Article 33 requires member states and the European Commission to support microenterprises and small and medium-sized enterprises in meeting their Cyber Resilience Act obligations. The support covers awareness raising, training, testing assistance, dedicated communication channels, and a simplified technical documentation format. It reduces the cost of complying. It does not reduce the obligations themselves.
What Article 33 Obliges States and the Commission to Do
Article 33 is addressed to member states and the European Commission rather than to manufacturers. Member states must organise awareness raising and training on the application of the regulation, support small manufacturers in strengthening their cybersecurity skills, and may establish dedicated channels for SME communication with market surveillance authorities. Member states may also provide financial support and testing assistance for conformity assessment activities. The obligations run toward the small manufacturer as the beneficiary, which means the practical question for an SME is what support exists in its own member state and how to claim it.
The Simplified Technical Documentation Format
The most concrete benefit for a small manufacturer is the simplified technical documentation form. The Commission is empowered to specify, by implementing act, a simplified format that microenterprises and small enterprises can use to satisfy the Annex VII technical documentation requirement. The content obligations remain, covering the product description, the cybersecurity risk assessment, the vulnerability handling documentation, and the declaration content, but the format is designed so a small team can complete it without a compliance department. Until the implementing act is adopted, small manufacturers should structure their technical file against Annex VII directly.
Regulatory Sandboxes
Article 33 connects to the regulation's provisions on regulatory sandboxes, controlled environments in which innovative products can be tested against CRA requirements with guidance from authorities before being placed on the market. For a startup with a novel connected product, a sandbox offers a route to resolve classification and conformity questions with the authority rather than discovering problems in market surveillance after launch. Availability varies by member state.
What Article 33 Does Not Do
Article 33 provides support measures only. The essential cybersecurity requirements of Annex I, the vulnerability handling obligations, the technical documentation duty, the EU Declaration of Conformity, CE marking, and the Article 14 reporting obligations apply to a two-person company exactly as they apply to a multinational. A small manufacturer that relies on informal practices rather than documented processes carries the same exposure to the Article 64 penalty regime, with fines reaching 15 million euros or 2.5 percent of worldwide annual turnover for breaches of the essential obligations. The correct reading of Article 33 is that the cost of compliance is reduced where support exists, while the standard of compliance is unchanged.
How SMEs Should Use the Support in Practice
Three steps extract the value. First, check what your national cybersecurity authority and market surveillance authority have published for CRA support, including training programmes, guidance documents, and any dedicated SME contact channel. Second, plan your technical documentation against Annex VII now and adopt the simplified format when the implementing act lands, rather than waiting for it. Third, if your product raises novel classification or conformity questions, ask your authority about sandbox participation before you commit to a conformity route. Combined with the Module A self-assessment route that most default-class products qualify for, the support measures make an in-house compliance process realistic for a small team.
CRA Portal helps you comply with Article 33 automatically.
Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Receiving and tracking reports is free for all manufacturers placing products with digital elements on the EU market. Article 14 filing with the SRP-ready package is on Pro.
Start your free portalFrequently asked
Does Article 33 exempt small companies from any CRA obligations?+
No. Article 33 provides support measures such as training, guidance, dedicated channels, and a simplified technical documentation format. Every substantive obligation, from the Annex I essential requirements through the EU Declaration of Conformity to Article 14 reporting, applies to manufacturers of every size.
What is the simplified technical documentation format?+
The Commission is empowered to adopt an implementing act specifying a simplified technical documentation form for microenterprises and small enterprises. It covers the same Annex VII content in a lighter format. Until it is adopted, small manufacturers should structure their technical file directly against Annex VII.
Who counts as an SME under Article 33?+
The regulation uses the standard EU definitions. Microenterprises employ fewer than 10 people with annual turnover or balance sheet total below 2 million euros. Small enterprises stay under 50 people and 10 million euros. Medium-sized enterprises stay under 250 people and 50 million euros turnover.
What is a regulatory sandbox and can my startup use one?+
A regulatory sandbox is a controlled environment operated with the authorities in which an innovative product with digital elements can be tested against CRA requirements before being placed on the market. Availability depends on your member state, so ask your national market surveillance or cybersecurity authority whether a CRA sandbox exists and how to apply.
Where do I find the support available in my country?+
Start with your national cybersecurity authority and the market surveillance authority designated for the CRA. Member states organise their own awareness, training, and financial support programmes under Article 33, so the offer differs between countries. ENISA guidance and the Commission's CRA pages track the wider support landscape.
Related CRA Articles
Need a CVD policy that satisfies Article 33?
Download a free CRA-compliant template and deploy it in minutes.