Cyber Resilience Act for SMEs: What Manufacturers Need to Do Now
The Cyber Resilience Act (Regulation (EU) 2024/2847) hits small and medium-sized manufacturers of digital products harder than many expect: there is no size exemption. Anyone placing a product with digital elements on the EU market — whether hardware with a software component, an embedded device or pure software — is in principle subject to the same requirements as a large corporation. The difference lies in timeline, prioritisation and available budget. This article provides a prioritised roadmap that starts exactly there.
Does the CRA apply to my business at all?
The decisive question is not company size but product category. In scope are manufacturers, importers and distributors of products with digital elements that have a direct or indirect logical or physical data connection to a device or network — and that are made available on the EU market. This also applies to free software and to products marketed under your own name but developed by third parties.
Exemptions apply to products already equivalently regulated by sector-specific EU legislation, such as medical devices (MDR/IVDR), motor vehicles (type-approval), or aviation products. For the vast majority of SME software and hardware manufacturers these exemptions do not apply. Use our interactive applicability check for a systematic self-assessment; a detailed explanation of roles and boundaries is available in the article Cyber Resilience Act — am I affected?
The two hard deadlines — and why the first one is urgent
For SMEs, two dates structure the entire implementation plan:
- 11 September 2026: The CRA's reporting and notification obligations (Art. 14) become applicable. From this date, manufacturers must report actively exploited vulnerabilities and severe security incidents within 24 hours as an early warning and within 72 hours as a full notification. A final report follows within 14 days of a corrective or mitigating measure becoming available (vulnerabilities), or within one month of the 72-hour notification (severe incidents). Reporting is submitted via the ENISA Single Reporting Platform (SRP) to the competent CSIRT.
- 11 December 2027: All remaining product requirements become fully applicable: security by design, vulnerability handling over the entire support period, SBOM, technical documentation, CE marking and EU declaration of conformity.
The first deadline is the more critical one for operational decisions: it is only months away and requires functioning processes — not a completed product certification, but a ready-to-use reporting infrastructure. Details in the article CRA Reporting Obligations from 11 September 2026.
Minimum Viable CRA Compliance: priorities for limited budgets
When resources are constrained, sequence matters. Not all CRA obligations take effect simultaneously, and not all carry the same penalty risk. The following roadmap is ordered by deadline urgency and implementation effort.
Phase 1 (now until September 2026): build reporting processes
This is the most urgent measure. A Product Security Incident Response Team (PSIRT) does not need to be a dedicated department — but it requires a named responsible person, a documented escalation path and the technical capability to issue a qualified early warning within 24 hours. In practice this means:
- Define the internal notification chain: who decides whether an incident is "actively exploited" or "severe"?
- Prepare access to the ENISA Single Reporting Platform (SRP) — check registration and the reporting format
- Create templates for the 24-hour early warning, 72-hour notification and final report
- Secure a monitoring baseline: is there a vulnerability database feed (NVD, OSV) to detect exploited weaknesses in your product components?
Note: the ENISA Single Reporting Platform was still being set up at the time this article was written (July 2026). Manufacturers should monitor the ENISA website for the launch date and the exact reporting format. Details on the reporting obligation.
Phase 2 (in parallel, until December 2027): build your SBOM
A Software Bill of Materials (SBOM) is the indispensable foundation for all other CRA obligations: without knowing which third-party components are in a product, neither rapid vulnerability reporting nor coordinated vulnerability handling is possible. At the same time, the SBOM is the most time-consuming measure in the entire CRA roadmap.
For SMEs a staged approach is recommended:
- Immediate action: create an SBOM for your highest-revenue or highest-risk product — in CycloneDX ≥ 1.6 or SPDX ≥ 3.0.1 format (BSI standard TR-03183-2)
- Tooling: open-source tools such as Dependency-Track enable automated SBOM generation and continuous vulnerability monitoring
- Note the retention obligation: the technical documentation including the SBOM must be kept for at least 10 years after the product is placed on the market, or for the product's support period — whichever period is longer
A detailed technical overview of formats, tools and the retention obligation is available in the article SBOM Requirements under the CRA. Alternatively you can use our SBOM Gap Report to have your current software bill of materials assessed for CRA readiness.
