On 24 June 2026, ENISA's First SME Survey Found High CRA Awareness but Low Readiness
On 24 June 2026, ENISA published its first SME Cyber Resilience Act Survey Report, a snapshot of how small and medium-sized enterprises are preparing for the CRA. The headline is uncomfortable but not surprising: most SMEs know the regulation is coming, yet few are ready to meet it. With the first hard deadline, mandatory vulnerability reporting, arriving on 11 September 2026 and full application on 11 December 2027, the survey is a useful reality check on where the gaps actually are.
What ENISA measured
The survey was conducted in February and March 2026 and drew responses from 194 organisations across 31 countries. It set out to gauge four things: how familiar SMEs are with the CRA, how well they understand its practical requirements, what they are already doing on cybersecurity, and what challenges they expect on the road to compliance. ENISA scored maturity across five domains, giving a structured picture rather than a single yes-or-no readiness figure. A companion study, the SBOM Adoption State of Play report published on 9 June 2026, covers the related question of software transparency.
Read the awareness figure with care
The central finding is a gap between knowing and doing, but the awareness number itself deserves a caveat. A voluntary survey is answered by the people who already care. An SME that takes the time to complete an ENISA questionnaire about the CRA is, almost by definition, already aware of it, so the sample skews toward the engaged. The real picture across the wider SME population, including the many firms that never opened the email, is very likely worse than the report's relatively high awareness score suggests. Seen that way, the survey is less a reassurance that awareness is solved and more a best-case snapshot. Even among the switched-on, practical implementation is where SMEs struggle: many understand that the regulation is approaching without having the resources, technical expertise, documentation processes or cybersecurity governance to reach full compliance. The problem is no longer getting SMEs to pay attention. It is turning that attention into the concrete artefacts the CRA requires: risk assessments, technical documentation, and a working vulnerability-handling process.
The weakest links
Two areas stand out as the biggest gaps between what SMEs do today and what the CRA expects: threat modelling and the software bill of materials (SBOM). Only about 35 percent of respondents (67 of the 194) reported using an SBOM, despite its central role in tracking third-party components and known vulnerabilities. The gap is narrower than it looks, because an SBOM is more approachable than many SMEs assume: our SBOM and vulnerability analysis guide walks through producing a compliant, machine-readable SBOM covering at least top-level dependencies and screening every component against the NVD and EUVD, which is exactly the loop Annex I requires. ENISA also flagged incident response as one of the weakest capability areas, which matters directly: the 24-hour reporting duty that begins on 11 September 2026 assumes an organisation can detect, triage and escalate an actively exploited vulnerability quickly. An SME that is weak on incident response today is precisely the one that will struggle to hit that clock. Our Article 14 reporting guide sets out the 24, 72 and 14-day sequence so the process can be built before a real incident tests it.
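To make the "SBOM plus screening" loop concrete, here is an added illustration (not code from ENISA or from the guide mentioned above) that parses a minimal CycloneDX-style SBOM of top-level dependencies, flags components that cannot be identified, and screens the rest against an advisory feed. The SBOM, the advisory identifiers and the feed are all constructed placeholders; a real run would query the NVD and EUVD and match on version ranges rather than exact package URLs.

```python
import json

# Constructed minimal CycloneDX-style SBOM listing two top-level dependencies.
# Example data only, not a real product's SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "purl": "pkg:generic/zlib@1.3.1"}
  ]
}"""

# Constructed, offline stand-in for an NVD/EUVD lookup, keyed by package URL.
# Advisory identifiers are placeholders, not real CVE or EUVD numbers.
KNOWN_VULNS = {
    "pkg:generic/openssl@3.0.7": ["PLACEHOLDER-ADVISORY-1"],
}


def parse_sbom(text):
    """Return (components, unidentifiable) from a CycloneDX JSON document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    comps = bom.get("components", [])
    # A component without name, version and purl cannot be screened at all,
    # so it is reported separately instead of silently passing.
    required = ("name", "version", "purl")
    unidentifiable = [c for c in comps if not all(c.get(k) for k in required)]
    return comps, unidentifiable


def screen(components, feed):
    """Match each identifiable component against the advisory feed."""
    findings = []
    for comp in components:
        purl = comp.get("purl")
        for advisory in feed.get(purl, []):
            findings.append({"component": comp["name"],
                             "version": comp["version"],
                             "advisory": advisory})
    return findings


def run(sbom_text, feed=KNOWN_VULNS):
    """One pass of the SBOM-and-screening loop; returns a summary dict."""
    comps, unidentifiable = parse_sbom(sbom_text)
    screenable = [c for c in comps if c not in unidentifiable]
    return {"components": len(comps),
            "unidentifiable": len(unidentifiable),
            "findings": screen(screenable, feed)}
```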
Why company size matters
Size was the most consistent predictor of maturity. Medium-sized companies scored roughly one point higher than microcompanies, on average, across all five domains. That is intuitive (larger firms have more staff and budget), but it also identifies where support should be aimed. The organisations least ready for the CRA are the smallest ones, which are also the least able to absorb the cost of getting ready. ENISA has said its follow-up work, practical guidance and tools, will be tailored to smaller organisations for exactly this reason.
Two pieces of the CRA machinery SMEs will rely on are not yet in place. The Single Reporting Platform that manufacturers must use for Article 14 notifications is not yet operational; ENISA has scheduled it to be live by 11 September 2026. And no CRA harmonised standard has yet been cited in the Official Journal, so the Article 27 presumption of conformity is not available for any product category. SMEs preparing now are doing so before either the reporting tool or the standards they can build against are finalised.
What SMEs should take from it
The survey is a self-portrait of the engaged end of the market, and even there the honest reading is that awareness has outrun implementation. For an SME, the practical priorities follow directly from the weakest areas ENISA found. Start an SBOM for your product, even a basic one, because it underpins vulnerability handling; our free analysis tooling will generate and screen it for you. Stand up an incident-response process that can meet a 24, 72 and 14-day reporting rhythm, since incident response is the capability most likely to fail under a real deadline. And build the technical documentation now, because it is the same work whether the product self-assesses or later goes through a notified body; our compliance matrix maps every lifecycle obligation to its article reference so nothing is missed. The regulation's dates are fixed. The survey shows the readiness to meet them still has to be built, and that the smallest firms have the furthest to go.
