Cyber Resilience Act for SMEs: Clear Priorities, Achievable Compliance
Does the CRA apply to your business? Yes – and soon.
The Cyber Resilience Act (Regulation (EU) 2024/2847) includes no size exemption for manufacturers. If you place a product with digital elements – hardware or software – on the EU market, the obligations typically apply to you. Whether you have 10 or 10,000 employees.
There are targeted reliefs for SMEs in certain penalty and reporting provisions. But these do not change the fundamental obligation to comply.
The good news: with the right starting point, the CRA can be addressed in a structured and proportionate way – if you start now.
Two deadlines that matter
| Date | What applies from then on? | Priority for SMEs |
|---|---|---|
| 11 September 2026 | Reporting obligations for actively exploited vulnerabilities and severe security incidents | High – operational processes must be in place beforehand |
| 11 December 2027 | Full product requirements: security by design, SBOM, CE marking, technical documentation, EU declaration of conformity | Medium to high – allow for lead time in product development |
The first deadline – September 2026 – is more urgent. It requires working processes, not a finished product dossier. If you have no defined workflow for when a vulnerability is reported or a security incident occurs, you have less runway than you might think.
What you must have in place operationally by September 2026
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe security incidents via the CRA Single Reporting Platform (addressed to the relevant CSIRT, with the information made available to ENISA at the same time):
- 24 hours: Early warning from the moment of awareness
- 72 hours: Full notification including corrective or mitigating actions taken
- Final report: 14 days after a corrective measure is available (actively exploited vulnerabilities); one month after the 72-hour notification (severe security incidents)
These sound like standard processes – but for many SMEs they are not. Typical gaps: no defined point of contact for security reports, no escalation path, no template for the final report. Building these processes takes time, but not a seven-figure project plan.
More on reporting timelines and channels: CRA Reporting Obligations from 11 September 2026.
Typical pitfalls for SME manufacturers
"We only make software – surely this doesn't apply to us."
Software products are explicitly covered by the CRA, provided they establish a direct or indirect data connection to a device or network. Purely offline software with absolutely no network component may be out of scope – but the boundary is narrower than most assume.
"We're too small to need a notified body."
Most standard products can be certified through self-assessment. However, this depends on the product category. Important products (Annex III, Class I and II) are subject to stricter requirements – up to and including mandatory involvement of a notified body. Which route typically applies to your product should be clarified early. More: CRA Product Classes: Classification and Conformity Paths.
"The SBOM obligation doesn't kick in until 2027 – that can wait."
Yes and no. The obligation applies from 2027 – but building a complete, CRA-compliant software bill of materials when your product has fifty dependencies that your development team has never systematically tracked takes months. Waiting means you hit time pressure at exactly the moment every other SME is catching up at once. More on formats and requirements: SBOM Requirements in the CRA.
"We also sell outside the EU – the CRA only applies domestically."
The CRA is triggered by placing a product on the EU market. If you sell in the EU, it applies – regardless of where your headquarters are located or where else you export.
Prioritised roadmap: what to tackle first when budget and time are limited
No SME needs to do everything at once. The following prioritisation is based on the deadlines and on what is typically examined first in an audit or incident review.
Phase 1 – By September 2026: processes before documents
- Clarify applicability: Does the CRA cover your product? What role do you play (manufacturer, importer, distributor)? → Interactive Applicability Check
- Classify your product: Standard, important Class I, important Class II, or critical? This determines the conformity path.
- Build the reporting process: Designate a point of contact, define the escalation path, create report templates, and prepare access to the CRA Single Reporting Platform.
- Introduce vulnerability tracking: Who reports what to whom internally? How are known vulnerabilities in third-party components monitored?
Phase 2 – By December 2027: systematically close product gaps
- Risk assessment and security by design: Cybersecurity risk assessment covering design, development, and production – can be anchored in existing processes.
- Build the SBOM: Compile your software bill of materials to CRA requirements (CycloneDX ≥ 1.6 or SPDX ≥ 3.0.1 recommended), observe the 10-year archiving obligation. Request a gap report: have your SBOM assessed for CRA readiness
- Build technical documentation: The foundation for CE marking and the EU declaration of conformity.
- Carry out the conformity assessment: Depending on the product class, self-assessment or involvement of a notified body.
- User information (Annex II): Provide security-relevant product information to end users.
What Blackfort Technology handles for SME manufacturers
Blackfort Technology supports small and mid-size manufacturers from the initial scoping through to documented conformity – without consulting overhead that doesn't scale for a 30-person company.
- Applicability and product class analysis: Determining whether and to what extent your products fall under the CRA
- Reporting process setup: Building a lean PSIRT (Product Security Incident Response) process ready for September 2026
- SBOM gap report: Assessing your software bill of materials against CRA requirements, tooling recommendation (Dependency-Track, CycloneDX)
- Technical documentation: Creating or reviewing the documents required for CE marking
- Conformity assessment support: Preparing for self-assessment or coordinating with a notified body
Christian Gebhardt, Managing Director of Blackfort Technology, is a member of the ACS AI working group and co-author of the ACS/BSI guide on LLM penetration testing. His hands-on experience from PKI, DORA, NIS2, ISMS, and vulnerability management projects feeds directly into the CRA work.
Further reading for SME manufacturers
A detailed step-by-step breakdown: Cyber Resilience Act for SMEs: Prioritised Implementation Plan.
A full overview of CRA obligations: Cyber Resilience Act: Requirements, Deadlines and Obligations.
Frequently asked questions
Does the Cyber Resilience Act also apply to very small businesses with fewer than 10 employees?
We build a SaaS product – does software without hardware fall under the CRA?
What happens if we fail to meet the reporting obligation from September 2026?
Do we have to build a dedicated security team to meet the reporting obligation?
How much effort does a software bill of materials (SBOM) take for a typical SME product?
We sell mainly in the US – do we still need to become CRA-compliant?
Let's talk about your CRA readiness
Book a free initial call: In 30 minutes we clarify which CRA obligations typically apply to your product – and what genuinely needs to be in place by September 2026.
Request a first call Check eligibility