EU Cybersecurity Survey Finds SMEs Aware of Cyber Resilience Act but Ill-Prepared for Its Demands
Key Takeaways
- Awareness Has Outpaced Readiness: Although 66% of respondents had heard of the Cyber Resilience Act, many still lacked a practical understanding of its requirements.
- Company Size Shapes Cyber Maturity: Medium-sized companies scored about one point higher than microcompanies across all five domains assessed.
- Product Life-Cycle Practices Remain Weak: Incident response and product life-cycle management emerged as the weakest area overall, particularly among micro-companies.
- SMEs Want Practical Assistance: More than 70% of respondents requested technical-documentation templates, while more than 70% also sought secure-development templates.
- Financial Constraints Could Slow Preparation: Of the 194 organizations surveyed, 142 highlighted the need for financial support.
Deep Dive
Nearly two-thirds of the small and medium-sized businesses surveyed by the European Union’s cybersecurity agency had heard of the Cyber Resilience Act. Knowing that a law exists, however, is not the same as knowing what to do about it.
That distance between recognition and readiness runs through the findings released July 13 by the EU Agency for Cybersecurity, or ENISA. Smaller companies understand that the CRA is coming, but many still lack the resources, expertise and practical tools needed to translate its requirements into the daily work of building and maintaining secure products.
ENISA is trying to shorten that distance with a new Cyber Resilience Maturity Assessment Model, developed as part of the European Commission’s cybersecurity strategy for micro, small and medium-sized enterprises. The model gives companies a structured way to assess their current practices, identify weaknesses and improve their cyber resilience with the CRA in view.
The stakes extend well beyond the companies being assessed. SMEs occupy a large part of the EU’s digital ecosystem, and the success of the CRA will depend in no small measure on businesses that have neither the compliance departments of large manufacturers nor the luxury of assigning a team to every new regulatory demand. For a micro-company, the person deciphering the law may also be writing code, managing suppliers and answering the phone.
The model is intended primarily for companies that manufacture and place products with digital elements on the market, making them directly subject to the CRA. It can also be used by integrators, service providers and other businesses involved in the product life cycle that want to examine their own product-security practices.
ENISA’s framework looks across five areas: governance and documentation; risk management and security by design and by default; vulnerability and patch management; product life-cycle management; and awareness, competence and skills. Each domain contains five maturity criteria based on practices expected under the CRA and established approaches to product security.
Companies are assessed at one of three levels (basic, intermediate or advanced) according to how consistently they manage product-related risks. A downloadable Excel tool walks users through the assessment, calculates their scores and allows them to measure progress through repeated self-checks.
The simplicity is deliberate. Smaller businesses rarely suffer from a shortage of frameworks telling them what good security looks like. Their difficulty lies in turning those expectations into work that can be assigned, documented and repeated with the people and money they already have.
ENISA is careful about what the assessment can prove. An advanced maturity rating does not replace any legal obligation under the CRA, nor should it be treated as evidence of compliance. The model is a means of organizing improvement, not a certificate that the work is finished.
Awareness Has Outpaced Readiness
The need for that distinction becomes clearer in ENISA’s accompanying survey. Conducted in February and March 2026, it examined awareness of the CRA, understanding of its requirements, existing cybersecurity practices, internal responsibilities and the obstacles companies expect to encounter as they prepare for compliance. It also asked businesses what forms of support would help them most and established a baseline for product-security maturity.
The survey received responses from 194 organizations across 31 countries, including 25 EU member states. The sample covered micro-companies, small companies and medium-sized companies under the European Commission’s definition of an SME.
Of those respondents, 66% had heard of the CRA before taking part in the survey. The results nonetheless showed that practical understanding remains uneven. The name of the regulation has traveled farther than the knowledge required to implement it.
Company size was the most consistent dividing line. Across each of the five domains examined, medium-sized businesses scored approximately one point higher than microcompanies on average. The difference is unsurprising, but its consistency matters. The CRA may establish common expectations for product security, yet businesses will arrive at those expectations with profoundly different capacities to meet them.
Incident response and product life-cycle management formed the weakest area overall, particularly among micro-companies. These are not peripheral shortcomings. Product security does not end when a device or piece of software reaches the market. Vulnerabilities emerge, patches become necessary and incidents force companies to demonstrate whether their security processes can survive contact with an actual problem.
The support companies requested was notably practical. More than 70% of respondents asked for technical-documentation templates, and more than 70% also wanted secure-development templates. They were not asking for another broad account of why cybersecurity matters. They wanted to know what the paperwork should contain and how secure development should be recorded.
Some constraints are less amenable to good formatting. Of the 194 organizations surveyed, 142 underscored the need for financial support as they confronted the costs, staffing demands and time pressures associated with implementation. For the smallest companies, compliance work does not merely compete for budget. It competes with the ordinary business of keeping the company alive.
ENISA also found that SMEs do not rely on a single source for information about the CRA. Any outreach capable of reaching them will therefore have to move across different formats and platforms rather than assume that one official channel will carry the message to every manufacturer, integrator and service provider affected.
The agency’s recommendations follow the weaknesses the survey exposed. They call for more support with documentation and conformity assessment, including technical-documentation templates, as well as help with incident response and product life-cycle management. ENISA also identified a need for financial assistance and measures designed specifically for micro-companies, whose difficulties are not simply smaller versions of those faced by larger businesses.
The maturity model gives these companies a way to see where they stand. The survey supplies the less comfortable part of the picture, which is that many now know that the Cyber Resilience Act concerns them, but they do not yet have everything required to answer it. Awareness was the first threshold. Capacity will be the harder one.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

