The EU Cyber Resilience Act (CRA), formally Regulation (EU) 2024/2847, introduces sweeping cybersecurity requirements for manufacturers of products with digital elements. From secure-by-design development to vulnerability management, incident reporting, and conformity assessments — the obligations are substantial.
For small and medium-sized enterprises (SMEs), this raises a critical question: does the regulation account for the fact that a 15-person IoT startup and a multinational corporation face fundamentally different realities when it comes to compliance capacity?
The short answer is yes — but with important caveats. The CRA includes a targeted set of SME relief measures. However, they are unevenly distributed across company size categories, and several of the most impactful ones exclude medium-sized enterprises entirely. This article breaks down every relief measure, the eligibility criteria, and the practical implications manufacturers should be aware of.
How the CRA Defines Micro, Small, and Medium-Sized Enterprises
The CRA does not create its own SME definitions. Instead, Article 3(19) and Recital 5 of the regulation refer directly to Commission Recommendation 2003/361/EC, which establishes three categories based on headcount and financial thresholds:
- Micro-enterprises employ fewer than 10 people, with an annual turnover or balance sheet total not exceeding EUR 2 million.
- Small enterprises employ fewer than 50 people, with an annual turnover or balance sheet total not exceeding EUR 10 million.
- Medium-sized enterprises employ fewer than 250 people, with an annual turnover not exceeding EUR 50 million or a balance sheet total not exceeding EUR 43 million.
Classification Rules That Manufacturers Often Get Wrong
Two aspects of these definitions deserve particular attention, as they frequently lead to misclassification.
The headcount threshold is mandatory; the financial threshold is alternative. To qualify for a given category, a company must be below the staff headcount ceiling — this is non-negotiable. For the financial criteria, however, a company only needs to fall below either the annual turnover or the balance sheet total. A company with 40 employees, EUR 12 million in turnover, but only EUR 8 million in total assets still qualifies as a small enterprise, because the balance sheet figure is below the EUR 10 million threshold.
Corporate structures matter — significantly. Recital 5 of the CRA explicitly requires that thresholds be calculated in accordance with Article 6 of the Annex to Recommendation 2003/361/EC. This means that partner enterprises and linked enterprises (i.e., group structures, parent companies, subsidiaries) must be taken into account. A 20-person subsidiary of a large corporation does not qualify as a small enterprise under the CRA. Manufacturers embedded in larger corporate structures should verify their classification carefully before assuming SME status.
The Complete Map of CRA Relief Measures for SMEs
The following is a comprehensive overview of every SME-specific relief measure and support provision contained in the CRA, mapped against the three enterprise size categories.
Overview
| Relief Measure | Micro | Small | Medium |
|---|---|---|---|
| Exemption from fines for missing the 24h early warning deadline (Art. 14) | ✅ | ✅ | ❌ |
| Simplified technical documentation format (Art. 33(5)) | ✅ | ✅ | ❌ |
| Proportionally reduced conformity assessment fees | ✅ | ✅ | ✅ |
| Targeted training and awareness programmes by Member States | ✅ | ✅ | Partially |
| Dedicated implementation helpdesks | ✅ | ✅ | ❌ |
| CSIRT helpdesk support for incident reporting (Art. 14) | ✅ | ✅ | ✅ |
| Priority access to regulatory sandboxes | ✅ | ✅ | ❌ |
| Enterprise size as mitigating factor in fine calculations | ✅ | ✅ | ✅ |
The pattern is clear: micro and small enterprises benefit from the full range of relief measures, while medium-sized enterprises are excluded from several of the most impactful ones — including the fine exemption, simplified documentation, dedicated helpdesks, and sandbox access. The sections below examine each measure in detail.
1. Exemption From Fines for Missing the 24-Hour Early Warning Deadline
Eligible: Micro ✅ | Small ✅ | Medium ❌
Article 14 of the CRA requires manufacturers to submit an early warning to the relevant CSIRT within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident. This is one of the regulation's tightest deadlines.
Micro and small enterprises are explicitly exempt from administrative fines if they fail to meet this specific 24-hour window. This is a meaningful concession: the early warning obligation remains in place, but the financial penalty for non-compliance is removed. Medium-sized enterprises, however, receive no such exemption and face the same enforcement regime as large corporations.
2. Simplified Technical Documentation Format
Eligible: Micro ✅ | Small ✅ | Medium ❌
The CRA requires manufacturers to produce comprehensive technical documentation covering their product's cybersecurity properties, risk assessments, and conformity evidence. For smaller companies without dedicated regulatory affairs teams, this can be a significant burden.
To address this, Article 33(5) of the CRA mandates the European Commission to establish a simplified documentation template by means of delegated acts, specifically designed for micro and small enterprises. Once published, notified bodies — the third-party organisations that conduct conformity assessments — will be legally obligated to accept documentation submitted in this simplified format. This is not optional guidance; it is a binding requirement.
However, as of March 2026, this simplified template has not yet been published. The Commission is still in the process of developing its delegated acts and implementation guidance. Micro and small enterprises should monitor the Commission's progress on this front and assert their right to use the simplified format as soon as it becomes available.
