CRA Now Driving 2026 Security Spend: What SMEs Need to Know

The EU Cyber Resilience Act is becoming a primary driver of security investment decisions across Europe.

Board-Level Focus on CRA Compliance

According to Red Hat's 2026 State of Cloud-Native Security Report, 64% of organizations expect the CRA to be a primary influence on their 2026 security investments.

SME Readiness Gaps Widening

At the CRA Europe 2026 conference held in Bucharest, Romania, discussions highlighted a widening gap between regulatory requirements and operational readiness - particularly for small and medium-sized enterprises.

  • Translating requirements into day-to-day workflows
  • Resourcing consistent execution across engineering and governance
  • SBOM generation and maintenance
  • End-of-life product security obligations
  • Incident reporting structures

As reported by Cyprus Mail, smaller businesses face challenges not in understanding the regulation, but in having the governance structures and engineering capacity to consistently deliver on it.

For many smaller businesses, the challenge lies not in understanding the regulation, but in having the governance structures and engineering capacity to consistently deliver on it.

— Columbia Group at CRA Europe 2026

Two Areas to Watch: EOL Devices and Open Source

End-of-Life Devices

Cisco's policy analysis highlights that neither the CRA nor NIS2 directly addresses how to manage devices once their lifecycle expires. With 40% of the top targeted vulnerabilities in 2025 impacting end-of-life devices - often unpatchable - this gap poses significant risks. Cisco advocates for explicit European-level guidance on managing obsolete devices.

Open Source Liability

The CRA deliberately excludes open-source software from liability obligations to avoid chilling effects on the ecosystem. However, this exclusion does not negate responsibility. Manufacturers who commercialize products using open-source code still bear full obligation: they must generate SBOMs, track vulnerabilities, and be transparent about security practices related to their open-source dependencies.

How CVD Portal Can Help

CVD Portal helps SME manufacturers meet CRA Article 13 requirements with a free vulnerability disclosure portal that includes:

  • Branded security contact at yourcompany.cvdportal.com
  • Automated 48-hour acknowledgment tracking
  • Full audit trail for compliance documentation
  • ENISA-aligned reporting when needed

Get started free - no credit card required.