Summary
- ENISA surveyed SMEs on awareness and understanding of the Cyber Resilience Act during February and March 2026.
- The report will inform guidance, tools, and support for smaller organisations implementing CRA obligations.
- Smaller suppliers may struggle to evidence secure development, vulnerability handling, and product lifecycle security without proportionate guidance.
ENISA has published survey findings on how small and medium-sized enterprises understand the EU Cyber Resilience Act, placing the practical readiness of smaller suppliers inside Europe’s product security agenda.
The European Union Agency for Cybersecurity says the survey was conducted in February and March 2026 to assess SME familiarity with the CRA, their understanding of practical requirements, and the support they need. ENISA says the findings will help shape guidance, tools, and support activities tailored to smaller organisations.
The CRA introduces cybersecurity requirements for products with digital elements placed on the EU market. Its reach extends across software, connected devices, embedded systems, and other digital products, making it one of Europe’s most consequential product security regimes for suppliers inside and outside the bloc.
SME readiness will influence whether the regime improves security at scale. Large technology vendors may have product security teams, legal support, vulnerability disclosure processes, secure development tooling, and compliance staff. Smaller manufacturers, developers, component suppliers, and specialist software providers often have less internal capacity while still sitting deep inside enterprise and public-sector supply chains.
Product security obligations require evidence. Suppliers will need to show how vulnerabilities are handled, how software components are tracked, how updates are delivered, how risks are documented, and how security is maintained across a product lifecycle. Where smaller suppliers cannot produce that evidence, procurement, due diligence, and market access may become harder.
The CRA also intersects with wider regulatory pressure. NIS2 raises expectations for essential and important entities across Europe, while DORA sets operational resilience duties in financial services. Enterprise buyers are already asking more detailed questions about software bills of materials, vulnerability response, secure by design practices, supplier assurance, and incident reporting.
Weakness in a small component maker, library maintainer, industrial device vendor, or specialist software supplier can propagate into much larger estates. The CRA tries to move security earlier in the lifecycle, but smaller suppliers will need templates, tooling, and proportionate guidance if compliance is to improve controls rather than simply expand paperwork.
Publication of legal duties does not automatically create operational capability. Secure product development depends on process, skills, tooling, testing, update management, and customer communication. SMEs will need to understand not only what the law requires, but what evidence buyers, regulators, and notified bodies are likely to expect.
Practical guidance will need to turn legal concepts into repeatable operating steps: how vulnerability handling should be documented, what records should be retained, how software components should be tracked, and how customers should be informed when risk changes. Europe’s product security regime will be shaped as much by implementation capacity in smaller suppliers as by enforcement against the largest vendors.





