Cyber Resilience Act for SMEs: What ENISA’s 2026 survey reveals


The Cyber Resilience Act (CRA) is transforming cybersecurity requirements for every company placing products with digital elements on the European market. While the legislation introduces new obligations for manufacturers, importers and distributors, many small and medium-sized enterprises (SMEs) are still struggling to understand what compliance actually requires.

To better understand the challenges facing Europe’s smaller businesses, the European Union Agency for Cybersecurity (ENISA) surveyed 194 organisations across 31 countries during February and March 2026. The results provide one of the first comprehensive pictures of SME readiness for the Cyber Resilience Act and highlight where companies need the most support.[1]

This article explores the survey’s main findings, explains what they mean for SMEs, and highlights the growing ecosystem of EU-funded tools and projects helping businesses prepare for compliance.

Key takeaways

  • The first CRA reporting obligations begin on 11 September 2026.
  • Full Cyber Resilience Act compliance becomes mandatory on 11 December 2027.
  • Documentation and conformity assessment remain SMEs’ biggest compliance challenge.
  • Incident response and software lifecycle management are the weakest maturity areas.
  • Multiple EU-funded projects already provide free tools, templates and funding to support compliance.

The Cyber Resilience Act timeline: Why SMEs need to act now

The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024 and introduces mandatory cybersecurity requirements for products with digital elements sold within the European Union.

For SMEs, two deadlines are particularly important:

  • 11 September 2026 – manufacturers must begin reporting actively exploited vulnerabilities and severe cybersecurity incidents through ENISA’s Single Reporting Platform.
  • 11 December 2027 – the CRA becomes fully applicable, introducing requirements for secure-by-design development, vulnerability handling, technical documentation, CE marking and conformity assessment.

Penalties for non-compliance can reach €15 million or 2.5% of worldwide annual turnover, although micro and small enterprises benefit from some proportionality measures, including exemptions from certain reporting penalties.

One important challenge remains: harmonised European standards are still under development. As of June 2026, none had been cited in the Official Journal of the European Union. SMEs therefore cannot afford to wait—they must begin preparing using the legal text and draft standards already available.

What this means for SMEs

The deadlines are fixed, but the supporting standards are still evolving. Businesses should begin their compliance journey now rather than waiting for the final technical specifications.

ENISA survey: SMEs know about the CRA but lack practical understanding

The survey shows encouraging awareness—but limited practical readiness.

While 66% of respondents had already heard of the Cyber Resilience Act, understanding drops significantly when it comes to implementation.

More than half (54%) reported little or no understanding of conformity assessment, while 42% struggled with the documentation requirements. Only 13% considered themselves confident about technical documentation, and just 14% felt they understood conformity assessment well.

Even more concerning, one in five organisations were unsure whether the CRA applied to them at all.

What this means for SMEs

The communication challenge has changed. Businesses no longer need to hear that the CRA exists—they need practical guidance explaining exactly what documents, processes and evidence they must prepare.

Projects such as CONFIRMATE and CRA-AI are already helping bridge this gap through free compliance guides and readiness assessment tools.

Documentation and conformity assessment remain the biggest compliance challenge

Across every survey question, two topics consistently emerged as the greatest concern:

  • Technical documentation
  • Conformity assessment

Both were identified 128 times as major challenges, making them the highest-ranked compliance concerns among respondents.

This is not surprising. The documentation required under CRA Annex VII is significantly more detailed than what many SMEs currently maintain.

Fortunately, several EU-funded initiatives are already developing practical solutions:

  • CRACoWi provides a Compliance Wizard that guides organisations through scope assessment and automatically generates an EU Declaration of Conformity.
  • CRA-AI offers the Attestra platform for generating conformity documentation directly from supplier information.
  • CURIUM supports organisations through guided self-assessment and certification preparation.

What this means for SMEs

Ready-made templates and guided compliance tools will likely prove more valuable than additional awareness campaigns.

Why micro-enterprises need different support

The survey confirms that company size is the strongest predictor of CRA readiness.

Across all five cybersecurity maturity domains, medium-sized organisations scored approximately one full point higher than micro-enterprises.

The reasons are clear:

  • 57% of micro-enterprises have nobody responsible for cybersecurity.
  • 25% have undertaken no formal compliance activity.

In many small businesses, the same person is responsible for software development, customer support, operations and regulatory compliance.

This means guidance written for dedicated cybersecurity teams simply does not work.

