The European SMB Network Stack in 2026: What Actually Works
The 2026 reference network stack for a 50-300 seat EU SMB — firewall, switching, wireless, ZTNA, identity, endpoint, EDR, observability, backup, compute — with per-layer reasoning across 23 production deployments. Compliance-aware, budget-aware, operational-team-aware.
"What network gear should we buy?" is the most-asked question in our discovery calls. The answer varies wildly depending on whose marketing budget was largest the year someone wrote the buyer's guide. This article is the practitioner's view from inside 23 EU SMB deployments — what we actually deploy in 2026 across firewall, switching, wireless, ZTNA, observability, and identity, with the reasoning per choice.
Sized for the 50-300 seat European SMB. Compliance-aware (DORA / NIS2 / ISO 27001 / GDPR). Budget-aware. Operational-team-aware. Vendor-neutral as much as honest practice allows.
The five constraints that shape every EU SMB network decision
- Data sovereignty + GDPR. Vendor cloud-control planes outside the EU are a source of operational + compliance friction. This has become increasingly important since the post-2024 regulatory tightening.
- Compliance-mapping requirements. NIS2 + DORA + ISO 27001 all expect specific evidence; the gear has to produce it.
- Operational headcount. A 200-seat company has 2-4 IT engineers. Anything requiring a dedicated network engineer is over-spec.
- Budget shape. Capex-heavy + opex-light vs capex-light + opex-heavy. The right mix depends on the company's cashflow + accounting preferences.
- EU vendor support presence. Time-zone-aligned support + EU-shipped spare parts matter when a switch fails on a Friday afternoon.
Layer 01: Edge firewall
The firewall is the most visible single decision. Three tiers map to most SMB scales:
| Tier | Recommended | Throughput | Annual TCO |
|---|---|---|---|
| Small (under 50 users, single site) | OPNsense on Protectli FW6E, or pfSense on Netgate appliance | 250 Mbps - 1 Gbps | €800-€2,500 |
| Mid (50-200 users, 1-2 sites) | Sophos XGS, Fortinet FortiGate 70/100F, or Aruba EdgeConnect | 1-3 Gbps inspected | €3,500-€8,000 |
| Large (200+ users, multi-site) | Fortinet FortiGate 200/600F, Palo Alto PA-400, Check Point Quantum SMB | 3-10 Gbps inspected | €12,000-€30,000 |
What we actually deploy
For the typical 100-seat EU SMB: Sophos XGS 2100 or 2600. Reasoning:
- European company, EU-resident cloud-management option, GDPR-clean DPA
- Native ZTNA via Sophos ZTNA add-on if needed
- Hardware quality + EU spare-parts shipping are reliable
- Web filtering + IPS + email security in one box (consolidation vs separate vendors)
- Reasonable per-feature licensing rather than punitive enterprise tiering
For shops already invested in Fortinet's broader ecosystem: FortiGate 70F or 100F. The FortiOS feature set is genuinely deeper; the licensing complexity is genuinely worse.
For Linux-comfortable teams wanting open source: OPNsense on Protectli. Capable, EU-supported, no licensing. Trade-off: smaller community than pfSense, fewer commercial integrations.
What we avoid by default
- WatchGuard: the EU support presence has weakened post-2023; firmware update cadence frustrates EU-time-zone teams.
- Cisco ASA / Firepower for SMB: the licensing model + RMA experience does not align with the 50-200 seat operational reality.
- SonicWall: mid-2020s security incidents and firmware-quality regressions; we have not recommended it in 3+ years.
Layer 02: Switching
The switching decision is mostly boring + that is the point. Three tiers:
| Tier | Recommended | Typical spec |
|---|---|---|
| Access switches (per-floor / per-office) | Aruba CX 6100, Cisco Catalyst 1300, MikroTik CSS or CRS for budget | 24/48 port, PoE+, layer 2/3 |
| Core / distribution switches | Aruba CX 6300M, MikroTik CCR for budget, Cisco Catalyst 9200/9300 | Layer 3, VRF support, 10/25GbE uplinks |
| Top-of-rack (server / Proxmox HCI) | Aruba CX 8325, MikroTik CRS520, Mellanox SN2700 | 25/100GbE for storage backplane |
What we actually deploy
For the typical 100-seat EU SMB: Aruba CX 6100 (access) + Aruba CX 6300M (core). Reasoning:
- Mid-market positioning aligns with SMB scale (vs Cisco's enterprise-first defaults)
- Aruba Central cloud management is robust + EU-resident
- Lifetime warranty (Aruba's switch warranty is genuinely lifetime, with the operational caveats)
- VRF + advanced L3 features in the 6300M without needing a SKU upgrade
For maximum-budget-discipline shops: MikroTik CRS / CCR. Trade-off: the management UI is an acquired taste; the documentation assumes network-engineering depth; the per-port cost is unmatchable.
For Cisco-environment shops: Catalyst 9300. Strong feature set; licensing complexity tax; vendor TAC is reliable but slow in EU time zones.
