The Cyber Resilience Act applies to every manufacturer that places hardware or software on the EU market, and most of those manufacturers are small. If you run a ten-person device company or a small software house, you face the same obligation areas as a multinational. The workload scales down considerably once you see the whole sequence, because most SME products sit in the regulation's default class and qualify for the lightest conformity route.
This guide walks through every CRA obligation in the order you will meet it, from the first scope check to the reporting duties that begin on 11 September 2026. For a deeper treatment of the reporting side, see our SME guide to CRA incident reporting obligations. For a realistic view of the effort involved, our PERT cost estimate for Article 14 readiness at an SME puts numbers on the work.
Start with the scope check
The CRA applies to products with digital elements. That covers hardware and software that can connect, directly or indirectly, to a device or a network, and that is made available on the EU market in the course of a commercial activity. Routers, sensors, industrial controllers, desktop software, mobile apps, and embedded firmware all fall inside. Pure SaaS offerings sit outside the regulation, although remote data processing that is integral to a product's function is treated as part of that product. Products already covered by sector frameworks, such as medical devices, motor vehicles, and civil aviation equipment, are excluded. Open-source software escapes the regulation only when it is supplied outside a commercial activity.
If your product is out of scope, document that conclusion and revisit it whenever the product changes. If it is in scope, the obligations below apply in full to products placed on the market from 11 December 2027, with the Article 14 reporting duties arriving earlier, on 11 September 2026.
Classify your product, then choose the conformity route
The regulation sorts products into three tiers, and the tier determines how much external scrutiny your conformity assessment needs.
- Default class. Every product that does not appear in Annex III or Annex IV. This is the large majority of products with digital elements, and it is where most SME products land.
- Important products (Annex III). Split into Class I, which includes products such as password managers, VPN products, and smart home devices with security functions, and Class II, which includes firewalls and hypervisors.
- Critical products (Annex IV). A short list including smart meter gateways and smartcards, carrying the heaviest assessment requirements.
For default-class products, Article 32 allows Module A, the internal control procedure. You carry out the assessment yourself, compile the evidence, draw up the EU declaration of conformity, and affix the CE marking. No notified body is involved, and no fees are paid to one. Annex III and Annex IV products need third-party involvement, and if your product appears on those lists you should engage a notified body early, because assessment timelines run to months.
Harmonised standards for the CRA are still in development. Once they are cited in the Official Journal of the European Union, applying them will give a presumption of conformity for the requirements they cover. Until that happens, your own risk assessment and testing evidence carry the demonstration.
The risk assessment and Annex I carry the technical weight
Article 13 requires a documented cybersecurity risk assessment before the product goes on the market, and the assessment must inform design, development, and production. An assessment written after the design is finished does not satisfy the obligation. For an SME the practical approach is a structured pass over the product. Identify the realistic threats, record the weaknesses that matter, describe the controls you have implemented, and justify any residual risk you accept. Keep the result in your technical file and update it when the product changes.
The requirements the product must meet live in Annex I, in two parts.
- Part I covers product properties. Ship without known exploitable vulnerabilities, use secure default settings, control access, protect data in transit and at rest, minimise the attack surface, log security-relevant events, and provide a secure update mechanism.
- Part II covers vulnerability handling. Maintain a coordinated vulnerability disclosure policy, remediate vulnerabilities without undue delay, publish information about fixed issues, and provide security updates free of charge throughout the support period.
Part I determines whether the product can carry the CE marking. Part II governs how you operate for years after the sale. Working through both parts requirement by requirement, with a short written justification for each, is the core of a Module A self-assessment.
Documentation, user information, and the declaration
Three deliverables turn the work above into evidence that a market surveillance authority can inspect.
- Technical documentation. Annex VII lists the contents. A product description, the risk assessment, a software bill of materials in a machine-readable format such as CycloneDX or SPDX, security test results, and the standards or specifications you applied. Retain it for ten years after the last unit is placed on the market. For the smallest manufacturers, Article 33 provides for a simplified technical documentation form to be established by the Commission, alongside Member State support measures such as awareness raising, training, and dedicated communication channels for SMEs. If documentation effort worries you, Article 33 is the part of the regulation written in your favour.
- User information. Annex II specifies what must accompany the product. Your identity and contact details, the contact point for vulnerability reports, the support period end date, instructions for secure configuration, and where users can find the declaration of conformity. For downloadable software this information travels with the installer and the product documentation.
- Declaration of conformity and CE marking. Annex V sets the required fields of the EU declaration of conformity, from product identification through the assessment module used to the signatory. Our declaration of conformity template follows the Annex V structure. With the declaration signed, you affix the CE marking. For software, the marking can appear on the website or in the accompanying documentation instead of on a physical label.
The duties that continue after the sale
The CRA follows the product through its supported life, so plan for the recurring work before launch.
- Support period. You must define a support period and disclose its end date. For most products this means at least five years, and vague commitments such as updates for as long as commercially viable do not meet the requirement. Security updates during this period are free of charge.
- Vulnerability handling in practice. Someone must watch the intake channel, monitor your components against new CVE disclosures, triage incoming reports, coordinate disclosure with researchers, and publish advisories when fixes ship. For a small team this is a defined role measured in hours per week, and it needs a named owner.
- Article 14 reporting from 11 September 2026. When you become aware that a vulnerability in your product is being actively exploited, or that a severe incident has an impact on the product's security, Article 14 requires an early warning within 24 hours, a full notification within 72 hours, and a final report within 14 days. Notifications go to the CSIRT designated as coordinator in your Member State and to ENISA through the single reporting platform. All three clocks run from the moment of awareness, so the escalation path from support inbox to filed notification must exist before the first incident.
Note the sequencing. The reporting duties bind you more than a year before the full conformity obligations do, which is why intake and escalation deserve first priority in an SME preparation plan.
What this means for small manufacturers
Treated as a single list, the CRA can look overwhelming. Treated as a sequence, it is manageable for a small team. Confirm scope, classify the product, and in most cases plan for Module A self-assessment. Run the risk assessment early enough to shape the design. Work through Annex I with written justifications, assemble the Annex VII technical file, prepare the Annex II user information, sign the declaration, and affix the CE marking. Then keep the post-market machinery running. A monitored disclosure channel, component monitoring against your SBOM, free security updates through the support period, and a rehearsed Article 14 escalation path.
Two dates anchor the plan. Reporting readiness by 11 September 2026, full conformity for products placed on the market from 11 December 2027. The penalties for missing the essential requirements reach 15 million euros or 2.5 percent of worldwide turnover, but for most SMEs the sharper risk is losing EU market access over paperwork that a few structured weeks of effort would have produced. Start with the scope check, keep the evidence as you go, and use the Article 33 support measures your Member State offers. The obligations are numerous, and each one is tractable on its own.