Large corporations have spent three years flagging AI as their top threat: in the latest ISG study, 49% rank it above ransomware, data leakage and phishing. For an SMB the picture is different in scale, but the lesson is the same: threats have diversified and so must your defence. There's no single pill. Some decisions are technological, others are human protocols, others are strategic — and only some involve AI.
Every week we talk to SMB owners in Málaga, Marbella, Seville and Granada with the same feeling: that the ground is shifting and they can't quite pin down where. The short answer is that it's shifting in seven places at once, and each one needs a different kind of response: some require training, others protocols, others a commercial review, others specific software — and yes, some benefit from AI, but not all.
In this article we do the honest exercise: what are the seven real threats SMBs will face between 2026 and 2028, how they show up on the ground, and what concrete steps protect you without needing to invest €50,000. No scaremongering, no jargon, and no telling you that one tool solves everything.
Starting point: what large enterprises are saying
A recent ISG (Information Services Group) study asked executives at large enterprises what their top threat over the next 2 years was. Here are the results:
Four of the top seven have AI in the name. That's not a coincidence: the frontier is no longer "having AI or not", it's "having it well or having it badly". For an SMB this translates to very concrete situations. Let's go through them.
The 7 real threats facing an SMB
AI-powered cyberfraud: phishing, impersonation and voice deepfakes
Two years ago a phishing email was easy to spot from spelling mistakes and an odd sender address. Today, with generative AI, attackers write flawless emails in any language, clone a manager's voice from 30 seconds of audio scraped from a public video, and generate convincing fake invoices carrying your real supplier's logo.
We see this especially in hospitality, retail and professional services: the typical victim is an admin team member who receives an "urgent invoice" from a regular supplier, or a call from the "director" requesting an immediate transfer while out of office.
Three basic actions: practical team training on modern fraud signals (costs a morning), a double-confirmation protocol for any transfer or change to a supplier's bank account (using a channel different from the one that triggered the alert), and two-factor authentication across all critical services. Spain's INCIBE offers free SMB resources through its "Empresa Cibersegura" programme.
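The double-confirmation protocol above is a human rule, but it helps to see it written down as something that can be checked mechanically. The following is an added example, not code from the original article or its authors: a small approval engine that holds any transfer or supplier bank-account change until it has been confirmed through a channel different from the one the request arrived on, by a different person, using contact details already on file rather than those printed in the suspicious message. The channel names, the "live conversation" rule for bank-account changes, the staff names and the sample requests are all constructed for the example.

```python
"""Out-of-band double confirmation for payment instructions (added example).

Models the protocol: a request to pay an invoice or to change a supplier's
bank details is approved only after it is confirmed through an independent
channel, by someone other than the person who received it, using contact
details from our own records. Everything below is constructed for the example.
"""
from dataclasses import dataclass, field

# Channels an SMB typically uses. Email and phone are the ones most often
# impersonated (fake invoices, cloned voices), so a request must never be
# "confirmed" by replying on the same channel it arrived on.
CHANNELS = {"email", "phone", "whatsapp", "in_person", "supplier_portal"}

# Assumption for the example: a change of bank account is confirmed only in a
# live conversation, not by another written message that could be spoofed too.
LIVE_CHANNELS = {"phone", "in_person"}


@dataclass
class PaymentRequest:
    request_id: str
    kind: str                  # "transfer" or "bank_account_change"
    supplier: str
    amount: float              # euros, kept for the record
    received_via: str          # channel the request came in on
    received_by: str           # staff member who received it
    # (channel, confirmed_by, used_contact_details_on_file)
    confirmations: list = field(default_factory=list)


def confirm(req, channel, by_whom, contact_from_directory):
    """Record a confirmation attempt.

    contact_from_directory is True only when the staff member reached the
    supplier via the number or address already in the accounting system,
    not via a callback number printed in the request itself.
    """
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel {channel!r}")
    req.confirmations.append((channel, by_whom, contact_from_directory))


def evaluate(req):
    """Return ("approve" | "hold", list_of_reasons)."""
    reasons = []
    if req.received_via not in CHANNELS:
        return "hold", [f"unknown inbound channel {req.received_via!r}"]

    # Rule 1: a confirmation counts only if it used a different channel
    # and contact details on file.
    valid = [c for c in req.confirmations
             if c[0] != req.received_via and c[2]]
    if not valid:
        reasons.append("no confirmation via an independent channel "
                       "using contact details on file")

    # Rule 2: the confirmer must not be the person who received the request.
    independent = [c for c in valid if c[1] != req.received_by]
    if valid and not independent:
        reasons.append("confirmation made by the same person "
                       "who received the request")

    # Rule 3: bank-account changes need a live conversation.
    if req.kind == "bank_account_change" and not any(
            c[0] in LIVE_CHANNELS for c in independent):
        reasons.append("bank account changes must be confirmed "
                       "by phone or in person")

    return ("approve" if not reasons else "hold"), reasons


def demo():
    """Three constructed scenarios; returns {request_id: decision}."""
    # 1: "urgent invoice" by email; Ana replies to the same thread asking
    #    "is this genuine?" and gets "yes". Same channel, so it does not count.
    r1 = PaymentRequest("REQ-1", "transfer", "Suministros Sol", 4200.0, "email", "ana")
    confirm(r1, "email", "ana", False)
    # 2: same invoice, but Luis phones the supplier on the number stored in
    #    the accounting system and they confirm it.
    r2 = PaymentRequest("REQ-2", "transfer", "Suministros Sol", 4200.0, "email", "ana")
    confirm(r2, "phone", "luis", True)
    # 3: supplier "changed bank account" by email; Luis confirms on WhatsApp
    #    using the number printed in that same email.
    r3 = PaymentRequest("REQ-3", "bank_account_change", "Suministros Sol", 0.0, "email", "ana")
    confirm(r3, "whatsapp", "luis", False)
    return {r.request_id: evaluate(r)[0] for r in (r1, r2, r3)}


if __name__ == "__main__":
    for rid, decision in demo().items():
        print(rid, decision)
```

The point of writing the rule down this way is that each of the three scenarios the article describes (reply-to-same-thread, callback to a number on file, callback to the number in the message) maps to a specific check, and the decision can be logged with its reasons so the protocol is auditable rather than left to each person's judgement.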
Competitiveness loss against businesses already adopting AI
The quietest threat — and the one most likely to eat into margins over the next 24 months. While you're deciding whether to spend €99/month on an AI assistant, the business down the street is already capturing leads 24/7, responding in five languages and booking appointments while you sleep. In sectors with international clients (tourism, private healthcare, real estate), the gap shows up in months, not years.
This isn't a hypothesis: there are already restaurants, dental clinics and real estate agencies in central Málaga with automated after-hours responses. But competitiveness isn't won only by automating — it's won by several paths in parallel.
You have three levers and it's worth picking the one that fits your business: (a) real differentiation — something you do and your competition doesn't (specialisation, brand, customer community); (b) operational efficiency — more output with the same team, where automation (with or without AI) makes sense; (c) commercial presence — serving customers where you couldn't before (extended hours, languages, new channels). AI fits mostly in (b) and (c), not (a). What matters is to pick one lever and measure it for 30 days, not all three at once.
Rising labour costs and shortage of young talent
Spain's minimum wage has risen more than 50% since 2018. Add social security contributions and a full-time hire in Spain costs between €22,000 and €30,000 a year even at entry level. At the same time, finding young profiles for reception, phone support or admin work gets harder — Gen Z has other professional priorities.
The result: SMBs with overstretched minimal teams, owners taking on operational rather than strategic work, and margins narrowing because prices can't be raised at the same pace as labour costs.
Three lines that usually combine: (1) audit and eliminate unnecessary work — most SMBs have 15–30% of tasks that nobody uses but that keep being done "because we always have"; (2) redesign processes before automating anything — a broken process automated is just a broken process running faster; (3) automate what's repetitive — AI fits well for after-hours calls, FAQs, lead follow-up, but other tasks (invoicing, bank reconciliation, shift planning) are solved better with classic software than AI. The choice depends on the process, not the trend.
Data leakage from misuse of free AI tools
The most invisible threat: your team, with good intentions, pastes sensitive information into free ChatGPT, Gemini or Copilot to draft emails, summarise contracts or translate documents. That data may end up in training models, and on free plans there's no contractual confidentiality guarantee. Spain's data protection agency (AEPD) has already sanctioned several Spanish companies on this exact basis.
The problem isn't the tool — it's using it without a policy. The good news is that it's solved for free, with clear rules.
A two-page AI usage policy: what's allowed, what isn't, which paid-plan tools are authorised (where confidentiality clauses do apply) and what to do when in doubt. Free templates exist on Spain's CCN-CERT and AEPD websites (and equivalents in other EU countries). One of the highest-return time investments an SMB can make in 2026.
Regulatory compliance: EU AI Act, Verifactu, GDPR, sustainability
Between 2026 and 2028 four overlapping regulations affect SMBs:
- Verifactu / Spain's anti-fraud regulation: mandatory for all Spanish businesses from 2026. You need certified invoicing software.
- EU AI Act: real obligations only kick in if you use AI in high-risk decisions (hiring, credit scoring). For most SMBs the direct impact is low.
- GDPR: still the bulk of real regulatory risk, particularly with generative AI.
- Sustainability reporting (CSRD / EU Taxonomy): extends to medium-sized businesses through 2026-2027 depending on turnover thresholds.
You don't have to be an expert in all four — you need a quarterly checklist with your accountant and/or tech consultant, plus software that complies by default. Verifactu and GDPR are the priorities; the rest depends on your size and sector. Concrete action: book a meeting with your accountant before month-end to align a 2026-2027 plan.
Tourism dependency, seasonality and geopolitical volatility
For an SMB on the Costa del Sol, in Cabo de Gata or central Seville, a bad low season or a geopolitical event hitting international tourism can wipe out a year's margin. Seasonality isn't new — but its combination with high interest rates, inflationary pressure and rapid shifts in travel patterns is.
The specific risk: relying on a single channel (Booking, agencies, a couple of large suppliers) and discovering it only when it's too late.
The key word is diversification, not technology. Four fronts: (a) reduce dependency on a single main channel; (b) build an owned brand and recurring-customer base (newsletter, loyalty programme, well-managed reviews); (c) expand markets — international clients with better purchasing power, professional segments not tied to seasonality; (d) improve the direct digital experience (fast website, easy booking, attention in the customer's language — some businesses use automated assistants, others just a good form plus quick human responses). Not everything is solved with software; much of it is a commercial decision.
Digital gap with customers and public administrations
Your customer already expects a WhatsApp reply within the hour, two-click online booking and instant payment. Public administrations increasingly require digital-only procedures (electronic notifications, digital invoicing, certificates). SMBs still operating on paper and landlines aren't just falling behind — they're being shut out.
The interesting part: digitising a typical SMB in 2026 costs a tenth of what it cost in 2018, thanks to Spain's Kit Digital subsidy programme and modern SaaS tools. The barrier isn't money any more — it's time and lack of judgement to pick well.
Plan by priority, not by technology. Start with the bottleneck you already have today — customer service, bookings, document management, invoicing — and apply the specific tool that solves it, whether AI or not. Sometimes that's a free CRM, other times certified invoicing software, other times a conversational assistant. Our guide on where to start helps you sequence it without overspending.
The real pattern: diverse responses, not a single pill
If you look at the seven threats together and then at their responses, something worth underlining emerges: there's no single technology, no single strategy and no single provider that solves them all. Effective defence is built by combining different pieces:
- Human protocols and training solve the bulk of cyberfraud and data leakage from AI misuse.
- Commercial and strategic decisions solve channel dependency, competitor differentiation and international positioning.
- Classic software (invoicing, accounting, CRM, ERP) handles most of regulatory compliance and admin efficiency.
- Accountants and advisors are key for EU AI Act, Verifactu, GDPR and sustainability — no chatbot solves that.
- AI brings real value in specific cases: 24/7 multilingual attention, draft generation, text analysis at scale. Not everywhere.
So be sceptical of any provider — including us — telling you "AI is the answer". The honest question is this:
"What specific problem do I have in my business, and what's the most effective tool to solve it? If that tool is AI, perfect. If it's a protocol, training or classic software, equally fine."
— The question that separates useful decisions from spending on trends
A 90-day plan for an SMB
No impossible budgets, no 12-month projects. Here's what we recommend over the next three months:
| Timeframe | Action | Indicative budget |
|---|---|---|
| Month 1 | Team training on modern cyberfraud + double-confirmation protocol for transfers + 2FA on all critical services | €0–200 |
| Month 1 | Meeting with your accountant: Verifactu, GDPR and 2026-2027 compliance plan checklist | Standard fees |
| Month 1-2 | Process audit: identify unnecessary work still being done and real (not assumed) bottlenecks | Internal time |
| Month 2 | Review commercial strategy: channel dependency, market diversification, owned brand vs intermediaries | Internal time |
| Month 2-3 | Pick one tech lever for the priority bottleneck — could be new invoicing software, a CRM, an automated assistant, or nothing at all if what's missing is process | €0–299/month |
| Month 3 | Review results, decide next priority. Don't open a second front until the first one is closed | — |
If you have to pick just one action, start with team training + the double-confirmation protocol. It's the cheapest, the fastest, and the one that closes most of the reputational and financial risk for any SMB. The rest of the plan is built afterwards, calmly and based on results — not as a single block.
What we expect in 2027–2028
Our reading, based on what we see week after week with SMBs on the ground:
The SMBs that handle this biennium well — with order, clear priorities and combining several levers — will come out with less overstretched staff, better margins and more resilience to shocks. Those who postpone decisions will end up reacting under pressure, which is where the worst investment decisions get made and where regulatory or reputational risk turns into the most expensive bill.
Want to see which of these threats affects your business most?
In 30 minutes we analyse your specific situation — sector, size, processes — and tell you where to start to defend and grow at the same time. Free and no commitment.
Quick summary
- Large enterprises have spent three years ranking AI as their top 2-year threat (49% in the latest ISG). For an SMB the pattern repeats at smaller scale.
- The 7 concrete threats: AI cyberfraud, competitiveness loss, labour costs, data leakage, regulatory compliance, tourism dependency and the digital gap.
- There's no single pill. Defence combines training, human protocols, commercial decisions, classic software, legal advice and — where it fits — AI. Each threat asks for its own tool.
- A realistic 90-day plan: training + compliance + process audit + commercial review + one tech lever. Without opening all fronts at once.
- SMBs that handle the 2026-2028 period well come out with more margin and less risk; those who postpone end up reacting under pressure, which is where money is spent worst.