Layer 03: Wireless
Covered separately in our enterprise WiFi deep-dive and the hospitality RF comparison. The short version for general EU SMB:
- Under 100 users, single office: UniFi U7 Pro (Wi-Fi 7, EU pricing, no licensing, mature dashboard)
- 100-300 users, single or multi-site: Aruba AP-505 / 615 with Aruba Central, or Cisco Meraki MR44 / MR57
- Large + high-density (conference centres, hospitality, dense offices): Aruba AP-635 + ARM tuning
Layer 04: Site-to-site backbone
Covered in detail in our VPN-vs-SD-WAN article and the WireGuard vs IPsec deep-dive. The short version:
- 1-3 sites, no multi-uplink requirement: IPsec on the existing firewalls
- 3-8 sites, Linux-comfortable team: WireGuard mesh on small Linux gateways
- 5+ sites, multi-uplink with automatic failover: SD-WAN (Meraki or Fortinet for SMB; Cisco SD-WAN for larger)
Layer 05: ZTNA + remote access
Replace the corporate VPN with identity-aware ZTNA. Three options for SMB:
| Vendor | Strengths | Cost |
|---|---|---|
| Cloudflare Zero Trust (formerly Cloudflare Access) | EU presence, generous free tier, integrates with broader Cloudflare stack | €5-€10/user/month above 50 users |
| Twingate | Simple deployment, WireGuard-based, good UX | €6-€12/user/month |
| Tailscale | Open-source variant (Headscale), engineer-friendly, mesh-based | Free under 100 users + 100 devices, paid tiers reasonable |
What we actually deploy
For technical teams: Tailscale (free tier for under 100 users; the operational ergonomics are unmatched). For non-technical teams who need a polished admin experience: Cloudflare Zero Trust. For shops that want EU-only with no US-jurisdiction parent: a self-hosted alternative (NetBird, Headscale) is increasingly viable.
Layer 06: Identity
The identity-first security shift means the identity stack is the most consequential single decision. Three patterns dominate EU SMB:
Microsoft-native (most common)
- Entra ID P2 (the necessary tier — Conditional Access risk policies + PIM require P2)
- Microsoft 365 E3 or E5 (E5 cleaner for regulated entities)
- Intune for endpoint management
- Defender for Endpoint + Defender for Office for the security baseline
Google-native
- Google Workspace Enterprise Plus
- BeyondCorp Enterprise for the ZTNA layer
- Context-Aware Access policies for the equivalent of Conditional Access
- Endpoint management via Google Endpoint Management or paired with Jamf for Mac
Hybrid / specialist
- Okta as the identity provider (universal SAML / SCIM + strong policy engine)
- Microsoft 365 or Google Workspace as the productivity layer
- Independent endpoint management (Intune, Jamf, Kandji)
For most EU SMBs, Microsoft-native with Entra ID P2 + M365 E5 wins by default. The integration depth + EU-resident options + DORA / NIS2 mapping are mature. Google Workspace wins for startups + scale-ups born after 2018 who never invested in Microsoft licenses.
Layer 07: Endpoint management + EDR
The MDM + EDR decision:
| Layer | Microsoft estates | Apple-heavy estates | Mixed estates |
|---|---|---|---|
| MDM | Intune | Jamf Pro or Kandji | Intune + Jamf bridge, or Microsoft Defender XDR baseline |
| EDR | Defender for Endpoint | SentinelOne or CrowdStrike Falcon | SentinelOne (cross-platform parity) |
| Application protection (MAM) | Intune MAM | Jamf Connect | Mixed by platform |
For Microsoft-heavy estates, the Intune + Defender bundle (in M365 E5) is the obvious default. For Apple-heavy: Jamf Pro is the gold standard; Kandji is cheaper + cleaner for smaller deployments. EDR-wise, Defender for Endpoint is good enough for most Microsoft estates; SentinelOne or CrowdStrike for clients who want cross-platform parity or stronger Mac coverage.
Layer 08: Observability + monitoring
Covered in detail in our SMB monitoring article and our useful-alerts deep-dive. Short version:
- Self-hosted Prometheus + Grafana + Loki + Alertmanager for under 150 hosts
- Grafana Cloud or Datadog Lite when self-hosting operational burden outweighs the SaaS premium
- Full Datadog / New Relic only above ~200 hosts or in regulated environments needing single-vendor evidence chain
Layer 09: Backup + disaster recovery
Covered in our backup-strategy article. Short version for the stack:
- Veeam Backup & Replication for the broader infrastructure backup (VM-level, application-aware, EU-strong vendor)
- Veeam Backup for Microsoft 365 for the M365 SaaS estate
- Wasabi or Backblaze B2 as the off-site immutable storage tier
- Optional: tape rotation for the highest-tier workloads
The reference bill of materials for a 100-seat EU SMB
| Layer | Hardware / software | Year-1 cost | Annual cost |
|---|---|---|---|
| Firewall | 2× Sophos XGS 2100 (HA pair) | €6,800 | €2,200 (licensing) |
| Core switch | 1× Aruba CX 6300M (24-port L3) | €3,800 | €0 |
| Access switches | 3× Aruba CX 6100 (48-port PoE+) | €7,500 | €0 |
| Wireless | 14× Aruba AP-505 + Aruba Central licensing | €8,400 | €2,800 |
| ZTNA | Tailscale free tier (under 100 users) | €0 | €0 |
| Identity + productivity | M365 E5 × 100 seats | €48,000 | €48,000 |
| Endpoint management | Bundled with E5 | €0 | €0 |
| EDR | Defender for Endpoint (bundled with E5) | €0 | €0 |
| Observability | Self-hosted Prometheus stack on Hetzner | €500 (setup) | €2,400 |
| Backup | Veeam Backup + Wasabi + Veeam M365 (100 seats) | €4,800 | €8,400 |
| Compute (Proxmox cluster, see pets-to-cattle) | 3× R660 + storage + UPS | €84,000 | €2,000 (support) |
| Total CAPEX | | €163,800 | €65,800 |
Per-seat: roughly €660/seat amortised (CAPEX over 5 years + OPEX). For a 100-seat company doing €5-€20M revenue, this is ~1-3% of revenue on IT infrastructure. The exact percentage depends on what proportion of the business is information-work-heavy.