Phase 3 (until December 2027): determine product class and plan conformity assessment
The CRA distinguishes three product categories with different conformity assessment requirements:
| Product category | Conformity assessment | Typical examples |
|---|---|---|
| Default | Self-assessment (Module A) | Mobile apps, smart speakers, video games |
| Important, Class I (Annex III) | Self-assessment with harmonised standards; otherwise notified body | Password managers, VPN, browsers, PKI software, SIEM |
| Important, Class II (Annex III) | Notified body mandatory (Module B/C or H) | Hardware firewalls, hypervisors, industrial control systems |
| Critical (Annex IV) | Notified body or EU cybersecurity certification scheme | Smart cards, secure elements, smart-meter gateways |
For Class I products there is an important relief option: where harmonised standards or common specifications are applied, self-assessment is sufficient — without an external testing body. These standards (being developed under Mandate M/608 by ETSI and CEN/CENELEC) are expected to become available by the end of 2026. SMEs with Class I products should track this timeline, as it can significantly affect the effort required for conformity assessment.
The precise classification of specific products requires interpretation and depends on Implementing Regulation (EU) 2025/2392. All class references in this article are schematic — the classification of your specific product should be assessed with professional support. More details in the article CRA Product Classes: Default, Class I/II and Critical.
What CRA compliance typically costs SMEs
Market estimates put the initial CRA implementation cost at between €50,000 and €200,000 — highly dependent on product complexity, the starting state of existing security processes and product class. For SMEs with a single default-category product and existing basic security documentation, the lower end is realistic. Companies with multiple Class I/II products or without established vulnerability management processes should plan for the upper range.
Sequencing is crucial for cost control: introducing SBOM tooling first saves significant effort in technical documentation and simultaneously accelerates reporting processes. Clarifying the product class early avoids costly rework if it turns out that an external testing body is required.
Reliefs for micro-enterprises — and what they do not cover
The CRA provides targeted reliefs for micro-enterprises (fewer than 10 employees, annual turnover or balance-sheet total below €2 million), for example regarding certain penalty aspects and administrative requirements. These reliefs do not, however, mean that micro-enterprises are exempt from the CRA — the technical product requirements and the reporting obligations apply to them as well. For manufacturers in this size category the pragmatic approach is especially important: prioritise reporting processes and SBOM, use self-assessment wherever permitted, apply harmonised standards as soon as they are available.
The realistic timeline at a glance
- Immediately (Q3 2026): assess applicability, make a preliminary product class estimate, assign PSIRT responsibility, document the notification chain, prepare SRP registration
- Q4 2026 – Q2 2027: build SBOMs for core products, introduce Dependency-Track or comparable tooling, begin technical documentation
- Q3 – Q4 2027: complete conformity assessment (self-assessment or notified body), affix CE marking, issue EU declaration of conformity
A complete overview of all CRA obligations is available on the CRA pillar page. If you are unsure whether and how your product is affected, start with the applicability check or schedule a no-obligation initial consultation directly.
Frequently asked questions
Does the Cyber Resilience Act apply to small businesses too?
What is the most important CRA obligation SMEs should address first?
Do I need to involve a notified body for my product?
What is an SBOM and why is it so important for CRA compliance?
What does CRA implementation cost for an SME?
Let's talk about your CRA readiness
Want to know where your company stands on CRA compliance and what to do next? Christian Gebhardt, Managing Director of Blackfort Technology and co-author of the ACS/BSI guide on pentesting LLMs, supports SME manufacturers from applicability analysis through to completed conformity assessment. Schedule a no-obligation initial consultation now.
Request a first call Check eligibility