Summary

The Cyber Resilience Act (CRA) introduces specific provisions and support measures to mitigate its impact on small and medium-sized enterprises (SMEs), including microenterprises and start-ups, so that they can comply effectively with the new cybersecurity requirements without disproportionate burdens.

Relevant CRA Provisions

Recitals: Recital 5, Recital 17, Recital 6, Recital 93, Recital 94, Recital 96, Recital 127, Recital 128

Articles: Article 33

Detailed Explanation

The CRA acknowledges the unique challenges faced by SMEs in implementing stringent cybersecurity measures. To address these challenges, the Regulation provides tailored support and simplified procedures. Member States are encouraged to organize awareness-raising and training activities, establish dedicated communication channels, and support testing and conformity assessment activities for SMEs. Additionally, the establishment of cyber resilience regulatory sandboxes is proposed to allow SMEs to test innovative products in a controlled environment. The Commission is tasked with providing guidance and advertising financial support available under existing Union programmes to ease the financial burden on SMEs. Furthermore, SMEs are permitted to use a simplified format for technical documentation, reducing administrative costs while maintaining cybersecurity standards.

Obligations for Stakeholders

  • Manufacturers, Distributors, Importers: SMEs in these categories must comply with the CRA’s cybersecurity requirements. However, they benefit from simplified technical documentation and potential financial support to ease compliance costs.
  • Open Source Software Stewards: SMEs involved in open source software development should take note of the CRA’s provisions that consider the nature of open source development models, aiming to foster innovation while ensuring cybersecurity.
  • Member States: Required to provide tailored support to SMEs, including awareness-raising activities, dedicated communication channels, and potentially establishing regulatory sandboxes. They must also ensure open, fair, and transparent access to these support measures.
  • Commission: Obligated to provide guidance for SMEs on implementing the CRA, advertise financial support opportunities, and specify a simplified technical documentation form for SMEs.