Where do SMEs stand in preparing for the Cyber Resilience Act?

Back to News

The EU Agency for Cybersecurity (ENISA) publishes the Micro, Small and Medium-sized enterprises (SME) Cyber Resilience Maturity Assessment Model, a simple and practical guidance for SMEs to support them assess their current status, identify improvements and strengthen their cyber resilience practices.

As SMEs make up a large part of EU´s digital ecosystem, their ability to understand and implement the Cyber Resilience Act (CRA)is significant for the regulation’s success. Particularly, as smaller organisations face practical challenges related to resources, expertise, time and implementation capacity. To help address this, as part of the European Commission’s SME cybersecurity strategy, ENISA is working on practical guidance, tools and support activities tailored to the realities and needs of smaller organisations.

The SME Cyber Resilience Maturity Assessment Model provides a structured approach for SMEs to evaluate and strengthen their overall cyber resilience, while taking into account the requirements of the CRA. The model is primarily intended for organisations that manufacture and place products with digital elements on the market, as these are directly subject to CRA requirements. However, it can also be used by other organisations involved in the product life cycle, such as integrators or service providers, to assess and improve their product security practices.

It focuses on the following five domains, with each domain divided into five maturity criteria that reflect expected practices under the CRA and product security approaches:

  • governance and documentation,
  • risk management and security by design and by default,
  • vulnerability and patch management,
  • product life cycle management,
  • awareness, competence and skills.

The model suggests three maturity profiles: basic, intermediate and advanced, intended to show how consistently product-related risks are managed in the organisation. Overall, this model reflects practices supporting the implementation of the CRA and supports organisations in strengthening their product security and cyber resilience over time in a structured and manageable way. However, having an advanced maturity level does not replace legal obligations and should not be considered evidence of compliance. 

To support practical implementation, the maturity model includes a downloadable Excel tool that guides users through the process, automatically calculates maturity scores and helps SMEs to track progress across repeated self-checks.

A survey on SMEs preparedness in light of the CRA

ENISA recently published the findings of the ENISA SME CRA Survey, conducted in February and March 2026. The survey covered awareness of the CRA, understanding of its requirements, existing cybersecurity practices, organisational responsibilities and anticipated challenges related to compliance. Additionally, the survey gathered feedback on the support SMEs need and established a baseline for their maturity in product security practices. 

In line with the European Commission definition of SMEs, the sample included SMEs, covering microcompanies, small companies and medium-sized companies. A total of 194 organisations responded from 31 countries, including 25 EU Member States, and geographical groupings.

Key findings of the report

  • Gap between awareness and practical readiness. 66 % of respondents had heard of CRA before the survey but results suggest that there is still room for improvement in understanding practical requirements.
  • The size of the enterprise is the most consistent factor influencing the level of maturity. Across all five domains in the survey, medium-sized companies scored about one point higher than microcompanies on average. 
  • Incident response and product life cycle management is the weakest area overall, particularly for microcompanies. 
  • Practical templates are the most requested form of support. Technical documentation templates and secure development templates were each requested by more than 70 % of respondents.
  • The challenge of resources, cost and time management for SMEs, with 142 of the responded underlining the need for financial support.
  • SMEs do not rely on a single source of CRA information, thus effective outreach will require a combination of communication formats and platforms.

Based on the findings, the report provides recommendations on the identified challenges covering documentation and conformity assessment, technical documentation templates, incident response and product life cycle management, financial support as well as the specific recommendations for microcompanies.