Files (potentially) impacted

The European Union Agency for Cybersecurity (ENISA) has published a Micro, Small and Medium-sized Enterprises (SME) Cyber Resilience Maturity Assessment Model, a practical tool to help smaller firms assess their readiness for the Cyber Resilience Act (CRA). The model, released on 13 July 2026, provides a structured approach for SMEs to evaluate and improve their cyber resilience across five domains: governance and documentation, risk management and security by design, vulnerability and patch management, product life cycle management, and awareness and skills. It offers three maturity profiles—basic, intermediate, advanced—and includes a downloadable Excel tool for self-assessment. ENISA stresses that an advanced maturity level does not replace legal obligations or serve as evidence of compliance.

The model is part of the European Commission’s SME cybersecurity strategy and targets organisations that manufacture or place products with digital elements on the market, as well as integrators and service providers. It follows a survey conducted by ENISA in February and March 2026, whose findings were published on 24 June 2026. The survey, covering 194 organisations from 31 countries (including 25 EU member states), revealed a gap between awareness and practical readiness: 66% of respondents had heard of the CRA, but understanding of its requirements remained limited. Medium-sized companies scored about one point higher than microcompanies across all domains, and incident response and product life cycle management emerged as the weakest areas, especially for micro-firms. The most requested support was practical templates—technical documentation and secure development templates were each requested by over 70% of respondents. Financial support was highlighted by 142 respondents as a key need.

The maturity model and survey aim to address these challenges by offering a manageable path for SMEs to strengthen product security and cyber resilience over time. ENISA recommends focusing on documentation and conformity assessment, developing technical documentation templates, improving incident response and product life cycle management, and providing financial support, with specific measures for microcompanies. The agency plans to continue developing practical guidance and tools as part of the EU's broader cybersecurity framework.

← Atlas › News › Digital & Communication