Summary
The EU Cyber Resilience Act (CRA) introduces specific provisions and measures to support microenterprises and small and medium-sized enterprises (SMEs) in complying with its requirements. These measures aim to alleviate the administrative and financial burdens typically faced by smaller entities while ensuring they maintain adequate cybersecurity standards.
Relevant CRA Provisions
- Recitals: Recital 5, Recital 6, Recital 93, Recital 94, Recital 96, Recital 127, Recital 128
- Articles: Article 33
Detailed Explanation
The CRA acknowledges the unique challenges faced by SMEs, including microenterprises and start-ups, in implementing robust cybersecurity measures. To address these challenges, the Regulation provides several tailored support mechanisms. Member States are encouraged to organize awareness-raising and training activities, establish dedicated communication channels, and support testing and conformity assessment activities for these enterprises. Additionally, the CRA allows for the establishment of cyber resilience regulatory sandboxes, which provide controlled environments for testing innovative products. The Commission is tasked with providing guidance and advertising financial support available under existing Union programmes to ease the financial burden on SMEs. Furthermore, SMEs are permitted to use a simplified technical documentation format for conformity assessment, reducing administrative costs without compromising cybersecurity standards.
Obligations for Stakeholders
Manufacturers, Distributors, Importers, and Open Source Software Stewards: SMEs in these categories must comply with the CRA’s cybersecurity requirements. However, they benefit from simplified technical documentation, dedicated support channels, and potential financial assistance. They are encouraged to utilize regulatory sandboxes for testing and should take advantage of the guidance provided by the Commission to ensure compliance. Conformity assessment bodies are required to consider the specific interests and needs of SMEs when setting fees, applying a risk-based approach where appropriate.