Understand the Cyber Resilience Act

About

The Cyber Resilience Act aims to improve the cybersecurity of products with digital elements. For SMEs, this can create new responsibilities around secure development, documentation, vulnerability handling, and customer communication. CRA-COMP explains these requirements in accessible language and helps SMEs take practical first steps.

Why was the CRA created?

Products with digital elements are now part of everyday business and society. When these products are insecure, vulnerabilities can affect customers, supply chains, public services, and markets. The CRA supports a more secure digital economy by strengthening cybersecurity expectations for products with digital elements. It was created to establish a uniform legal framework that forces manufacturers to reduce vulnerabilities throughout a product's lifecycle and that improves transparency so users can make informed, secure buying choices. For SMEs, this means cybersecurity should not be treated as a final technical add-on. It should become part of product planning, development, documentation, updates, and customer communication.

What does the CRA mean for SMEs?

For SMEs, the CRA may require a clearer understanding of:

  • Whether a product is affected.
  • Which role the organisation plays.
  • What security risks exist.
  • What technical and organisational measures are needed.
  • How vulnerabilities are handled.
  • What documentation should be prepared.
  • What customers need to know.
  • How compliance efforts can be maintained over time.

What does the CRA mean for SMEs?

1. What is the CRA?

The Cyber Resilience Act is a European regulation focused on cybersecurity requirements for products with digital elements.

2. Am I affected?

You may be affected if your organisation develops, manufactures, imports, distributes, integrates, or sells products with digital elements.

3. How strongly am I affected?

The answer depends on your organisation's role, product type, product criticality, supply-chain position, and customer context.

4. What do I need to do?

SMEs should begin by understanding their product, identifying risks, documenting cybersecurity decisions, preparing customer information, and setting up vulnerability handling processes.

5. How do I communicate this to customers?

Customers need clear, understandable information about security features, updates, responsibilities, support periods, and residual risks.

The CRA-Comp Project

Project Description:

CRA-COMP supports small and medium-sized enterprises in understanding the Cyber Resilience Act and taking practical steps toward cyber resilience. The platform provides simple guidance, awareness materials, documentation templates, training resources, and customer communication tools designed for SMEs with limited time, staff, and cybersecurity resources.

Objectives:

CRA-Comp aims to help SMEs:

  • Understand what the Cyber Resilience Act is.
  • Identify whether they are affected.
  • Understand the level of responsibility connected to their digital element products.
  • Apply practical cybersecurity measures.
  • Prepare useful documentation.
  • Communicate clearly with customers.
  • Strengthen their cyber resilience with limited resources.
  • Participate in a broader European support network.

Project Handbook:

This project handbook is a practical coordination document. It helps the project team plan, create, validate, publish, and sustain CRA-COMP outputs. It is not legal advice, certification guidance, or a substitute for formal conformity assessment.