Summary

The EU Cyber Resilience Act (CRA) includes specific provisions and support mechanisms to assist microenterprises and small and medium-sized enterprises (SMEs), including start-ups, in complying with its requirements. These measures aim to reduce administrative burdens and provide tailored support to ensure these entities can effectively meet the cybersecurity standards set by the CRA without undue financial strain.

Relevant CRA Provisions

Recitals: Recital 5, Recital 6, Recital 13, Recital 93, Recital 94, Recital 96, Recital 127, Recital 128

Articles: Article 26, Article 33

Detailed Explanation

The CRA acknowledges the particular challenges that microenterprises and SMEs face in implementing stringent cybersecurity measures. To address them, the Regulation directs Member States and the Commission to take specific support actions: awareness-raising and training activities, dedicated communication channels, support for testing and conformity assessment, and the possible establishment of cyber resilience regulatory sandboxes. These sandboxes provide controlled environments in which innovative products with digital elements can be tested and validated for compliance with the CRA before they are placed on the market. In addition, the Commission is required to publish guidance tailored to SMEs, to publicise the financial support available under Union programmes, and to specify a simplified technical documentation format that reduces administrative costs. Conformity assessment bodies are also encouraged to take the specific needs of SMEs into account when setting their fees, applying a risk-based approach.

Obligations for Stakeholders

  • Manufacturers, Distributors, Importers: SMEs must comply with the essential cybersecurity requirements of the CRA. They are encouraged to use the simplified technical documentation format and can benefit from the guidance and support measures provided by Member States and the Commission.
  • Open Source Software Stewards: SMEs involved in open source software development should pay particular attention to the guidance provided by the Commission on remote data processing and on free and open-source software, as outlined in Recital 6 and Article 26.