If you're tiny you get out of a few GDPR regulations, like having a data protection officer. Also the GDPR mostly calls for reasonable and appropriate measures, which are terms that scale with company size (measures reasonable for a hairdressing salon are not appropriate for a fortune 500).

Making even further cutouts for SMEs seems unreasonable, after all the individual citzen has similar impact from a data breach in a medium sized company compared to a data breach in a large enterprise.