Cyber Resilience Act for SMEs
Cyber Resilience Act for SMEs: products with digital elements, software, vulnerability handling, reporting, CE evidence and 2027 readiness plan.
Direct answer
The Cyber Resilience Act requires manufacturers of products with digital elements, including many software and connected products, to meet cybersecurity requirements, handle vulnerabilities, provide user information, and keep technical documentation. SMEs should start by deciding whether their product is in scope and what role they play.
What does the Cyber Resilience Act require from SMEs?
- Confirm product scope
- Build vulnerability process
- Prepare technical file
| Milestone | Date |
|---|---|
| Entered into force | 2024-12-10 |
| Reporting starts | 2026-09-11 for Article 14 reporting obligations |
| Full application | 2027-12-11 |
Cyber Resilience Act for SMEs checklist
Action checklist
- Check whether software, hardware or remote data processing falls in scope.
- Define intake, triage, patching, disclosure and reporting workflow (Article 14).
- Document security requirements, testing, support period and user instructions.
Key deadlines
| Date | Requirement | Source |
|---|---|---|
| 2026-09-11 | CRA reporting obligations: Certain vulnerability and incident reporting obligations start applying. | European Commission Cyber Resilience Act summary |
| 2027-12-11 | CRA full application: Main CRA obligations for products with digital elements apply. | European Commission Cyber Resilience Act summary |
30/60/90-day action plan
First 30 days
Confirm scope and assign an owner
Evidence needed: Applicability note, business owner, systems or product list, and source links.
Days 31-60
Close the evidence gaps
Evidence needed: Policies, supplier records, data maps, technical notes, training records, or process owners.
Days 61-90
Prepare for audit or customer review
Evidence needed: Versioned compliance file, action log, exception register, and next review date.
Evidence to retain
Applicability decision
Shows whether the Cyber Resilience Act applies and why the SME made that decision.
Retain: Scope memo, trigger criteria, country notes, owner approval, and review date.
Action owner list
Regulators and enterprise customers expect named accountability, not generic intent.
Retain: Owner, backup owner, due date, status, and unresolved blocker notes.
Evidence folder
The fastest way to answer customer due diligence is a single audit-ready evidence file.
Retain: Policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
Does the CRA apply to software SMEs?
It can apply where software is a product with digital elements made available on the EU market.
What is the first CRA task for an SME?
Classify the product and role, then build a vulnerability handling and security documentation process.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.