Responsible Innovation in Cybersecurity Governance: An RRI-Based Analysis of SME Responses to the NIS2 Directive
GHAZNAVI, LEILA
2024/2025
Abstract
The Network and Information Security 2 (NIS2) Directive is the European Union's most ambitious attempt to standardise cybersecurity governance across Member States, extending regulatory obligations to small and medium-sized businesses, which account for 99 percent of all businesses in Europe. This thesis looks at how SMEs view and react to their new responsibilities and explores whether NIS2 embodies responsible innovation in its procedural development and normative substance. Using Responsible Research and Innovation (RRI) as an analytical lens, the research evaluates two consultation processes: the European Commission's 2020 open public consultation during policy formulation and the European Digital SME Alliance's 2025 consultation during implementation. The analysis applies RRI's procedural dimensions (anticipation, reflexivity, inclusion, and responsiveness) to assess stakeholder participation qualifications and employs RRI's normative approach to evaluate alignment with EU fundamental rights and democratic values. Findings show that both consultations demonstrate partial responsibility. The Commission's 2020 process shows moderate anticipation and responsiveness. However, reflexivity remained operational rather than ethical, with limited discussion of underlying purposes. Inclusion was formally broad but ended up consultative rather than co-creative. The 2025 SME consultation similarly reveals advancing but incomplete responsibility: organisations showed growing anticipatory planning through gap analyses, yet reflexivity remained narrow, with enterprises viewing NIS2 primarily as compliance rather than as a contribution to collective European resilience. Normative analysis reveals strong alignment with fundamental rights: the Directive explicitly protects privacy, data protection, business freedom, and fair trial rights, though implementation depends on Member State transposition.
According to this thesis, NIS2 maintains a top-down regulatory model rather than fostering collaborative responsibility cultures, despite making significant progress towards engaging participants and fundamental rights alignment. Future frameworks must reinforce deliberative processes, incorporate ethical reflection into policy cycles, and offer appropriate support to enable real SME participation in order to achieve digital sovereignty based on shared responsibility.

| File | Size | Format |
|---|---|---|
| Ghaznavi_Leila.pdf (open access) | 2.23 MB | Adobe PDF |
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 license.
https://hdl.handle.net/20.500.12608/98703