-chain requirement.
The supply-chain effect
NIS2 Article 21 requires in-scope organisations to manage cybersecurity risk across their suppliers. In practice, that means your customers are being audited, they are passing those requirements down to you, and procurement questionnaires are becoming security assessments.
The EU has reinforced this by adopting the ICT Supply Chain Security Toolbox through the NIS Cooperation Group, which gives member states a common methodology for assessing and mitigating supply-chain cyber risk.
You may not be directly regulated. You are still being evaluated as if you were. For many SMEs, the audit doesn't come from a regulator. It comes from a customer.
What this means in plain English
If you have 50+ employees or €10m+ turnover in a covered sector, you are directly in scope. If you supply an in-scope organisation, you are indirectly in scope.
Either way, you will be asked:
- Do you control who connects to your network?
- Do you segment devices by trust level?
- Can you show logs of access decisions?
"Not really" is no longer an acceptable answer.
DORA, briefly
The Digital Operational Resilience Act (DORA) applies similar requirements specifically to the financial sector and its ICT providers. It has been in full application since 17 January 2025. Different regulation, same outcome: your network controls are now part of someone else's compliance boundary.
What changed in the insurance market
For many SMEs, this is where NAC becomes real.
Cyber insurance used to be simple. Fill in a form, pay a premium, get coverage. That's over. Today, applications are assessed like audits, external scans validate your answers, and claims are investigated against what you declared.
Two critical changes
1. The questionnaire is now an audit.
Insurers don't just ask. They verify. After a breach, forensic firms check your controls, and mismatches can invalidate claims. In 2019, you could get a cyber insurance policy by filling out a 10-question application and writing a check. In 2026, underwriters are deploying their own security scanners against your external attack surface, requiring evidence of specific technical controls and writing coverage exclusions that invalidate claims if you misrepresented your security posture [5].
The result is visible at both ends of the process. Industry analysts tracking carrier behaviour through 2026 report that 41% of applications are denied on first submission, with missing MFA and inadequate endpoint protection as the top two reasons [1]. And once a policy is in place, Coalition's own claims data shows that 82% of denied claims involved organisations without fully implemented MFA. A close second is misrepresentation: answering "yes" to a control that was only partially in place [6].
If you said you had controls and didn't, coverage can be denied.
2. Network segmentation is now a baseline requirement.
Modern underwriting expects MFA, endpoint protection, backups and network segmentation. Network segmentation between critical systems and the general network appears alongside MFA and EDR on application forms from major carriers including Coalition, Corvus, At-Bay, Beazley, Chubb, AIG, Hartford, Travelers and others [5].
Flat networks are now understood as a major risk factor: one compromised device leads to full network access, which leads to a ransomware event. The reality for most SMEs is that printers, IoT devices and laptops share the same VLAN, access is not controlled and visibility is limited. That now has a direct impact on premiums, coverage and approval rates.
For many businesses, the insurance renewal is the first time NAC becomes unavoidable.
We are not your auditor
We don't make you compliant by default. What Arbiter provides are the building blocks that regulators, insurers and customers are now asking for.
Control every connection
Know which devices are accessing your network and enforce who gets access.
Verify device identity
Certificate-based authentication using 802.1X and EAP-TLS.
Prove security controls
Session-level logs and policy evidence for audits, insurers and customers.
This is where NAC stops being theory and becomes something you can actually show to an auditor, an insurer or a customer.
What changed in the threat landscape
Attackers adapted faster than defenders.
Enterprises spent years hardening their networks: access control, segmentation, monitoring. So attackers changed approach. They stopped going through the front door. They started going through the supplier.
Why SMEs are now the target
Smaller networks are easier to compromise. Security controls are often incomplete. And they provide access into larger organisations.
This isn't speculation. It's reflected in the market. Per Grand View Research, the SMEs segment is expected to grow at the highest CAGR of 27.8% during the forecast period. Small and medium enterprises are emerging as the easiest and most valuable target for cybercriminals due to the lack of adoption of security solutions, accessible to-comprisable networks and lack of technological knowledge and infrastructures [7].
The defensive market is catching up to where the offensive market already moved. The mechanics are simple:
- Compromise a smaller network
- Move laterally (a flat network helps)
- Use that access to reach higher-value targets
NAC exists to break that chain.
Where NAC actually fits
NAC isn't a silver bullet. It doesn't make you compliant on its own. It doesn't replace endpoint security or user training.
What it does is enforce one fundamental rule: nothing connects to your network without being identified and controlled.
In practice, that means devices must authenticate before access, access is segmented based on identity and type, and every decision is logged and auditable. This is why NAC keeps appearing in regulatory frameworks, insurance requirements and security best practices.
It turns network access from "whoever plugs in gets on" into "access is controlled, enforced and provable."
Most SMEs don't adopt NAC because they want to
They adopt it because a customer asks, an insurer requires it or a breach makes it unavoidable.
The earlier you implement it, the less painful that moment is.
Stop answering "we don't really do NAC" on procurement and insurance forms.
Start controlling and proving access instead.
References
1. 2026 cyber insurance requirements: application denial rate analysis. bsgtech.com/cyber-insurance-requirements-for-businesses-in-2026
2. European Commission: NIS2 Directive overview, Shaping Europe's digital future. digital-strategy.ec.europa.eu/en/policies/nis2-directive
3. NIS2 transposition status (April 2026). passwork.pro/blog/nis2-latest-news-april-2026
4. ECSO NIS2 Directive Transposition Tracker. ecs-org.eu/activities/nis2-directive-transposition-tracker
5. Cyber Insurance Requirements 2026: control mapping across major carriers. securebin.ai/blog/cyber-insurance-requirements-2026
6. Coalition: 2025 Cyber Claims Report (covering 2024 claims data). coalitioninc.com/announcements/2025-cyber-claims-report
7. Grand View Research: Network Access Control Market Size & Share Report, 2030. grandviewresearch.com/industry-analysis/network-access-control-market
Additional reading: European Commission NIS2 country-by-country tracker · DORA (EIOPA) · RFC 2865: RADIUS
Last updated May 2026. For questions about this page, contact hello@arbiter.ie.