If you make a product that connects to the internet — a smart thermostat, a mobile app, an industrial sensor, even a piece of software — the EU Cyber Resilience Act (CRA) probably applies to you. If you're a small or medium business, that may sound daunting.
The good news: there's time, and a clear path.
The CRA is the most significant product-security regulation in EU history. But it's also surprisingly navigable for SMEs once you understand what it asks, when it asks for it, and how to build compliance into your product development rather than bolting it on at the end.
This guide breaks down the Cyber Resilience Act (Regulation (EU) 2024/2847) for small businesses — manufacturers, importers, distributors, and software teams who need clarity without the legal fog.
What is the Cyber Resilience Act?
The CRA is an EU regulation — not a directive, so it applies directly in every Member State without national transposition — that sets horizontal cybersecurity requirements for products with digital elements placed on the EU market.
Key dates:
- Adopted: 23 October 2024
- Entered into force: 10 December 2024
- Reporting obligations (Article 14): 11 September 2026
- Full application: 11 December 2027
The CRA's core principle is "secure by design and by default." It shifts responsibility for product cybersecurity from the user to the manufacturer. Before the CRA, if your smart lock had a vulnerability, that was the buyer's problem. After December 2027, it's yours — and getting it wrong can cost up to €15 million.
Does the CRA apply to your SME?
Three questions decide it. If the answer to all three is yes, you're in scope.
Question 1: Do you make or sell a "product with digital elements"?
The CRA defines this broadly: any software or hardware product that can connect to another device or network, directly or indirectly.
In scope:
- Smart home devices (thermostats, cameras, locks)
- Network equipment (routers, firewalls, switches)
- Mobile apps and software
- Industrial control systems and IoT sensors
- Laptops, smartphones, wearables
- Embedded software and firmware
- Remote data-processing solutions
Out of scope (already regulated elsewhere): medical devices (MDR/IVDR), automotive components (UNECE), marine equipment, and certain aviation systems.
Critical point: the CRA applies based on where the product is placed on the market, not where it's made. A US SaaS company selling to EU customers is in scope. A Chinese manufacturer selling through Amazon EU is in scope.
Question 2: Are you an "economic operator"?
The CRA imposes obligations on four roles:
| Role | Definition | Primary obligations |
|---|---|---|
| Manufacturer | Designs, develops, or places a product on the market under its name | Risk assessment, conformity, CE marking, vulnerability handling, reporting |
| Importer | Brings non-EU products into the EU market | Verify CE marking, retain documentation, cooperate with authorities |
| Distributor | Makes products available on the EU market (not manufacturer or importer) | Check CE marking, avoid non-compliant products, cooperate with surveillance |
| Open-source steward | Supports open-source software within a commercial ecosystem | Specific vulnerability-handling and documentation duties |
For SMEs, the manufacturer role is the heavy lift. If you design, brand, or sell a digital product, you're the manufacturer — even as a 10-person team.
Question 3: Is your product commercial?
Open-source software developed without commercial activity is generally exempt. But if you monetize the software (subscriptions, support, hosting), integrate it into a commercial product, or provide it as a service (SaaS), the CRA likely applies.
The three product classes
Not all products are treated equally. The CRA escalates requirements across three tiers:
| Class | Examples | Conformity assessment |
|---|---|---|
| Standard products | General software, non-critical hardware | Self-assessment |
| Important — Class I | Browsers, password managers, VPNs, operating systems, network management tools | Self-assessment |
| Important — Class II | Hypervisors, firewalls, industrial monitoring, smart-meter components, smart-card readers | Third-party assessment |
| Critical products | Smart cards, secure elements, industrial safety systems | EU cybersecurity certificate or third-party assessment |
What this means for SMEs: most small software vendors and IoT makers fall into "Standard" or "Important Class I" — meaning you can self-assess. Only firewalls, industrial control systems, and security hardware need third-party certification. The CRA Fast Check tool can pin down your class in about a minute.
Core manufacturer obligations
Article 13 lists the manufacturer's duties. Here are the ones that matter most for SMEs, translated from legalese into plain English.
1. Security by design & by default (Annex I, Part I)
Before you ship, a product must come with secure default configurations (no default passwords, least privilege), protect against unauthorised access by design, ensure confidentiality and integrity of data, protect the availability of essential functions, and minimise impact on other systems.
SME translation: don't ship with "admin/admin" credentials, don't make users disable security to get your product working, and don't let your IoT device become a botnet waiting to happen.
2. Vulnerability handling (Annex I, Part II)
You need a documented process to identify and document vulnerabilities, ship security updates promptly, keep updates available for the support period (minimum 5 years), run a coordinated vulnerability disclosure (CVD) policy, and share remediation with upstream maintainers where relevant.
SME translation: you need a security@ address, a reasonable response time to
vulnerability reports, fast patches for critical bugs, and the discipline to keep
doing this for at least 5 years after you stop selling the product.
3. Cybersecurity risk assessment
Before placing a product on the market, you must run — and document — a risk assessment that drives your security design. Keep it for at least 10 years.
