Summary

The EU Cyber Resilience Act (CRA) provides specific support measures and resources tailored to help small and medium-sized enterprises (SMEs), including microenterprises and start-ups, comply with its provisions. These measures aim to reduce the compliance burden and facilitate the implementation of the Regulation.

Relevant CRA Provisions

• Recitals (6), (127), (128), (93), (94), (95), (96)
• Articles 26, 33

Detailed Explanation

The CRA acknowledges the unique challenges faced by SMEs in complying with its requirements and therefore provides several support mechanisms. These include guidance from the Commission, financial support through Union programmes, and technical assistance from entities like the European Cybersecurity Competence Centre. Member States are encouraged to establish dedicated communication channels, organise training activities, and set up regulatory sandboxes to facilitate testing and development of compliant products. Additionally, SMEs can use a simplified technical documentation format to reduce administrative costs while maintaining cybersecurity standards.

Obligations for Stakeholders

Member States: Should provide tailored support to SMEs, including awareness-raising activities, dedicated communication channels, and regulatory sandboxes. They should also ensure the availability of notified bodies and consider the specific needs of SMEs in conformity assessment fees.

Commission: Must publish guidance to assist SMEs in applying the Regulation, focusing on areas like the scope of the Regulation, support periods, and substantial modifications. The Commission should also advertise available financial support and specify a simplified technical documentation form for SMEs.

SMEs: Are encouraged to utilise the available support measures, including guidance, financial aid, and simplified documentation formats, to facilitate their compliance with the CRA.