On 24 June 2026, ENISA published its first survey of how small and medium-sized enterprises are preparing for the Cyber Resilience Act. The short version: most SMEs know the CRA is coming, but far fewer are in a position to comply with it. That gap matters now, because the first binding obligation, the mandatory reporting of actively exploited vulnerabilities, starts on 11 September 2026, with the full requirements following on 11 December 2027.
What did ENISA's SME CRA survey measure?
ENISA ran the survey in February and March 2026 and collected responses from 194 organisations across 31 countries. Rather than reduce readiness to a single pass-or-fail figure, it scored maturity across five domains, covering awareness of the regulation, understanding of its practical requirements, current cybersecurity practice, and the obstacles SMEs expect on the way to compliance. A companion report on software bill of materials adoption, published on 9 June 2026, looks at the same transparency problem from the supply-chain side.
Why the high awareness figure needs a caveat
Awareness scored well, but the way the data was collected flatters it. Taking part was voluntary, so the sample is drawn from exactly the SMEs that already follow regulatory developments closely enough to answer an ENISA questionnaire about the CRA. Firms that have not registered the regulation at all are unlikely to show up in the results. Read that way, the survey is closer to a best-case picture of the market than a representative one, and the true level of readiness across all EU SMEs is probably lower than the report's own figures suggest. Even within this engaged group, the recurring theme is that understanding has not turned into the outputs the CRA asks for: documented risk assessments, a technical file, and a working process for handling vulnerabilities.
Where are SMEs least ready?
Two capabilities stand out as the widest gaps between current practice and what the regulation expects: threat modelling and the software bill of materials. An SBOM is the inventory that lets a manufacturer track third-party and open-source components and match them against known vulnerabilities, which is why the essential requirements in Annex I effectively require one, yet only around a third of respondents keep one today. ENISA also singled out incident response as one of the weakest areas, and that is the one with a clock attached. The 24-hour early-warning duty that begins on 11 September 2026 assumes a company can already detect, triage and escalate an exploited vulnerability at speed. An SME with an immature incident process is precisely the one that will miss that window.
Why does company size predict readiness?
Size was the clearest signal in the data. Medium-sized firms scored roughly a point higher than micro-enterprises across all five maturity domains, which fits the obvious explanation that more headcount and budget buy more capacity. The uncomfortable corollary is that the least prepared organisations are the smallest ones, and they are also the least able to fund the work of getting ready. ENISA has said its follow-up guidance and tooling will be aimed specifically at smaller organisations for this reason.
What CRA machinery is still missing in mid-2026?
SMEs preparing today are building against moving parts. The Single Reporting Platform that manufacturers will use to file their Article 14 notifications is not yet live, and ENISA expects it to be operational by the 11 September 2026 deadline. And no CRA harmonised standard has yet been cited in the Official Journal, so the presumption of conformity that comes from building to a harmonised standard is not available for any product category. In practice, the earliest movers are documenting compliance before both the reporting tool and the standards they can point to are finalised.
What should an SME do now?
The priorities follow straight from the weakest areas ENISA found. Three are worth starting immediately.
- Produce a software bill of materials. Even a basic, machine-readable list of top-level dependencies, screened against known-vulnerability databases, is the foundation for everything else in vulnerability handling.
- Stand up an incident-response process that can meet the CRA's reporting rhythm: an early warning within 24 hours, a fuller notification within 72 hours, and a final report within 14 days. Incident response is the capability most likely to break under a real deadline.
- Start the technical documentation now. The technical file is the same work whether a product self-assesses or later goes through a notified body, so there is no reason to wait for the standards to land.
| Date | What applies |
|---|---|
| December 2024 | CRA enters into force |
| 11 September 2026 | Vulnerability- and incident-reporting duties apply |
| 11 December 2027 | Essential requirements and CE marking apply in full |
Where NormScout fits
Most of the CRA workload for an SME comes down to a few concrete outputs: knowing whether a product is in scope and in which class, generating and screening an SBOM, and mapping each obligation to the article it comes from so nothing is missed. NormScout works through the scoping and classification, checks the product against the CRA requirements, and lays out the gaps with their article references. Run the free assessment to see where your product stands, or read our practical CRA guide for the full set of obligations.