Medium-sized enterprises will need to use the standard documentation format regardless.
3. Proportionally Reduced Conformity Assessment Fees
Eligible: Micro ✅ | Small ✅ | Medium ✅
When a product falls into the "important" or "critical" category and requires third-party conformity assessment, the associated fees can be substantial. The CRA mandates that these fees be proportionally reduced for all SME categories, including medium-sized enterprises.
This is one of only three relief measures that extend across all three SME tiers. The exact fee reductions will depend on the notified bodies and the implementing guidance from Member States.
4. Targeted Training and Awareness Programmes
Eligible: Micro ✅ | Small ✅ | Medium: Partially
Member States are required to organise targeted training and awareness activities to help SMEs understand and comply with the CRA. For micro and small enterprises, this support is comprehensive. For medium-sized enterprises, the commitment is qualified — they benefit partially, with the scope and depth of support left to Member State discretion.
5. Dedicated Implementation Helpdesks
Eligible: Micro ✅ | Small ✅ | Medium ❌
The CRA provides for dedicated communication channels — essentially helpdesks — where micro and small enterprises can direct questions about practical implementation of the regulation's requirements. Medium-sized enterprises are excluded from this dedicated support infrastructure.
6. CSIRT Helpdesk Support for Incident Reporting Obligations
Eligible: Micro ✅ | Small ✅ | Medium ✅
Separate from the general helpdesks, CSIRTs (Computer Security Incident Response Teams) are required to provide specific support to all SME categories in fulfilling their reporting obligations under Article 14. This includes guidance on how to structure notifications, what information to include, and how to navigate the reporting process.
This is a practical and welcome measure, given that incident reporting processes — with their layered timelines (24-hour early warning, 72-hour incident notification, 14-day final report) — can be procedurally complex for organisations without established security operations.
7. Priority Access to Regulatory Sandboxes
Eligible: Micro ✅ | Small ✅ | Medium ❌
The CRA encourages Member States to establish regulatory sandboxes — controlled environments where manufacturers can test innovative products under regulatory supervision before full market entry. Micro and small enterprises receive preferential access to these sandboxes.
For companies developing novel connected products, this could be a valuable opportunity to validate compliance approaches early, reduce go-to-market risk, and gain regulatory certainty without the full cost of formal conformity assessment. Medium-sized enterprises do not receive priority access.
8. Enterprise Size as a Mitigating Factor in Fine Calculations
Eligible: Micro ✅ | Small ✅ | Medium ✅
When market surveillance authorities determine fines for CRA non-compliance, they are required to take the size of the enterprise into account as a mitigating circumstance. This applies to all three SME categories and is distinct from the specific fine exemption under point 1 — it is a general principle of proportionality in enforcement.
The Bigger Picture: What SME Relief Does and Does Not Change
It is worth being explicit about what these measures do not do: they do not reduce the substantive cybersecurity requirements of the CRA. Every manufacturer — regardless of size — must still ensure that products with digital elements are designed and developed securely, that known vulnerabilities are handled and patched, that security updates are provided for the expected product lifetime, and that conformity with essential requirements is declared.
The relief measures reduce the procedural and financial burden of compliance, not the compliance standard itself. For a complete overview of all CRA requirements, see our CRA guide.
A Note on Support Periods
One practical area where SMEs often express uncertainty is the determination of support periods — how long a manufacturer must continue providing security updates after a product is placed on the market. The CRA requires that this period reflect the expected product lifetime, but does not prescribe exact durations.
To help SMEs navigate this, the Administrative Cooperation Group (ADCO) is mandated to publish statistics on average support periods across product categories. These figures can serve as a market benchmark, giving smaller manufacturers a defensible reference point rather than having to determine appropriate durations from scratch.
Recommendations for SME Manufacturers
- Verify your SME classification rigorously. Do not rely on informal headcount estimates. Calculate thresholds properly, including any partner or linked enterprise relationships. Misclassification could mean relying on relief measures you are not entitled to.
- If you qualify as micro or small: prepare to leverage the simplified documentation format. Once the Commission publishes the delegated act establishing the simplified template, notified bodies will be required to accept it. Monitor the Commission's progress and assert this right as soon as the format becomes available.
- If you are medium-sized: plan as if you were a large enterprise. Most of the meaningful procedural relief measures (fine exemptions, simplified documentation, helpdesks, sandbox access) do not extend to your category. The reduced conformity assessment fees and CSIRT support are helpful, but the compliance workload will be largely equivalent to that of larger organisations.
- Engage early with your national market surveillance authority. The training programmes, helpdesks, and awareness measures outlined in the CRA depend on Member State implementation. Establishing contact early ensures you are aware of available resources as they become operational.
This article is based on the provisions of Regulation (EU) 2024/2847 (EU Cyber Resilience Act), with specific reference to Article 3(19), Recital 5, Article 14, Article 33(5), and Commission Recommendation 2003/361/EC. It reflects the regulatory text as published and does not constitute legal advice.