Be Aware. Understand. Comply

SME Toolkit

The CRA-COMP SME Toolkit provides practical resources for organisations that need simple, usable support for Cyber Resilience Act (CRA) compliance. These tools are designed specifically for resource-constrained SMEs to build secure products and provide mandatory regulatory transparency.

1. Awareness & Training Materials

Resources to educate your workforce and engineering teams on CRA obligations without requiring an advanced cybersecurity background.

  • Cybersecurity Awareness Guide: A foundational text translating legal requirements into simple, daily habits for all SME employees.
  • Low-Threshold Cyber Resilience Training: A guide that simplifies regulatory requirements into actionable steps, with matching checklists for easy implementation and a dedicated importer/distributor compliance checklist. It covers the necessary obligations for manufacturers, distributors and importers to meet CRA standards.

2. Internal Process & Compliance Templates

The core paperwork required to satisfy EU auditors and structure your mandatory technical compliance folder.

  • Cybersecurity Risk Assessment Matrix: A lightweight spreadsheet template to identify threats and document design-phase security decisions.
  • Vulnerability & Incident Escalation Protocol: An internal step-by-step checklist detailing how to identify, track, and report severe vulnerabilities to ENISA to avoid fines.
  • Simplified Technical Documentation Index: A table-of-contents checklist to organize your mandatory compliance file (including verifying the location/URL of your generated SBOM).
  • EU Declaration of Conformity: The standardized legal form where the SME officially assumes responsibility for compliance to apply the CE marking.

3. Customer-Facing Transparency Template

Ready-to-use templates that strictly fulfill CRA Annex II mandates, allowing buyers to make informed, risk-based choices.

  • Product Security Manual: Clear user instructions detailing secure setup, configuration, and how to manage or disable automatic updates.
  • Cybersecurity Factsheet: A transparency document provided at purchase detailing product identity, security posture, data processing/privacy footprints, and known residual risks.
  • Support Period Policy: A public statement template declaring the product’s guaranteed security patch duration (minimum 5 years), end-of-support dates, and product retirement instructions.
  • Vulnerability Disclosure Policy (VDP): A public-facing website policy template outlining how external security researchers can safely and legally report bugs to your company.