SME translation: write down what could go wrong, what you did to prevent it, and why that's enough. A 5-page document is fine for a simple product.
4. Technical documentation
Maintain documentation covering the product description and intended use, the risk assessment, how you met the essential requirements, your vulnerability-handling procedures, and test evidence.
SME translation: keep a (digital) folder with your risk assessment, architecture diagrams, security test results, and update logs. Market surveillance authorities can request it any time for 10 years.
5. EU Declaration of Conformity & CE marking
Once you've self-assessed (or been certified), draw up an EU Declaration of Conformity, affix the CE marking, and include manufacturer identification and the support-period end date.
SME translation: the CE mark now also means "this product meets cybersecurity requirements." You can't slap it on without doing the work.
6. Support period & update availability
The minimum support period is 5 years (or the product's expected lifetime if shorter). Security updates must stay available for at least 10 years after release, and the end-of-support date must be communicated to buyers at purchase.
The reporting timeline: 24h / 72h / 14 days
Article 14 introduces strict reporting for actively exploited vulnerabilities and severe incidents. It applies from 11 September 2026 — earlier than the main obligations.
| Stage | Deadline | What to report |
|---|---|---|
| Early warning | Within 24 hours | Actively exploited vulnerability or severe incident detected |
| Notification | Within 72 hours | Detailed assessment, impact, indicators of compromise |
| Final report | 14 days (vulnerabilities) / 1 month (incidents) | Root cause, corrective measures, cross-border impact |
Reports go to the CSIRT of your main-establishment Member State and to ENISA via the CRA Single Reporting Platform.
SME reality check: a 15-person team needs a 24/7 escalation path for security incidents. That doesn't mean a SOC — it means a documented process for who gets called when a critical vulnerability drops on a Friday evening.
Importers, distributors & the supply chain
If you're not the manufacturer but you bring products into the EU or distribute them, you have your own duties.
Importers must verify the CE marking, confirm that technical documentation and the Declaration of Conformity exist, ensure user instructions are in an understandable language, retain documentation for 10 years, and cooperate with authorities.
Distributors must check for the CE marking and required documentation, refuse to place non-compliant products on the market, cooperate with investigations, and take corrective action when a product presents a cybersecurity risk.
SME translation: if you import smart-home devices and resell them on Amazon EU, you are responsible for verifying CRA compliance. You can't blame the manufacturer if they fall short.
Open source: the steward exception
The CRA worried the open-source community. The final text answers it with the "open-source software steward" concept:
| Scenario | CRA applicability |
|---|---|
| Non-commercial open-source project (no monetization) | Exempt |
| Open-source component inside a commercial product | The commercial product's manufacturer is responsible |
| Commercial entity supporting an open-source ecosystem (steward) | Steward has specific vulnerability-handling and documentation duties |
| SaaS built on an open-source stack | The SaaS provider is the manufacturer and must comply |
What this means for SMEs: if you build a commercial product on open-source components (most do), you're responsible for the security of the whole product — open-source bits included. Exercise due diligence when integrating third-party components and report vulnerabilities upstream.
Practical tip: keep a Software Bill of Materials (SBOM) for every release. Tools like Syft, CycloneDX, or SPDX can automate it.
A 24-month compliance roadmap for SMEs
With full application on 11 December 2027, SMEs have roughly 24 months from mid-2026 to prepare. A realistic phased approach:
Phase 1: Scoping & assessment (months 1–3)
- Confirm your product class with the CRA Fast Check
- Map your portfolio: which products are in scope, which are exempt
- Identify your role: manufacturer, importer, distributor, or steward
- Run a gap analysis against the Annex I essential requirements
- Create initial SBOMs for each product
Phase 2: Foundation building (months 4–9)
- Establish a secure development lifecycle: threat modelling, code review, security testing
- Implement a vulnerability-handling process: CVD policy, intake channel, triage SLA
- Draft a technical-documentation template
- Set support periods (minimum 5 years per product)
- Build incident-response capability: 24/7 escalation, reporting templates
- Write user security documentation
Phase 3: Conformity & documentation (months 10–18)
- Complete risk assessments for all in-scope products
- Run internal conformity assessment (self-assessment for Standard / Class I)
- Prepare the EU Declaration of Conformity for each product
- Affix the CE marking (can be digital for software)
- Publish user instructions with the support-period end date
- Stand up an update-delivery mechanism (OTA updates, patch repository)
Phase 4: Reporting readiness (months 19–22)
- Register with the CRA Single Reporting Platform (via ENISA)
- Test the reporting workflow with a tabletop exercise
- Train the team on the 24h/72h/14-day deadlines
- Build a relationship with your national CSIRT
- Document your 10-year evidence-retention process
Phase 5: Go-live & continuous improvement (months 23–24+)
- Confirm every product placed on the market after 11 Dec 2027 is compliant
- Monitor for harmonised standards and delegated acts
- Run an annual review of risk assessments and documentation
- Apply for SECURE EU funding if eligible (up to €30,000 for MSMEs)
Fines & enforcement
The CRA's penalties are tiered:
| Violation | Maximum fine |
|---|---|
| Non-compliance with essential requirements or Articles 13 & 14 | €15 million OR 2.5% of global annual turnover |
| Other infringements | €10 million OR 1.5% of global annual turnover |
Authorities can also withdraw or recall products, prohibit sales, issue corrective orders, and publicly name non-compliant companies.
