Cyber Resilience Act

ENISA's First SME CRA Survey: High Awareness, Low Readiness

On 24 June 2026, ENISA published its first survey of how small and medium-sized enterprises are preparing for the Cyber Resilience Act. This article breaks down what it found: broad awareness but weak implementation, a large gap on the software bill of materials, shaky incident response, and why the smallest firms have the furthest to go before the 11 September 2026 reporting deadline.

By the NormScout Compliance Team · Updated July 2026 · 7 min read

Reviewed against the official EUR-Lex texts.

← Back to Blog

On 24 June 2026, ENISA published its first survey of how small and medium-sized enterprises are preparing for the Cyber Resilience Act. The short version: most SMEs know the CRA is coming, but far fewer are in a position to comply with it. That gap matters now, because the first binding obligation, the mandatory reporting of actively exploited vulnerabilities, starts on 11 September 2026, with the full requirements following on 11 December 2027.

The headline number: only about 35 percent of the SMEs surveyed (67 of 194) use a software bill of materials, one of the CRA's core building blocks. Awareness of the regulation is high. The practical groundwork is not.

What did ENISA's SME CRA survey measure?

ENISA ran the survey in February and March 2026 and collected responses from 194 organisations across 31 countries. Rather than reduce readiness to a single pass-or-fail figure, it scored maturity across five domains, covering awareness of the regulation, understanding of its practical requirements, current cybersecurity practice, and the obstacles SMEs expect on the way to compliance. A companion report on software bill of materials adoption, published on 9 June 2026, looks at the same transparency problem from the supply-chain side.

Why the high awareness figure needs a caveat

Awareness scored well, but the way the data was collected flatters it. Taking part was voluntary, so the sample is drawn from exactly the SMEs that already follow regulatory developments closely enough to answer an ENISA questionnaire about the CRA. Firms that have not registered the regulation at all are unlikely to show up in the results. Read that way, the survey is closer to a best-case picture of the market than a representative one, and the true level of readiness across all EU SMEs is probably lower than the report's own figures suggest. Even within this engaged group, the recurring theme is that understanding has not turned into the outputs the CRA asks for: documented risk assessments, a technical file, and a working process for handling vulnerabilities.

Where are SMEs least ready?

Two capabilities stand out as the widest gaps between current practice and what the regulation expects: threat modelling and the software bill of materials. An SBOM is the inventory that lets a manufacturer track third-party and open-source components and match them against known vulnerabilities, which is why the essential requirements in Annex I effectively require one, yet only around a third of respondents keep one today. ENISA also singled out incident response as one of the weakest areas, and that is the one with a clock attached. The 24-hour early-warning duty that begins on 11 September 2026 assumes a company can already detect, triage and escalate an exploited vulnerability at speed. An SME with an immature incident process is precisely the one that will miss that window.

Why does company size predict readiness?

Size was the clearest signal in the data. Medium-sized firms scored roughly a point higher than micro-enterprises across all five maturity domains, which fits the obvious explanation that more headcount and budget buy more capacity. The uncomfortable corollary is that the least prepared organisations are the smallest ones, and they are also the least able to fund the work of getting ready. ENISA has said its follow-up guidance and tooling will be aimed specifically at smaller organisations for this reason.

What CRA machinery is still missing in mid-2026?

SMEs preparing today are building against moving parts. The Single Reporting Platform that manufacturers will use to file their Article 14 notifications is not yet live, and ENISA expects it to be operational by the 11 September 2026 deadline. And no CRA harmonised standard has yet been cited in the Official Journal, so the presumption of conformity that comes from building to a harmonised standard is not available for any product category. In practice, the earliest movers are documenting compliance before both the reporting tool and the standards they can point to are finalised.

What should an SME do now?

The priorities follow straight from the weakest areas ENISA found. Three are worth starting immediately.

  • Produce a software bill of materials. Even a basic, machine-readable list of top-level dependencies, screened against known-vulnerability databases, is the foundation for everything else in vulnerability handling.
  • Stand up an incident-response process that can meet the CRA's reporting rhythm: an early warning within 24 hours, a fuller notification within 72 hours, and a final report within 14 days. Incident response is the capability most likely to break under a real deadline.
  • Start the technical documentation now. The technical file is the same work whether a product self-assesses or later goes through a notified body, so there is no reason to wait for the standards to land.
DateWhat applies
December 2024CRA enters into force
11 September 2026Vulnerability- and incident-reporting duties apply
11 December 2027Essential requirements and CE marking apply in full

Where NormScout fits

Most of the CRA workload for an SME comes down to a few concrete outputs: knowing whether a product is in scope and in which class, generating and screening an SBOM, and mapping each obligation to the article it comes from so nothing is missed. NormScout works through the scoping and classification, checks the product against the CRA requirements, and lays out the gaps with their article references. Run the free assessment to see where your product stands, or read our practical CRA guide for the full set of obligations.

Frequently asked questions

What did ENISA's first SME CRA survey find?

That awareness of the Cyber Resilience Act is high among SMEs but readiness is low. Based on 194 organisations across 31 countries, surveyed in February and March 2026, ENISA found most respondents know the regulation is coming yet lack the documentation, processes and cybersecurity governance to comply. The biggest practical gaps were the software bill of materials, threat modelling and incident response.

How many SMEs use a software bill of materials (SBOM)?

In ENISA's survey, only about 35 percent of respondents (67 of 194) reported using an SBOM, despite its central role in tracking third-party and open-source components against known vulnerabilities. An SBOM underpins the vulnerability-handling duties the CRA sets out in Annex I, so it is a natural first step for SMEs that do not yet keep one.

When does the CRA vulnerability-reporting duty start?

The obligation to report actively exploited vulnerabilities and severe incidents applies from 11 September 2026, with an early warning due within 24 hours. The full set of CRA requirements, including the essential requirements and CE marking, applies from 11 December 2027.

Why are smaller companies less ready for the CRA?

Company size was the clearest predictor of maturity in ENISA's survey. Medium-sized firms scored around a point higher than micro-enterprises across all five maturity domains, reflecting greater staff and budget. The least prepared organisations are therefore the smallest ones, which are also least able to absorb the cost of compliance. ENISA has said its follow-up guidance will be tailored to smaller organisations.

Is the CRA Single Reporting Platform available yet?

Not as of mid-2026. ENISA's Single Reporting Platform, which manufacturers will use for their Article 14 notifications, is not yet operational and is scheduled to be live by the 11 September 2026 deadline. In addition, no CRA harmonised standard has yet been cited in the Official Journal, so the presumption of conformity from building to a harmonised standard is not available for any product category.

Sources & references

  1. ENISA, SME Cyber Resilience Act Survey Report (24 June 2026)
  2. ENISA, SME CRA Survey Report (full PDF)
  3. ENISA, SBOM Adoption State of Play 2026 (9 June 2026)
  4. ENISA, Single Reporting Platform (SRP)
  5. Regulation (EU) 2024/2847, Cyber Resilience Act (full text, EUR-Lex)

This guide draws on the official regulation texts and European Commission guidance linked above. It is general information, not legal advice.