The gear we changed our minds about in 2024-2026
- VMware → Proxmox. Post-Broadcom acquisition + licensing changes, we moved every active SMB virtualisation deployment to Proxmox over 18 months. The transition was less painful than vendor-FUD suggested.
- Cisco SMB → Aruba SMB. Cisco's mid-market positioning has weakened; Aruba's hardware + management UI + licensing model is operationally cleaner for the 50-300 seat company.
- WatchGuard → Sophos. Sophos's EU presence + DPA + management dashboard pulled ahead.
- Stand-alone VPN appliance → ZTNA-first. Replaced corporate VPN concentrators with identity-aware ZTNA at every renewal opportunity.
- Manual MDM → Intune / Jamf with Autopilot / DEP. Zero-touch enrolment became table stakes; manual setup is no longer competitive.
The five questions that guide every decision
- What is the EU-resident option? Vendor cloud-control plane in the EU; sub-processors disclosed; DPA clean.
- What is the operational team's depth? Tooling that requires more depth than the team has is a slow-motion incident.
- What is the 5-year TCO including licensing renewal? "Introductory year-1 pricing" is a known cost trap.
- What is the EU support presence? Time-zone alignment + spare-parts shipping matter at incident time.
- What is the exit cost? If we have to leave this vendor in 3 years, how painful is the migration?
Compliance evidence mapping
The stack maps to the regulatory frameworks the EU SMB has to defend:
| Framework | Stack components producing evidence |
|---|---|
| DORA Article 6 (ICT risk) | Sophos firewall + Defender + Sentinel + Veeam DR + Prometheus stack |
| NIS2 Article 21 | Same + Intune endpoint compliance + IdP audit logs |
| ISO 27001:2022 Annex A | All of the above + documented IaC + policy library |
| GDPR Article 32 | Encryption at rest (BitLocker / FileVault) + transit (TLS) + ZTNA per-app verification |
The evidence is produced by the stack as a side effect of operation. The compliance team queries the existing telemetry + audit logs; they do not need additional evidence-collection tooling for most controls.
What we would tell our past self
- The mid-market vendor tier is the right answer most of the time. Enterprise tier features cost real money; the marginal value at SMB scale is usually negative.
- Operational fit beats spec sheet every time. A 10% slower switch that the team operates confidently outperforms the 30% faster switch that produces 02:00 phone calls.
- EU presence matters more than it did in 2020. Post-Schrems II + post-CLOUD-Act-litigation + post-NIS2, the EU-resident DPA is increasingly the procurement gate.
- Consolidate vendors where you can. Three vendors with deep integration beats six vendors with shallow integration. Pick lanes.
- The exit cost is real; document it before you commit. Vendor lock-in compounds. Year-3 migration cost is meaningful budget pressure.
The one paragraph version
The 2026 EU SMB network stack: Sophos firewall + Aruba switching + Aruba wireless + Tailscale ZTNA + M365 E5 identity + Intune endpoint + Defender EDR + self-hosted Prometheus observability + Veeam backup + Proxmox compute. CAPEX €164k for a 100-seat company, OPEX €66k/year, total per-seat €660/year amortised. Maps cleanly to DORA / NIS2 / ISO 27001 / GDPR compliance evidence requirements. The deciding factors are operational fit + EU vendor presence + 5-year TCO + exit cost — not vendor benchmark sheets. We changed our minds on VMware (→ Proxmox), Cisco SMB (→ Aruba), WatchGuard (→ Sophos), and corporate VPN (→ ZTNA) over the past 18 months; the patterns hold across 23 EU SMB deployments.
If you want a scoped audit + stack recommendation + migration plan for your specific operation, that is the engagement shape. We deliver this as part of Azure Cloud Infrastructure + Microsoft 365 Management + Hardware & Endpoint Management engagements depending on what the client has + what they need. The free Bloodbath Scan gives the cloud-cost slice; the broader network audit is project-based.