SMEs

SMEs should pay particular attention to the Cyber Resilience Act (CRA): it sets the mandatory security requirements their products must meet, and meeting them is a condition for placing products on the EU market and for staying competitive there.

The Cyber Resilience Act (CRA) is Europe's flagship legislation on the cybersecurity of products with digital elements.
It was introduced to address the growing risk posed by cybersecurity threats and to ensure that digital products sold on the European market are secure and resilient throughout their lifecycle.

For the first time, the European Union is mandating a minimum level of cybersecurity for these products.
It can be understood as the cybersecurity extension of CE marking: products that comply carry the CE mark, just as they do today for safety.

Before placing a product on the European market, manufacturers will have to demonstrate that it meets the required level of cybersecurity, and they will have to keep handling vulnerabilities and delivering security updates for as long as the product is supported.

LEARN MORE

  • What Products are affected by the Cyber Resilience Act?
  • How do companies demonstrate compliance with the CRA?
  • What should SMEs do?
  • CYBERSTAND financial and technical incentives to help SMEs learn about the CRA and ensure compliance
  • Challenges faced by SMEs and how the project helps

What Products are affected by the Cyber Resilience Act?

Products covered by the CRA include hardware and software with a digital element that can be connected to a device or network, for example:

  • IoT products: wearables, smart home devices, and smart appliances.
  • Computing devices: servers and related equipment.
  • Networking equipment: routers, modems, and switches.
  • Software: operating systems, mobile and desktop applications, enterprise software such as CRMs, cloud-based business solutions, and security software such as firewalls, VPNs, and password managers.
  • Remote data processing solutions: cloud components that a manufacturer designs as part of its product and without which the product cannot perform one of its functions. Standalone cloud services that are not tied to a product are generally outside the CRA and fall under NIS2 instead.

This list is not exhaustive, and we will add to it as more clarity is provided.
For SMEs this is particularly relevant because non-compliance could mean losing access to the European market, so it is essential to understand and prepare for these requirements now.

How do companies demonstrate compliance with the CRA?

The conformity assessment route depends on how the product is classified.

  • Default (lower-risk) products: the manufacturer can self-assess conformity against the essential requirements (internal control), documenting the assessment in the technical file.
  • Important and critical products: the Regulation lists these in its annexes and subjects them to stricter conformity assessment, up to mandatory third-party assessment by a notified body or certification under a European cybersecurity certification scheme.

The lists of important and critical products sit in the Regulation's annexes, and the European Commission can update them by delegated act as the threat landscape changes.


What should SMEs do?

SMEs should first determine whether their product falls within the scope of the CRA and, if so, which risk class it belongs to, since that decides the conformity assessment route.

Next, they need to understand the essential security and vulnerability-handling requirements, map them to their development and support processes, and make sure they can evidence compliance.
Cyberstand is a valuable resource for learning more about the CRA and understanding how to comply.

CYBERSTAND financial and technical incentives to help SMEs learn about the CRA and ensure compliance

Cyberstand partners are collaborating closely with the European Commission to support the implementation of the CRA by providing technical expertise, supporting the development of harmonised standards, and helping companies understand the compliance requirements. This involves two key activities:

  • Companies with technical expertise can apply for funding through a Specific Service Procedure grant to work with the European Standardisation Organisations on creating or adapting standards that match the cybersecurity measures set out in the CRA.
  • Cyberstand is also forming CRA Working Groups (CRAWGs) where members can discuss challenges and receive support. Participation offers the opportunity to engage directly with policymakers and to contribute to shaping how the CRA is implemented.

Challenges faced by SMEs and how the project helps

SMEs often struggle to adopt cybersecurity standards because of their complexity and the resources they require. For example, working out which specific standards are relevant and applying them without dedicated cybersecurity staff can be overwhelming for smaller companies, which then have to look externally for the expertise to apply them.

Many standards are written as "one-size-fits-all", covering scenarios that may not apply to SMEs, which makes them difficult to implement. So before SMEs can even begin to apply controls or security processes, they first have to analyse which requirements actually apply to them.

Cyberstand aims to address this by involving more SMEs in the standards creation process to ensure that the resulting standards are more appropriate and easier for SMEs to adopt.