Cybersecurity in Moldova’s SMEs: findings from a national survey

News July 16, 2025

Cybersecurity is vital for the stability, reputation, and competitiveness of any business today. For Moldova’s small and medium-sized enterprises (SMEs), strengthening cybersecurity is an essential part of building a modern, resilient economy.

To support this goal, the e-Governance Academy, in collaboration with Magenta Consulting, conducted a nationwide study in May and June 2025 to understand better how Moldovan SMEs perceive and address cybersecurity risks. The survey covered 363 SMEs from across Moldova, with respondents typically being owners, general managers, or accountants, offering a direct view into business decision-making.

Awareness is high, but practice lags behind

The main sectors surveyed—from transportation and storage to other service activities—showed clear differences in cybersecurity awareness. Industries like information and communication, financial and insurance activities, and health and social care likely had higher awareness because they rely heavily on technology, handle sensitive data, and face strict regulations. On the other hand, sectors such as accommodation and food services, arts, entertainment, and recreation activities, and other service activities probably had lower awareness. This may be due to less perceived risk, fewer dedicated IT resources, or smaller-scale operations.

Encouragingly, the results show high awareness of the issue. Around 85% of SMEs recognise that cybersecurity is important for their business. Many companies already use basic protections such as antivirus software and regular system updates. Over 40% of companies say they have discussed cybersecurity in strategic planning or business meetings, showing that awareness is starting to shape management discussions.

However, the study also reveals significant gaps between recognising the risk and managing it effectively. Although basic security practices are relatively common, more robust or proactive measures—like formal staff training, encryption, or incident planning—are far less widespread. About 45% of SMEs have no formal cybersecurity policy and no plans to develop one. Over half never offer any cybersecurity training for employees.

A notable finding is that many still see cybersecurity as something only IT experts should handle, rather than a shared responsibility that requires leadership, planning, and staff awareness. This mindset limits companies’ ability to build a real culture of cybersecurity, where everyone understands their role in managing risks.

Barriers, needs, and the path forward

Financial and organisational barriers remain persistent. High costs, limited internal expertise, and lack of awareness were the most frequently cited obstacles—especially among smaller firms and those in rural areas. Many companies operate with minimal or no budget for cybersecurity, and large portions report on no recent investments at all, indicating that digital risk management is often a low priority.

The study also highlights issues in the broader support ecosystem. Awareness of existing support programs or legal requirements is weak. External resources are fragmented and underused, with most companies unaware of where to turn for help. Yet among those that have received external support, satisfaction is very high, showing that when practical, affordable help is offered, businesses value and embrace it.

Importantly, SMEs expressed clear demand for the kind of help they need: legislative updates, information sessions, free templates and guides, staff training, technical audits, and financial support such as subsidies.

Elsa Neeme, Moldova Cybersecurity Rapid Assistance Project Lead, senior cybersecurity expert at the e-Governance Academy:

These survey results clearly validate the direction we’ve taken. Through the EU’s Rapid Assistance Projects, we’ve proudly partnered with Moldova to upgrade the national cybersecurity framework in line with the EU’s NIS 2 Directive. That work has helped set a stronger legal foundation in Moldova, but this study underlines a crucial next step: turning legal texts into lived practice. That means training, awareness, and tools tailored to the realities of the private sector, especially SMEs.

It’s a logical and expected progression. This survey sends a clear message: businesses are ready to engage, but they need support that is actionable and relevant to the sector. “It also reinforces the idea that cybersecurity isn’t just a government or IT issue – it’s a shared responsibility.” Neeme continues, “And building a resilient digital economy means continuing this close cooperation between public institutions, the private sector, and international partners.”

Overall, the research paints a picture of a cybersecurity environment characterised by partial awareness and low capacity. Companies recognise the risks, but need structured, accessible, and affordable support to act on them effectively. Improving Moldova’s cyber resilience will mean not only strengthening technical defences but also promoting a shift in culture, so that cybersecurity is seen as everyone’s responsibility, integrated into planning, management, and daily business practices.

This study was funded by the European Union under the Moldova Cybersecurity Rapid Assistance 2.0 project, implemented by the e-Governance Academy.