
CRA Friday Facts: Why SMEs Are Fully Affected Too

The CRA applies to every manufacturer of products with digital elements, whether it has 8 employees or 17,000. SME relief reduces bureaucracy, not the security standard.

May 8, 2026
Maximilian Heck

"We're a small mid-sized company with 80 people. The Cyber Resilience Act is for Siemens and Bosch, not for us." I hear this all the time. And it's wrong.

The CRA applies to every manufacturer of products with digital elements. 8 employees or 17,000.


Does the CRA really apply to all manufacturers?

Yes. The EU Cyber Resilience Act makes no distinction by company size when it comes to scope. Anyone placing a product with digital elements on the market, whether as a sole trader, mid-sized company, or large corporation, is a manufacturer under the regulation and bears full responsibility.

Secure product development, SBOM obligation, vulnerability management, technical documentation, and reporting obligations. Every manufacturer must deliver and prove these requirements. Regardless of size.

The idea "The CRA only hits the big players" is wrong, and dangerous when it becomes a compliance strategy.

What SME relief does the CRA provide?

The CRA does contain SME relief. But it concerns the procedure, not the security standard. Specifically:

  • Simplified documentation for technical files
  • Exemption from certain fines for micro and small enterprises
  • Dedicated helpdesks at national and EU level
  • Preferential access to regulatory sandboxes

Important: These reliefs apply almost exclusively to micro and small enterprises (under 50 employees). Medium-sized enterprises with 50 to 249 employees miss out on most reliefs, and effectively carry the full compliance burden, like a large corporation.

A detailed breakdown of SME relief measures including classification rules is available separately.

Myth vs. fact

Myth: The CRA only hits the big players.

Fact: Security requirements apply to everyone. SME relief reduces bureaucracy, not the compliance standard, and applies almost exclusively to micro and small enterprises.

Who qualifies as an SME under the CRA?

The CRA references EU Recommendation 2003/361/EC via Article 3(19) and Recital 5. Three categories:

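| Category          | Employees | Revenue or balance sheet                |
|-------------------|-----------|-----------------------------------------|
| Micro-enterprise  | under 10  | max. 2M EUR                             |
| Small enterprise  | under 50  | max. 10M EUR                            |
| Medium enterprise | under 250 | max. 50M EUR revenue / 43M EUR balance  |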

Two often-overlooked classification rules:

Employee count is mandatory; the financial thresholds are alternatives. You must be below the employee ceiling. For the financial criteria, it's sufficient if one of the two values (revenue or balance sheet) is below the threshold.

Corporate structures count, significantly. Partner enterprises and affiliated companies are counted in per Article 6 of the EU Recommendation. A 20-person subsidiary of a large corporation is not a small enterprise under the CRA.

What you should concretely check

1. Run your classification cleanly. Employee count, revenue, balance sheet, including all partner and affiliated companies. Document the result.

2. Reality check on the relief. Which relief applies to my actual size category? For medium-sized companies, the honest answer is usually: not much.

3. Plan the full compliance stack. Even where relief applies: secure product development, SBOM, vulnerability management, and reporting obligations are unavoidable. The only question is how much bureaucracy gets stacked on top.

4. Use the helpdesks. If you classify as a micro or small enterprise, the national CRA helpdesks and sandboxes are real support offerings. Not using them wastes resources.

Frequently asked questions

Does the CRA also apply to small companies?
Yes. The CRA applies to every manufacturer of products with digital elements, regardless of company size. Security requirements apply equally to 8-person shops and large corporations.

What SME relief does the CRA provide?
Simplified documentation, exemption from certain fines, dedicated helpdesks, and preferential access to regulatory sandboxes. These reliefs apply almost exclusively to micro and small enterprises under 50 employees.

Who qualifies as an SME under the CRA?
The CRA references EU Recommendation 2003/361/EC: Micro-enterprises (under 10 employees), small enterprises (under 50 employees), medium enterprises (under 250 employees). Corporate structures are counted in.

Do medium-sized companies have to do the full CRA workload?
Essentially yes. SME relief measures are primarily aimed at micro and small enterprises. Medium-sized companies must implement full technical documentation, complete vulnerability management, and all reporting obligations.

Conclusion

The CRA hits the mid-market, and it hits hard. Security requirements apply to all. SME relief reduces bureaucracy, not the compliance standard.

Check your SME classification carefully before relying on relief. Corporate structures and subsidiaries are counted in. A 20-person subsidiary of a large corporation is not a small enterprise under the CRA.

A structured CRA roadmap helps mid-market manufacturers plan the effort realistically, before the cut-off date tips from theory into practice.


Every Friday I debunk a CRA myth here.
