How does the Cyber Resilience Act affect small businesses?

Alexis Hirschhorn· CEO, Acuna16 July 2026

Direct answer

Small businesses that make products with digital elements are covered by the Cyber Resilience Act, but it includes proportionality measures: microenterprises and small enterprises can use simplified technical documentation, and the Commission and Member States must provide guidance and support. The core duties, secure design, vulnerability handling and reporting, still apply.

Key Facts

  • SMEs and microenterprises that place products on the market are in scope.
  • Article 33(5): micro and small enterprises may provide their technical documentation (Annex VII) in a simplified format, which notified bodies are required to accept.
  • The Commission and Member States must provide SME support measures including regulatory sandboxes and dedicated communication channels (Art. 33).
  • Micro and small enterprises are exempt from fines for missing the 24-hour early warning deadline; all other obligations remain.
  • Reporting from 11 September 2026 applies regardless of company size, and the 72-hour notification + final report obligations are not waived.

The CRA applies to small businesses that manufacture products with digital elements, but it is built with proportionality in mind. **Simplified technical documentation.** Under Article 33(5), micro and small enterprises may provide their technical documentation (Annex VII) in a simplified format, and notified bodies are required to accept that format. This reduces the administrative burden of demonstrating conformity without waiving any substantive security requirement. **SME support measures.** Article 33 directs the Commission and Member States to provide tailored support including regulatory sandboxes, dedicated communication channels, and sector-specific guidance. These measures are mandated, not discretionary. **Fine exemption for the 24-hour early warning.** Micro and small enterprises are exempt from administrative fines for missing the 24-hour early warning deadline specifically. The 72-hour notification and the final report are not covered by this exemption -- those obligations and their fines remain in full force. What proportionality does not do is waive the substance. A small manufacturer still has to design securely, run a vulnerability-handling process, maintain an SBOM, and submit a timely 72-hour notification. The reporting obligation from 11 September 2026 applies regardless of company size, which is why the practical advice for a small team is the same as for a large one: build the detection and escalation process before the deadline.

What's next

See how Acuna handles this