CYBER MATURITY AMONG EUROPEAN SMES: A TIME-SERIES AND CLUSTER-BASED ANALYSIS
License
Copyright (c) 2026 Zsanett Porkolab-Angyalos, Róbert Szilágyi

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Accepted 2026-06-14
Published 2026-06-27
Abstract
medium-sized enterprises (SMEs) between 2015 and 2025, with particular focus on trends in cyber threat exposure, defensive investment patterns, and the regulatory impact of the NIS2 Directive. Given the limited availability of long-term firm-level microdata, the research combines aggregated EU-level time-series data (Eurostat, ENISA, IBM) with a calibrated synthetic SME dataset (N = 100) to model maturity dynamics. Time-series forecasting was conducted using Prophet models to analyze the development of incident frequency (INCID_FREQ) and cybersecurity investment intensity (SPEND_RATIO), treating NIS2 as an exogenous regulatory shock. In parallel, K-Means clustering was applied across three maturity dimensions (investment ratio, NIS2 compliance level, and incident response time) to identify distinct cybersecurity profiles. The results indicate that cyber threat exposure has increased at a faster pace than defensive expenditures, particularly between 2015 and 2020. While the anticipated NIS2 effect in 2025 generates a measurable surge in security spending, it does not ensure long-term convergence between risk growth and investment intensity. The cluster analysis identifies three maturity groups (Ad-hoc, Managed, and Optimized) corresponding to consolidated CMMI and NIST-CSF levels. These findings suggest that regulatory pressure can accelerate short-term adaptation, but sustainable cybersecurity maturity among SMEs requires structural capability development, governance improvements, and strategic investment alignment.
https://doi.org/10.19041/APSTRACT/2026/1/6