Still unsure what to do about the CRA? You're not alone
If you haven’t noticed the EU Cyber Resilience Act (CRA) by now, it's high time you did. Since its adoption in late 2024, the CRA represents a game-changing regulation for all products with digital elements sold in the EU—whether you're developing smart toys, industrial controllers, or IoT devices.
The schedule is as follows: from September 2026 you are obliged to handle vulnerabilities according to the process set out in the CRA. A year later, from September 2027, you must be able to show that your products fulfil the CRA security requirements.
As an SME, you're likely wondering:
- What exactly does CRA compliance involve?
- Can we self-assess or do we need third-party testing?
- How do we document compliance, manage updates, and integrate security into product development?
Good questions. In fact, these are some of the most frequently asked questions by SMEs as they begin implementing the CRA. We’ve compiled them below—based on real expert discussions and regulatory analysis—to give you clear, actionable answers.
And with new obligations now extending across the entire lifecycle of your product (design, manufacturing, supply chain, updates, and even vulnerability disclosure), it’s more important than ever to prepare early and efficiently.
Top 10 Questions SMEs Ask About CRA Compliance
- What does the CRA require from me beyond a simple compliance check at the end of product development? → The CRA mandates a secure product development lifecycle (SDL). Security must be embedded from the design phase through to post-sale support, including secure configuration, risk assessment, regular testing, and vulnerability handling.
- How do I know which standards are applicable to my specific product? → Standards are not always straightforward. While the CRA references harmonised standards (once the horizontal and vertical norms are finalised), SMEs often need guidance to map these onto their own product’s features and risks. ENISA publications and industry whitepapers suggest tools and mappings to help with this.
- Can we self-assess for CRA compliance, or do we need external certification? → For most products, self-assessment is allowed unless you're producing "critical" components (as defined by the classification rules). However, it’s essential to base the self-assessment on a documented risk evaluation, as this is what market surveillance bodies will scrutinise.
- How can I integrate CRA requirements into our existing development processes and tools? → You don’t need to throw away existing processes such as ISO 9001 or agile workflows, but you must embed cybersecurity checkpoints and make sure they align with CRA expectations. This may involve risk assessment templates, SBOM integration, and automated testing tools.
- What tools or platforms exist to help automate or guide CRA implementation? → There is a growing number of tools for SBOMs, vulnerability scans, and security testing (e.g. Maven, SAST/DAST, fuzzing). Many can be integrated into DevOps pipelines. What matters is that they match the complexity of your product and the resources available to you, including open-source software stewards and open-source tooling.
- Where can I find affordable and trustworthy consultancy or support services? → The CRA market is still maturing. Look for partners with a proven track record or experience in product security and regulatory compliance. Free initial support is often available through EU initiatives such as the European Digital Innovation Hubs.
- How do I justify the cost and effort of CRA compliance to my team or leadership? → Compliance is not just a legal duty; it’s a market differentiator. Products with CE marking under the CRA will signal trust and security, helping you pass procurement checks and enter new markets.
- What documentation is required, and how detailed must it be? → Expect to maintain documentation such as risk assessments, SBOMs, test reports, coordinated vulnerability disclosure procedures, and incident response plans, and to retain it for at least 10 years. This is not optional: it forms the backbone of your technical file and CE declaration.
- Is there a clear starting point or checklist for CRA compliance tailored to SMEs? → While no official checklist exists yet, best practices and EU resources outline structured steps: start with a risk assessment, identify applicable standards, embed secure design, document, and test. Tailored toolkits and templates are becoming available.
- How do we ensure ongoing compliance when risks and systems are constantly evolving? → The CRA is a risk-based, lifecycle regulation. That means you must monitor for new vulnerabilities, support software updates for at least 5 years, and adjust your documentation and controls accordingly. Automation can help, but periodic audits and updates remain essential.
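The two answers above on SBOM integration in the pipeline and on ongoing vulnerability monitoring come together in one recurring task: checking the components listed in a product's SBOM against newly published advisories and recording the result for the technical file. The following is an added example (not code from this article or from any CRA tooling) that does this for a constructed CycloneDX-style SBOM and a constructed advisory feed; the component names, versions and advisory identifiers (`EXAMPLE-2025-...`) are all hypothetical, and the version comparison assumes plain dotted numeric versions.

```python
"""Match a CycloneDX-style SBOM against a vulnerability feed and produce a
report suitable for a periodic CRA vulnerability-monitoring record.
Added example with constructed data; not the article's or any vendor's code."""
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed, minimal CycloneDX 1.5-shaped SBOM for a fictional device firmware.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "sensor-gateway-firmware", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "libtls-example", "version": "1.4.2",
     "purl": "pkg:generic/libtls-example@1.4.2"},
    {"type": "library", "name": "jsonparse-example", "version": "0.9.7",
     "purl": "pkg:generic/jsonparse-example@0.9.7"},
    {"type": "library", "name": "mqtt-client-example", "version": "3.0.1"}
  ]
}"""

# Constructed advisory feed. The identifiers are placeholders, not real CVEs.
# "fixed": None means no fixed release is known yet.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "component": "libtls-example",
     "introduced": "1.4.0", "fixed": "1.4.3", "severity": "high"},
    {"id": "EXAMPLE-2025-0002", "component": "jsonparse-example",
     "introduced": "0.0.0", "fixed": "0.9.7", "severity": "medium"},
    {"id": "EXAMPLE-2025-0003", "component": "mqtt-client-example",
     "introduced": "3.0.0", "fixed": None, "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn "1.4.2" into (1, 4, 2) so tuples compare numerically.
    Assumption: dotted numeric versions only; a real feed needs a
    full semver / package-URL aware comparator."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected if introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


@dataclass
class Finding:
    advisory_id: str
    component: str
    version: str
    severity: str
    fixed_in: Optional[str]


def validate_sbom(sbom: dict) -> List[str]:
    """A component without a version or purl cannot be matched reliably,
    so the gap itself is recorded for the technical file."""
    gaps = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            gaps.append(f"{name}: missing version")
        if not comp.get("purl"):
            gaps.append(f"{name}: missing purl (package URL)")
    return gaps


def match_advisories(sbom: dict, advisories: list) -> List[Finding]:
    """Cross-check every SBOM component against every advisory for that
    component name; results are ordered by severity for triage."""
    findings = []
    for comp in sbom.get("components", []):
        if not comp.get("version"):
            continue  # unmatched; reported separately by validate_sbom()
        for adv in advisories:
            if adv["component"] != comp.get("name"):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append(Finding(adv["id"], comp["name"], comp["version"],
                                        adv["severity"], adv["fixed"]))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 99))
    return findings


def build_report(sbom_json: str, advisories: list) -> dict:
    """Produce the record a monitoring run would archive: what was checked,
    what is affected, and which SBOM gaps block a reliable answer."""
    sbom = json.loads(sbom_json)
    product = sbom["metadata"]["component"]
    findings = match_advisories(sbom, advisories)
    gaps = validate_sbom(sbom)
    return {
        "product": f'{product["name"]} {product["version"]}',
        "findings": [asdict(f) for f in findings],
        "sbom_gaps": gaps,
        "action_required": bool(findings or gaps),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SBOM_JSON, ADVISORIES), indent=2))
```

Run against the constructed data, the report lists two affected components (the `critical` one with no fix available first, then the `high` one with a fixed release to update to), clears `jsonparse-example` because its version equals the fixed version, and flags the component that lacks a package URL as an SBOM quality gap. In a pipeline, the same check would run on every build and on a schedule against a live feed, and the archived reports are the evidence that monitoring actually took place.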
Need help implementing the CRA without drowning in complexity?
If you’re an SME navigating CRA for the first time, you don’t need to go it alone. I offer CRA-focused consulting services tailored to small and mid-sized tech companies—whether you're building connected devices, software platforms, or embedded systems.
Let’s clarify your obligations, optimize your compliance processes, and save your team time and risk.
➡️ Explore my services at Cyber Resilience Consulting (peterschoo.de) for custom checklists, technical coaching, risk analysis templates, and similar.