Ghid independent privind Regulamentul (UE) 2024/2847 · Statut: în vigoare
Această pagină este o traducere automată (IA) și nu a fost revizuită de o persoană. Articolele de blog sunt disponibile numai în limba engleză.
← All news
Perspective CRA16 July 2026

On 13 July 2026, ENISA Published a Free Maturity Model So SMEs Can Score Their CRA Readiness

On 13 July 2026, ENISA Published a Free Maturity Model So SMEs Can Score Their CRA Readiness

On 13 July 2026, ENISA published the SME Cyber Resilience Maturity Assessment Model, a free, structured tool that lets micro, small and medium-sized enterprises measure how ready they are for the Actul privind reziliența cibernetică. It arrives three weeks after ENISA's SME CRA Survey Report of 24 June 2026 found that most SMEs know the CRA exists but few have turned that awareness into practical readiness. The new model is ENISA's answer to that gap: a way for an SME to see, concretely, where it stands.

What the model measures

The tool scores an organisation across five domains: governance and documentation, risk management and security by design and by default, vulnerability management, product lifecycle management, and cybersecurity skills. Each criterion is rated on a maturity scale from 1 to 5, and the results roll up into an overall profile of basic, intermediate or advanced. ENISA has released it as a downloadable Excel questionnaire that scores itself automatically and is meant to be reused, so an SME can re-run the same assessment periodically and track whether it is actually closing gaps over time, not just documenting them once.

Built on a survey that found awareness outrunning readiness

The model leans on the same underlying data as the June survey: 194 organisations across 31 countries. About 66 percent said they were aware of the CRA, but many described only a limited grasp of what it actually requires of them in practice. Incident response și product lifecycle management came out as the weakest capability areas, and medium-sized firms consistently scored higher than micro-enterprises. More than 70 percent of respondents said they needed practical support, technical guidance and secure-development templates, and cited limited budget, staff and time as the main barriers to compliance.

A maturity score is not a compliance certificate

ENISA is explicit on this point: reaching a higher maturity level does not replace compliance with the CRA. The model is a diagnostic, not a conformity assessment. An SME still has to classify its product correctly, default, Annex III Class I or II, or Annex IV, and follow the assessment route that classification requires under Article 32. Our classification tool și matricea de conformitate map that separate, mandatory step.

Status at publication, 16 July 2026

Two pieces of CRA machinery the maturity model points toward are still not in place. ENISA's Single Reporting Platform, which manufacturers will use for Article 14 vulnerability and incident notifications, is not yet operational; it is scheduled to be live by 11 septembrie 2026, the date the reporting duty itself begins. And no CRA harmonised standard has yet been cited in the Official Journal, so the Article 27 presumption of conformity is not available for any product category. A high maturity score today cannot yet be backed by either tool.

Why the weakest domain matters most right now

Incident response is the survey's weakest area, and it is also the domain the CRA will test first. From 11 septembrie 2026, Article 14 requires an early warning within 24 de ore of becoming aware of an actively exploited vulnerability, a fuller notification within 72 de ore, and a final report within 14 zile of a fix being available. An SME that scores itself low on vulnerability management or incident response in ENISA's model is, in effect, identifying the exact capability that will be under a legal clock in under two months. Our Article 14 reporting guide sets out that sequence, and our free analysis tooling can generate and screen an SBOM, the building block the product lifecycle and vulnerability domains both depend on.

What SMEs should do with it

Run the assessment, but treat the score as a to-do list rather than a scoreboard. Start with the domains ENISA flagged as weakest across the sector, incident response and product lifecycle management, since those are the ones most likely to fail under a real deadline. Re-run the questionnaire every few months rather than once, so the basic to intermediate to advanced movement is visible. And keep the maturity model and the formal conformity route separate in your own planning: one tells you how prepared you feel, the other is what the law actually requires before 11 December 2027.

Published 16 July 2026 · CRA Insights. Part of the CRA insights blog on cyberresilienceact.eu.