What this means for SMEs

Micro-enterprises need:

  • free tools
  • simple language
  • practical examples
  • step-by-step guidance
  • no specialist cybersecurity knowledge

Projects such as OSCRAT and OCCTET are already addressing this need through open-source compliance tools designed specifically for smaller organisations.

Where SMEs are least prepared

ENISA evaluated cybersecurity maturity across five domains.

The weakest area was incident response and product lifecycle management, with an average maturity score of just 2.6 out of 5.

Some findings are particularly striking:

  • 36% of micro-enterprises have no incident response plan.
  • No micro-enterprise reported having a fully enforced product lifecycle policy.
  • Only 24% perform threat modelling.
  • Only 35% maintain a Software Bill of Materials (SBOM).
  • No micro or small company reported formal role-specific cybersecurity training.

These are all capabilities explicitly encouraged—or required—under the Cyber Resilience Act.

What this means for SMEs

The greatest opportunities for improvement include:

  • incident response
  • lifecycle management
  • SBOM generation
  • threat modelling

Several EU-funded projects—including OSCRAT, OCCTET and CRACY—already provide tools that generate SBOMs and integrate vulnerability reporting with ENISA’s reporting platform.

What SMEs are asking for

The survey makes one point very clear: SMEs want practical support—not more theory.

The most requested forms of assistance were:

  • Technical documentation templates (73%)
  • Secure development templates (71%)
  • Compliance assessment tools (68%)
  • Step-by-step documentation guidance (66%)

However, the single most requested resource was financial support, identified by 142 respondents.

Businesses also rely on multiple information channels—including webinars, EU websites, national authorities and helpdesks—which means no single communication channel will reach every SME.

What this means for SMEs

The most effective support combines:

  • free templates
  • practical assessment tools
  • financial assistance
  • accessible guidance
  • multiple communication channels

The EU-funded projects mentioned throughout this article collectively offer compliance guidance, readiness assessments, open-source software tools, certification support and training specifically designed for SMEs.

Funding opportunities for Cyber Resilience Act compliance

Support extends beyond guidance. Several EU-funded initiatives provide direct financial assistance to SMEs.

For example, the SECURE project launched its first €5 million cascade funding call in early 2026, offering grants of up to €30,000 per project. Additional funding rounds are expected through 2027. Other initiatives combine financial support with free compliance platforms and training.

The Cyber Resilience Act also allows Member States to establish regulatory sandboxes, enabling SMEs to test compliance approaches before the legislation becomes fully applicable.

Next steps for SMEs

The ENISA survey paints a clear picture. European SMEs understand that the Cyber Resilience Act is coming, but many still lack the knowledge, resources and internal capacity needed for compliance.

Fortunately, the support ecosystem is rapidly expanding. Businesses should begin now by:

  • reviewing product development processes
  • strengthening cybersecurity documentation
  • preparing vulnerability reporting procedures
  • introducing SBOMs and threat modelling
  • exploring available EU-funded compliance tools and funding opportunities

Starting early will not only reduce compliance risk but also strengthen cybersecurity practices and improve long-term competitiveness.

Preparing for the Cyber Resilience Act?

The Cyber Resilience Act represents one of the most significant changes to Europe’s digital regulatory landscape. Understanding the regulation is only the first step.

Martel helps organisations navigate European digital policy, cybersecurity regulation and innovation through research, communication and strategic advisory services.

Download our free white paper, EU Cyber Resilience Act: Trends, Challenges and Opportunities, for a deeper analysis of the regulation, its timelines and practical recommendations for businesses preparing for compliance.


Frequently Asked Questions

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation introducing mandatory cybersecurity requirements for products with digital elements throughout their lifecycle.

When does the Cyber Resilience Act apply?

The first reporting obligations begin on 11 September 2026, while the regulation becomes fully applicable on 11 December 2027.

Does the Cyber Resilience Act apply to SMEs?

Yes. The CRA applies to manufacturers, importers and distributors placing products with digital elements on the EU market, including SMEs.

What are the penalties for non-compliance?

Serious infringements can lead to fines of up to €15 million or 2.5% of global annual turnover, alongside potential market restrictions and product recalls.

Where can SMEs get help with CRA compliance?

Several EU-funded projects—including CONFIRMATE, CRA-AI, CRACoWi, CURIUM, OSCRAT, OCCTET, CRACY and SECURE—already provide free guidance, tools, funding opportunities and readiness assessments.


  [1] https://www.enisa.europa.eu/publications/sme-cra-survey-report