The SME angle: for a €5M-turnover SME, a 2.5% fine is €125,000; for a €50M SME, it's €1.25M. Real numbers that can kill a business — and entirely avoidable with preparation.
CRA vs NIS2: how they interact
Many SMEs will face both. Here's how they differ and overlap:
| Aspect | CRA | NIS2 |
|---|---|---|
| Type | Regulation (directly applicable) | Directive (national transposition) |
| Focus | Product security | Organizational security |
| Target | Makers, importers, distributors of digital products | Essential and Important Entities |
| Key obligation | Secure-by-design, CE marking, vulnerability reporting | Risk management, incident reporting, supply-chain security |
| Timeline | Full application Dec 2027 | Already transposed in most Member States |
| Fines | Up to €15M or 2.5% turnover | Up to €10M or 2% turnover |
The overlap: if you're a software manufacturer that's also an "Important Entity" under NIS2, you're doing double duty — but the CRA's technical documentation, risk assessment, and vulnerability handling align closely with NIS2's Article 21 measures. One well-structured security program serves both. For the organizational side, see our NIS2 guide for SMEs.
How Komplyo helps you get CRA-ready
The CRA's product-security duties — risk assessment, vulnerability handling, secure-by-default configuration, and technical documentation — sit on top of an organizational security baseline. That baseline is exactly what Komplyo helps you build and prove.
- Assess once, read everywhere. You answer once against NIST CSF 2.0 and Komplyo projects your posture onto NIS2, GDPR, ISO 27001, and SOC 2 — the same controls that underpin CRA vulnerability management and risk assessment. See how the methodology works.
- Start free. The free diagnostic gives you a maturity score by CSF function in minutes — a fast way to spot the gaps that CRA conformity will expose.
- From gaps to evidence. Identified gaps flow into a prioritized roadmap and generated policies — the documentation auditors and enterprise buyers ask for. Explore the product.
Frequently asked questions
Does the Cyber Resilience Act apply to software, or only hardware?
Both. The CRA covers any "product with digital elements" that can connect to a device or network — including standalone software, mobile apps, firmware, and SaaS with remote data-processing components.
When does the CRA actually start to bite?
Reporting obligations under Article 14 apply from 11 September 2026, and the full set of obligations applies from 11 December 2027. Products placed on the market after that date must be compliant.
Do small businesses have to pay for third-party certification?
Usually not. Most SME software and IoT products fall into "Standard" or "Important Class I," which allow self-assessment. Only Class II and Critical products (firewalls, industrial control systems, security hardware) require third-party assessment or an EU cybersecurity certificate.
What are the CRA reporting deadlines?
For actively exploited vulnerabilities and severe incidents: an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days (vulnerabilities) or 1 month (incidents), sent to your national CSIRT and ENISA.
How long must I support a product under the CRA?
A minimum of 5 years (or the product's expected lifetime if shorter). Security updates must remain available for at least 10 years after release, and the end-of-support date must be disclosed to buyers at purchase.
Free resources & tools
| Resource | Source | What it provides |
|---|---|---|
| CRA full text (EU Official Journal) | EU Official Journal | The legal text of Regulation (EU) 2024/2847 |
| CRA Fast Check self-assessment | Independent CRA resource | 3-question wizard for scope and product class |
| European Commission CRA summary | European Commission | Official summary of the legislation |
| ENISA CRA materials | ENISA | Guidance, standards mapping, implementation support |
| SECURE EU project | EU-funded project | Free training and cascade funding (up to €30,000) for MSMEs |
| CycloneDX SBOM standard | OWASP | Free SBOM format and tooling |
| SPDX SBOM standard | Linux Foundation | Alternative SBOM standard, widely used in open source |
Final thoughts: start now, at a steady pace
The CRA fundamentally changes how digital products are designed, sold, and supported in the EU. For SMEs, it creates both risk and opportunity.
The risk is clear: non-compliance means fines, market exclusion, and reputational damage. The opportunity is quieter but just as real — SMEs that build CRA-compliant products early can use security as a competitive differentiator. When a procurement team compares two IoT vendors, one with a documented security lifecycle and one without, the choice makes itself.
Start with three questions:
- Are our products in scope? (connectivity + EU market + commercial)
- What's our product class? (Standard, Important I/II, or Critical)
- Who owns compliance? (someone must coordinate engineering, legal, and operations)
Frameworks like NIST CSF 2.0, ISO 27001, and NIS2 provide the structure. The CRA provides the product-specific urgency. Your engineering knowledge provides the context. Combine them, and compliance becomes a product feature, not a burden.