
Pricing the September 2026 Deadline: A PERT Cost Estimate for SME CRA Compliance

By The CVD Portal Team

TL;DR. For a typical EU SME manufacturer (20–50 FTE, one product line, no existing CVD programme), the expected cost of meeting the CRA Article 14 reporting deadline on 11 September 2026 is approximately €39,700, with a 90% confidence interval of roughly €33,900–€45,500. That covers ~60 person-days of internal effort, ~3 person-days of external legal review, and ~€3,800 in tooling. Variance is dominated by process design and threat-detection setup. These are the parts of the work that depend most on a manufacturer's starting maturity.

The deadline that's actually arriving in 2026

A lot of CRA coverage conflates two very different milestones. The 11 December 2027 deadline is the big one: full conformity, CE marking, Annex I essential requirements, the whole regulatory apparatus. The 11 September 2026 deadline is narrower, but it has teeth, and it lands first.

What's enforceable on 11 September 2026 is Article 14: the obligation to notify ENISA (via the designated national CSIRT) when an actively exploited vulnerability or a severe security incident is identified in a product with digital elements placed on the EU market. The three deadlines that bite are:

  • 24 hours. Early warning to the designated CSIRT (who relays to ENISA).
  • 72 hours. Full vulnerability or incident notification with technical detail.
  • 14 days. Final report for vulnerabilities, or 1 month for severe incidents.

It applies to products already on the market, not just new ones. If your product is still in its support lifecycle on 11 September 2026, you're on the hook. Fines for Article 14 violations can reach €10 million or 2% of global annual turnover, whichever is higher, although microenterprises and small enterprises are explicitly exempted from fines for missing the 24-hour early warning specifically (Recital 120), and market surveillance authorities must take SME status into account when calibrating any penalty (Article 47).

That last point matters for the cost estimate below: an SME isn't building Goldman-Sachs-grade compliance theatre. It's building a credible, proportionate process that can survive scrutiny.

Why PERT for this?

Compliance projects are estimation-resistant for two reasons. The work is inherently new (most SMEs are doing this for the first time), and the scope is interpretive (Article 14 says “without undue delay” alongside the 24-hour deadline, leaving room for argument about edge cases). Point estimates feel false. PERT (Program Evaluation and Review Technique) handles that by asking three honest questions about each task.

  • O, Optimistic. Best-case effort if everything aligns.
  • M, Most Likely. The modal outcome.
  • P, Pessimistic. Realistic worst case (not catastrophic, just bad).

The expected cost for each task is then:

E = (O + 4M + P) / 6

And the standard deviation is:

σ = (P − O) / 6

Expected costs add; under task-level independence, total variance is the sum of the individual variances and total σ is its square root. The result is a defensible mean estimate with a quantified uncertainty band, which is much more honest than a single number.

A caveat upfront: PERT's confidence intervals are well-calibrated only when task durations are roughly bell-shaped. Compliance tasks have ugly right tails (the regulator changes guidance; the legal advisor goes on holiday; a real incident lands mid-implementation). Treat the upper bound below as a planning floor, not a ceiling.

Work breakdown: what an SME actually has to build

The September 2026 deadline doesn't require a full coordinated vulnerability disclosure programme. But it does require enough infrastructure to detect, decide, and report (under pressure) within 24 hours. Working backwards from that operational requirement, the minimum viable scope is:

  1. Scoping and gap assessment. Confirm products in scope, identify what's missing.
  2. CVD/vulnerability disclosure policy. Drafted, reviewed, published (Article 13 baseline; pragmatically needed to receive reports at all).
  3. Intake mechanism. security.txt, contact channel, PGP or equivalent secure messaging.
  4. PSIRT / response process design. Designated roles, escalation, decision authority for “is this actively exploited?”
  5. Active-exploitation detection capability. Customer reporting channels, threat-intel monitoring, internal triggers.
  6. Article 14 notification templates and runbook. Pre-drafted submissions, decision tree, who-signs-what.
  7. CSIRT contact registry. Which national CSIRT, in which member state, with current contacts.
  8. Internal training and awareness. Engineering, support, exec on what triggers the clock.
  9. Tabletop exercise. One full simulation before go-live.
  10. Tooling (SaaS subscription). Audit trail, secure communication, notification workflow.
  11. External legal review. Counsel sign-off on policy and notification templates.
  12. Operational reserve. Capacity to actually run the process from 11 September through year-end.

PERT cost table

Internal blended rate €500/day; external legal/advisory €1,200/day. Tooling is direct cost.

 #  Task                                    O (€)    M (€)    P (€)    E (€)   σ (€)
 1  Scoping and gap assessment              2,340    5,460   10,920    5,850   1,430
 2  CVD policy drafting                     1,920    4,480    9,600    4,907   1,280
 3  Intake mechanism setup                  1,000    2,500    6,000    2,833     833
 4  PSIRT / process design                  1,500    4,000    9,000    4,417   1,250
 5  Active-exploitation detection           1,000    3,000    7,500    3,417   1,083
 6  Templates and runbook                   1,000    2,500    5,000    2,667     667
 7  CSIRT contact registry                    500    1,000    2,500    1,167     333
 8  Internal training                       1,000    2,000    4,000    2,167     500
 9  Tabletop exercise                         500    1,500    3,000    1,583     417
10  Tooling (SaaS, first year)              1,000    3,000   10,000    3,833   1,500
11  External legal review                   1,200    3,600    8,400    4,000   1,200
12  Operational reserve (Sept–Dec 2026)     1,000    2,500    6,000    2,833     833
    Totals                                 13,960   35,540   81,920   39,674   3,532

Total expected cost: €39,674. Aggregate σ: €3,532.

Using a normal-approximation 90% confidence interval (E ± 1.645σ): roughly €33,900–€45,500. The 95% interval (±1.96σ) widens to about €32,750–€46,600.
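The formulas above and the cost table, carried through in code so anyone can swap in their own O/M/P figures. This is an added example, not the post's own tooling; the task names and three-point values are copied from the table, and the `rho` parameter goes beyond the text by letting you relax the independence assumption with a uniform pairwise correlation between tasks.

```python
import math

# Three-point estimates (O, M, P) in euros for the twelve WBS tasks, copied from
# the article's PERT cost table (internal 500 EUR/day, external 1,200 EUR/day).
TASKS = [
    ("Scoping and gap assessment",     2340, 5460, 10920),
    ("CVD policy drafting",            1920, 4480,  9600),
    ("Intake mechanism setup",         1000, 2500,  6000),
    ("PSIRT / process design",         1500, 4000,  9000),
    ("Active-exploitation detection",  1000, 3000,  7500),
    ("Templates and runbook",          1000, 2500,  5000),
    ("CSIRT contact registry",          500, 1000,  2500),
    ("Internal training",              1000, 2000,  4000),
    ("Tabletop exercise",               500, 1500,  3000),
    ("Tooling (SaaS, first year)",     1000, 3000, 10000),
    ("External legal review",          1200, 3600,  8400),
    ("Operational reserve (Sept-Dec)", 1000, 2500,  6000),
]
Z = {0.90: 1.645, 0.95: 1.96}  # normal-approximation z-scores used in the article

def pert(o, m, p):
    """One task: E = (O + 4M + P)/6 and sigma = (P - O)/6."""
    if not o <= m <= p:
        raise ValueError("PERT requires O <= M <= P")
    return (o + 4 * m + p) / 6, (p - o) / 6

def aggregate(tasks, rho=0.0):
    """Total mean and sigma. rho is a uniform pairwise correlation between tasks:
    rho = 0 is the article's independence assumption (variances add),
    rho = 1 is the fully correlated case (sigmas add)."""
    means, sigmas = zip(*(pert(o, m, p) for _, o, m, p in tasks))
    var = (1 - rho) * sum(s * s for s in sigmas) + rho * sum(sigmas) ** 2
    return sum(means), math.sqrt(var)

def interval(mean, sigma, confidence=0.90):
    """Two-sided normal-approximation confidence interval as (lower, upper)."""
    z = Z[confidence]
    return mean - z * sigma, mean + z * sigma

def most_uncertain(tasks):
    """Name of the task with the largest sigma (the article singles out tooling)."""
    return max(tasks, key=lambda t: pert(*t[1:])[1])[0]

if __name__ == "__main__":
    for rho in (0.0, 0.3, 1.0):  # 0.3 is a constructed illustrative correlation
        e, s = aggregate(TASKS, rho)
        lo, hi = interval(e, s)
        print(f"rho={rho:.1f}: E={e:,.0f} sigma={s:,.0f} 90% CI={lo:,.0f}-{hi:,.0f}")
```

The unrounded total is €39,673.33; the table's €39,674 comes from summing the per-task E values after rounding each to the nearest euro.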

The single largest line is the upfront scoping and gap assessment, which makes sense. For an SME with no prior programme, this is where decisions get made that shape every downstream task. The most uncertain line item is tooling (σ = €1,500), reflecting the wide gap between adopting a freemium SaaS solution and a heavier commercial platform.

What the variance is hiding

The aggregate σ of €3,532 looks tight relative to the €39,674 mean. That's because the model assumes task independence. In reality, a single bad upstream decision propagates: if your gap assessment misclassifies a product as out-of-scope, you'll redo the policy, the templates, the training, and the tabletop. Correlation across tasks would widen the realistic upper bound by 30–50%.

A more honest planning number for SME boards is therefore: budget €40k for the expected case, hold €15–20k of contingency, and don't be surprised if the all-in lands closer to €55–60k once you account for staff opportunity cost on top of direct labour.

What moves the number

The biggest single lever is starting maturity. An SME that already has:

  • A security inbox and basic triage process. Cut ~€8k.
  • A SOC 2 or ISO 27001 programme. Cut ~€10k (most of the documentation exists).
  • An existing customer support function that can absorb intake. Cut ~€3k.

…can plausibly land below €25k. An SME starting from absolute zero, with multi-country distribution and no in-house security capability, will land north of €60k and should plan for that.

The second lever is build versus buy on tooling. A homegrown audit-trail and notification workflow built around shared inboxes and spreadsheets is technically possible and superficially cheap. It usually fails the first time it has to produce evidence under regulatory scrutiny, which is the only time it matters. SaaS tooling that's purpose-built for Article 14 (including the free tier of CVD Portal) is designed to do this exact job and removes Task 10 as a meaningful cost line.

The third lever is whether you're a manufacturer of one product or many. The estimate above assumes a single product line. Each additional product line in CRA scope adds roughly €2–4k to the marginal cost, mostly in templates, training, and the tabletop.

What this estimate deliberately excludes

To keep the scope honest, three categories are not in the €40k figure.

  • Annex I conformity work for the December 2027 deadline (SBOM generation, secure-by-design controls, technical file, CE marking). That's a separate, much larger budget, typically 3–5× this number for the same SME profile.
  • Notified body engagement for Important or Critical products under Annex III/IV. Not triggered by Article 14.
  • Incident response cost if you actually have to file an Article 14 notification. The cost of being ready is what's modelled here; the cost of running a real one is incident-specific and uncapped.

The proportionality dividend

One under-appreciated feature of the CRA for SMEs: the regulation explicitly mandates proportionate enforcement. Article 47 requires market surveillance authorities to take SME status into account; Recital 120 requires it again when calibrating fines; and microenterprises and small enterprises are exempted entirely from fines for the 24-hour early warning failure. The GDPR enforcement pattern (guidance and corrective action first, fines later for repeat offenders) is the realistic baseline.

This doesn't reduce the cost of being ready. It does mean the downside of being slightly imperfect is much lower than the headline €10m / 2% turnover number suggests. An SME that has visibly invested €40k in a credible Article 14 process, documented its decisions, and engaged in good faith is in a very different enforcement posture than one that has done nothing.

Methodological notes

PERT was chosen here over Monte Carlo or simple expert estimates because (a) it forces structured three-point thinking on each task, (b) it produces a defensible expected value plus σ without simulation tooling, and (c) it's reproducible. Anyone reading this post can swap in their own O/M/P numbers and rerun. The downsides are the independence assumption (real tasks correlate) and the normal-approximation confidence interval (real cost distributions are right-skewed). Treat the central €40k as the planning number and the upper bound as a soft floor, not a ceiling.

Numbers are in 2026 euros, exclude VAT, and assume Western European labour rates. Eastern European SMEs can typically halve the labour lines; UK and Nordics push 20–30% higher.

Next steps if you're an SME planning this work

  1. Run a 1-day scoping workshop now to confirm scope and refresh these estimates with your own O/M/P numbers.
  2. Commit a budget line of €40–60k for Article 14 readiness separately from the larger 2027 conformity programme.
  3. Decide build vs buy on tooling early. It changes the shape of the rest of the plan.
  4. Schedule the tabletop for Q2 2026 at the latest. You want the dress rehearsal at least three months before go-live.

If you want a way to model your own SME's PERT numbers against this baseline, the free CRA Readiness Assessment walks through the relevant Article 14 obligations and produces a personalised gap list that maps directly to the WBS above.

Have your own numbers from running this process? Push back on the estimates, particularly the variance figures, by replying or via the contact channel. This post is intentionally a starting point, not a finished forecast.
