In conversations with clients, a topic that sounded abstract just a year ago is coming up more and more frequently — the Cyber Resilience Act. Software manufacturers, companies developing IoT devices, distributors of hardware with digital components — everyone is starting to ask the same question: what exactly do I need to do, and how much will it cost me? The answer to the second question just became easier.
On January 28, 2026, the European Commission launches the first call for proposals under the SECURE program (Strengthening EU SMEs Cyber Resilience). Budget: EUR 5 million. Maximum grant: EUR 30,000 per project with 50% co-financing. Beneficiaries: micro, small, and medium-sized enterprises from the European Union that manufacture, import, or distribute products with digital elements. Deadline: March 29, 2026. This is not another framework program with a two-year application horizon — this is real money for real actions, available within the next two months.
What is the Cyber Resilience Act and why does it change the rules of the game?
The Cyber Resilience Act (CRA) is a European Union regulation that entered into force on December 10, 2024, introducing mandatory security requirements for all products with digital elements available on the EU market. It is the first regulation that places direct responsibility for cybersecurity on manufacturers — not on users, not on operators, but on those who create and place products on the market.
The scope of the CRA is broad. It covers virtually every hardware and software product whose intended or foreseeable use involves a direct or indirect connection to a network. A mobile application, a home router, an industrial controller, a smart lightbulb, an ERP system, fleet management software — if it connects to a network, it falls under the CRA. The European Commission estimates that the regulation will cover approximately 90% of digital products available on the European market.
For many small and medium-sized software companies, this is a fundamental shift. Until now, product security was largely a matter of the manufacturer’s good will — a client could demand certifications, but the law did not mandate them. The CRA changes this. From December 2027, every product with digital elements placed on the EU market must meet specific security requirements, undergo a conformity assessment, and be supported — including security updates — for at least five years from the date of market placement.
The question I get most frequently is: “does this apply to my company?” If you develop software, manufacture devices with a digital component, or import or distribute such products on the EU market — the answer is yes. Company size doesn’t matter. The CRA applies to a sole proprietorship developing a SaaS application just as it does to a corporation manufacturing routers.
What are the key deadlines and when does the CRA start to apply?
The CRA takes effect in stages — and this is information that many companies still miss. We don’t have until December 2027. The first significant deadline falls much sooner.
June 11, 2026 marks the start of provisions concerning the notification of conformity assessment bodies. This is a technical date that directly concerns certification institutions, but indirectly affects manufacturers — from this point, the conformity assessment ecosystem in which companies will need to operate begins to take shape.
September 11, 2026 — this is the critical deadline for manufacturers. From this date, the requirement to report actively exploited vulnerabilities and serious security incidents to ENISA (the European Union Agency for Cybersecurity) and the relevant national authority takes effect. The notification must be made without undue delay, no later than 24 hours after the manufacturer becomes aware of the vulnerability or incident. This means the company must have an implemented process for identifying, assessing, and reporting vulnerabilities — not in two years, but in eight months.
December 11, 2027 — full application of all CRA requirements. From this date, every new product with digital elements placed on the EU market must meet all security requirements, undergo the appropriate conformity assessment, and have complete technical documentation.
Many companies think they have until the end of 2027. In practice, the vulnerability reporting requirement from September 2026 means that security processes must be in order much sooner. You cannot implement a vulnerability management process overnight — it requires analysis, documentation, tools, and team training. That’s why the SECURE program arrives at the perfect moment.
Key takeaway: Critical CRA deadlines
- December 10, 2024 — CRA enters into force
- June 11, 2026 — provisions on conformity assessment bodies
- September 11, 2026 — mandatory vulnerability and incident reporting (24h)
- December 11, 2027 — full application of all CRA requirements
- Products placed on the market before December 2027 do not require certification unless substantially modified
How does the CRA classify products and what does this mean for your company?
The CRA divides products with digital elements into three risk categories — and this classification directly determines how complex the conformity assessment process will be for your product.
The default category covers approximately 90% of products under the CRA. These are standard applications, consumer electronics, lower-risk IoT devices — everything not explicitly listed in Annexes III and IV of the regulation. For these products, the manufacturer can conduct a self-assessment of conformity — no external certification body is needed. This is good news for most SMEs, as it means lower costs and a faster process. But self-assessment does not mean no requirements — technical documentation, risk analysis, vulnerability management processes, and security update procedures must be complete and auditable.
Important products listed in Annex III are divided into two classes. Class I includes, among others: web browsers, password managers, SIEM systems, and smart home virtual assistants. Class II — products with a higher level of criticality: hypervisors, firewalls, and processors with security features. For Class I products, the manufacturer can choose between self-assessment and assessment by an external body. For Class II — external assessment is mandatory.
Critical products listed in Annex IV — smart cards, smart meter gateways in smart metering systems, hardware devices with security modules — mandatorily require conformity assessment by an external notified body.
In conversations with clients, I see that many companies don’t know which category their product falls into. This should be the starting point — before you begin planning your compliance budget, you need to know which category you’re in. The difference between self-assessment and mandatory external certification is a difference of thousands of euros and months of additional time.
The European Commission has adopted Implementing Regulation (EU) 2025/2392, which contains detailed technical descriptions of important and critical product categories. This is the document every manufacturer should start with — it allows you to unambiguously determine which category a specific product falls under.
What is the SECURE program and who can apply?
SECURE (Strengthening EU SMEs Cyber Resilience) is a European Union-funded project aimed at supporting micro, small, and medium-sized enterprises in adapting to Cyber Resilience Act requirements. The program’s total budget is nearly EUR 22 million, of which EUR 16 million is allocated to cascade funding — meaning direct grants to SMEs.
The first call, launching on January 28, 2026, makes EUR 5 million available. The maximum grant per individual project is EUR 30,000 with a required 50% co-financing from the beneficiary. This means the company implements a project worth up to EUR 60,000, with the grant covering half.
Who can apply? Micro, small, and medium-sized enterprises from the EU that are manufacturers, importers, or distributors of products with digital elements, as well as software developers. In practice, this is a broad category — from a one-person software house developing a web application, to a startup manufacturing IoT sensors, to a networking equipment distributor.
In addition to the funding itself, the SECURE program offers additional support: free training courses and workshops prepared by the Centre for Cybersecurity Belgium (CCB), networking events with industry stakeholders, and a repository of selected resources on CRA compliance. The first training materials were completed in October 2025 and are available on the program’s platform.
Contact for those interested: general inquiries should be directed to info@secure4sme.eu, and questions about application submission to submission-support@secure4sme.eu. An Info Day for potential applicants was held on January 19, 2026 — materials from this meeting should be available at secure4sme.eu.
What activities can the SECURE funding be used for?
This is a question that virtually every client who has heard about the program asks me. The answer is broader than most people assume — SECURE is not limited to purchasing software or conducting an audit.
The program funds activities that directly increase an SME’s ability to meet CRA requirements and the overall cybersecurity level of the organization. In practice, this covers several key areas.
First — establishing security processes. For many SMEs, the CRA means the need to formalize what has previously existed as informal practices. Vulnerability management processes, incident response procedures, security update policies — all of this must be documented, repeatable, and auditable. A SECURE grant can cover the costs of a consultant to help design and implement these processes.
Second — formalizing technical documentation. The CRA requires the manufacturer to prepare and maintain technical documentation covering cybersecurity risk analysis, a description of security measures applied, information about the product development process, and evidence of conformity assessment. For a company that has never documented security processes, this is a significant effort — but also an effort that can be financed through SECURE.
Third — implementing risk management mechanisms. The CRA requires the manufacturer to conduct a comprehensive cybersecurity risk assessment, identifying potential threats throughout the product’s lifecycle. This is not a one-time exercise — risk management must be an ongoing process integrated with the product development cycle.
Fourth — building a security-by-design culture. The CRA requires that security be built into the product from the design phase, not added after the fact. For many SMEs, this is a change in mindset — and the SECURE program can fund developer team training in secure software development (secure SDLC).
Fifth — preparing for the vulnerability reporting process. From September 2026, the manufacturer must have the capability to report actively exploited vulnerabilities within 24 hours. This requires monitoring tools, triage processes, and defined communication channels with ENISA. Implementing these mechanisms entails real costs that qualify for funding.
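The five areas above end with the reporting process, and that is the one a team can rehearse in code before September 2026. The following Python module is an added illustration, not code from the article or from the SECURE programme: it models the identification, triage and 24h reporting steps as a small state machine, so that each vulnerability record carries its awareness time, its triage decision (does it trigger the notification obligation at all?) and a computed deadline that a daily check can flag as open, overdue or reported late. The state names, field names, the `SAMPLE_NOW` clock and the three sample events are assumptions made for this example; the events are constructed and refer to no real vulnerability.

```python
"""Vulnerability-event intake and 24h reporting-deadline tracker.

Added example for the process described in the article, not the article's
or the SECURE programme's own code. It models the obligation named there:
once the manufacturer becomes aware of an actively exploited vulnerability
or a serious incident, the notification is due within 24 hours. States,
field names and sample events are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

REPORTING_WINDOW = timedelta(hours=24)  # the 24h window named in the text

# Process steps in order: identification -> triage -> reporting -> user notice
STATES = ("identified", "triaged", "reported", "users_notified")

# Fixed "now" for the sample run: 27 hours after the sample awareness time
SAMPLE_NOW = datetime(2026, 9, 15, 12, 0, tzinfo=timezone.utc)


@dataclass
class VulnEvent:
    event_id: str
    product: str
    aware_at: datetime                 # when the manufacturer became aware
    actively_exploited: bool = False   # evidence of exploitation in the wild
    serious_incident: bool = False     # incident affecting product security
    state: str = "identified"
    reported_at: Optional[datetime] = None
    history: list = field(default_factory=list)

    def advance(self, new_state: str, at: datetime) -> None:
        """Move exactly one step forward; skipped or backward moves are refused."""
        cur = STATES.index(self.state)
        nxt = STATES.index(new_state)
        if nxt != cur + 1:
            raise ValueError(f"illegal transition {self.state} -> {new_state}")
        self.state = new_state
        self.history.append((new_state, at))
        if new_state == "reported":
            self.reported_at = at


def needs_notification(ev: VulnEvent) -> bool:
    """Triage rule: only actively exploited vulnerabilities and serious
    incidents trigger the mandatory notification; the rest are tracked only."""
    return ev.actively_exploited or ev.serious_incident


def obligation_status(ev: VulnEvent, now: datetime) -> dict:
    """Where an event stands relative to its 24h deadline at time `now`."""
    if not needs_notification(ev):
        return {"reportable": False, "deadline": None, "status": "tracked", "hours_left": None}
    deadline = ev.aware_at + REPORTING_WINDOW
    if ev.reported_at is not None:
        status = "reported_on_time" if ev.reported_at <= deadline else "reported_late"
        remaining = timedelta(0)
    else:
        status = "overdue" if now > deadline else "open"
        remaining = max(deadline - now, timedelta(0))
    return {"reportable": True, "deadline": deadline,
            "status": status, "hours_left": remaining.total_seconds() / 3600}


def build_sample_events() -> list:
    """Constructed sample events (hypothetical products, no real vulnerabilities)."""
    t0 = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)
    exploited = VulnEvent("EV-1", "sensor-gateway", t0, actively_exploited=True)
    exploited.advance("triaged", t0 + timedelta(hours=2))
    exploited.advance("reported", t0 + timedelta(hours=20))   # inside the window
    overdue = VulnEvent("EV-2", "fleet-app", t0, serious_incident=True)
    overdue.advance("triaged", t0 + timedelta(hours=3))       # never reported
    routine = VulnEvent("EV-3", "fleet-app", t0)              # ordinary dependency CVE
    return [exploited, overdue, routine]


def report_queue(events: list, now: datetime) -> dict:
    """event_id -> status string, the view a daily check or dashboard needs."""
    return {ev.event_id: obligation_status(ev, now)["status"] for ev in events}


if __name__ == "__main__":
    for ev_id, status in report_queue(build_sample_events(), SAMPLE_NOW).items():
        print(ev_id, status)
```

The point of the `advance` guard is auditability: a record cannot jump from "identified" to "reported" without a triage entry, so the history list doubles as the evidence a self-assessment needs to show that the process exists and is followed.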
How much time and money does a typical SME need to adapt to the CRA?
It’s not about fearmongering — it’s about making an informed decision and a realistic assessment of the investment. The costs and time for CRA adaptation depend on three variables: product category, current maturity level of security processes, and the scale of the company’s operations.
For an SME producing software in the default category (self-assessment of conformity), the realistic cost range is EUR 15,000 to 60,000, with an implementation timeline of 6–12 months. This includes: gap analysis between the current state and CRA requirements, preparation of technical documentation, implementation of a vulnerability management process, team training in secure SDLC, and conducting a self-assessment of conformity.
For a company manufacturing IoT devices classified as important products Class I, costs increase — external conformity assessment adds an additional EUR 10,000–30,000, and the entire process may take 12–18 months. For Class II and critical products, external certification costs can exceed EUR 50,000.
A SECURE grant of up to EUR 30,000 with 50% co-financing thus covers a significant portion of costs for companies in the default category — potentially even half of the total compliance budget. For companies in higher categories, the grant covers the preparatory phase: gap analysis, documentation, and processes.
Many companies think that the CRA is a problem for next year. In practice, September 2026 — the vulnerability reporting deadline — is eight months away. Companies that begin preparations in Q1 2026 have a realistic chance of meeting the deadline. Those that postpone the decision until Q3 will be rushing and overpaying for consulting services that will become more expensive and harder to obtain at the peak of compliance season.
Key takeaway: Realistic CRA compliance costs
- Default category (self-assessment): EUR 15,000–60,000, 6–12 months
- Important products Class I: +EUR 10,000–30,000 for certification, 12–18 months
- Important products Class II / critical: external certification EUR 50,000+
- SECURE grant: up to EUR 30,000 (50% co-financing = project up to EUR 60,000)
- Most costly elements: technical documentation, gap analysis, SDLC process implementation
What does the CRA require from manufacturers in practice — and what doesn’t it?
The question I get most frequently from smaller companies is: “do I need ISO 27001 certification?” The answer: no, the CRA does not require ISO 27001. But CRA requirements overlap with this standard in many areas — a company that has implemented ISO 27001 has a significant head start.
What does the CRA require in practice? Above all, a security-by-design approach — security must be an integral part of the product design and development process, not an add-on implemented after development is complete. The manufacturer must ensure that the product meets an appropriate security level at the design stage and in its default configuration.
The manufacturer must conduct a comprehensive cybersecurity risk assessment — identifying potential threats throughout the product’s lifecycle and implementing appropriate mitigation measures. The risk assessment must be documented and kept up to date.
The CRA imposes an obligation to provide security updates for at least five years from the date of market placement or throughout the expected product lifetime — whichever is shorter. This means the company must plan product support years in advance and have processes in place to deliver it.
Technical documentation must include: a description of the product and its intended purpose, cybersecurity risk analysis, a description of security measures applied, information about the development process, conformity assessment data, and security instructions for the user. Documentation must be retained for 10 years from market placement or for the duration of support — whichever is longer.
What doesn’t the CRA require? It does not require any specific certification or standard — a company does not need ISO 27001, IEC 62443, or any other certification. It does not require an external audit for 90% of products (the default category). It does not require retroactive adaptation of products placed on the market before December 2027 (unless they are substantially modified). Nor does it require the company to have a dedicated security team — but it does require that security processes exist and are documented, regardless of who carries them out.
How does the SECURE program fit into the broader EU regulatory context?
The CRA does not exist in a vacuum. It is part of a broader European Union cybersecurity regulatory ecosystem that has been taking shape since 2024 with unprecedented intensity. Understanding this context is key to planning a compliance strategy — because companies that treat each regulation separately miss synergies and pay twice.
NIS2 (in force since October 2024) — imposes security obligations on operators of essential and important services, including the obligation to manage supply chain risk. For a software manufacturer subject to the CRA, the supply chain is not just its own suppliers — it also includes its customers, who as operators of essential services will require CRA compliance from their vendors. The CRA and NIS2 mutually reinforce each other — a company compliant with the CRA will more easily meet NIS2 requirements imposed by its clients.
DORA (in force since January 2025) — regulates digital operational resilience in the financial sector. Companies supplying software to banks, insurers, and investment funds fall under DORA as ICT providers. At the same time, if that software has digital elements connecting to a network, it falls under the CRA. Dual regulation — but requirements overlap in many areas, meaning that investment in CRA compliance simultaneously covers part of DORA requirements.
The AI Act — for companies producing software with AI components, the CRA and the AI Act create a complementary set of requirements. AI components in products with digital elements are subject to both regulations simultaneously.
The SECURE program is dedicated exclusively to the CRA — but activities financed through the grant (risk management processes, documentation, secure SDLC) have a direct impact on NIS2 and DORA compliance. A company that uses a SECURE grant to organize its security processes simultaneously builds the foundations for the remaining regulations.
What does the application process look like and what should you watch out for?
The call for proposals under the SECURE program runs from January 28 to March 29, 2026. Two months is a relatively short period — especially for companies that are only now learning about the program. Below is a practical guide to the application process.
Step one: eligibility verification. The company must meet the definition of a micro, small, or medium-sized enterprise according to EU criteria (up to 250 employees, turnover up to EUR 50 million or balance sheet total up to EUR 43 million). It must be registered in an EU member state. It must be a manufacturer, importer, distributor of products with digital elements, or a software developer.
Step two: defining the project scope. The application should describe specific activities the company plans to finance — not a general “improving security levels” but precise steps: “conducting a CRA gap analysis for our product X,” “preparing CRA-compliant technical documentation,” “implementing a vulnerability management process,” “training the team in secure SDLC.” The more specific the application, the higher the chances of a positive evaluation.
Step three: planning the budget with 50% co-financing in mind. If you plan a project worth EUR 40,000, the grant will cover EUR 20,000 — but you need to have the remaining EUR 20,000 secured. This is important because many SMEs do not factor in the co-financing requirement in their planning.
Step four: submitting the application through the program’s platform. Detailed instructions and forms are available at secure4sme.eu. For questions about application submission — submission-support@secure4sme.eu.
Practical recommendation: don’t wait until March. Companies that submit applications earlier have more time for any required supplements. A budget of EUR 5 million with grants of up to EUR 30,000 means funding for approximately 170–250 projects (depending on the average grant value). At the EU scale, that’s not a lot — competition will be real.
How do you assess your company’s readiness for the CRA? A practical maturity map
In conversations with clients, I see that many don’t know where to start. The table below allows you to quickly assess where your company stands and what actions should be prioritized — ideally financed through a SECURE grant.
| CRA requirement area | Level 0 — absent | Level 1 — initial | Level 2 — defined | Level 3 — managed |
|---|---|---|---|---|
| Cybersecurity risk analysis | No formal risk analysis for the product | Informal risk assessment, no documentation | Documented risk analysis, ad hoc updates | Continuous risk management process integrated with SDLC, regular reviews |
| Secure-by-design | Security added after the fact or omitted | Basic practices (data validation, encryption) without a formal process | Defined security requirements at the design stage, code review | Full secure SDLC: threat modeling, SAST/DAST, security gates in CI/CD pipeline |
| Vulnerability management | No process — reactive to customer reports | CVE tracking for used components, no SBOM | SBOM (Software Bill of Materials), dependency vulnerability monitoring | Automated monitoring, coordinated disclosure process, reporting channel |
| Security updates | No update policy | Ad hoc updates, no time guarantees | Documented policy: updates within defined timelines | Automated update pipeline, 5-year support guarantee, user notification |
| Technical documentation | No security documentation | Fragmented documentation, no consistent structure | Documentation compliant with CRA requirements: risk analysis, security measures, development process | Full documentation with traceability, audit-ready, 10-year retention |
| Incident and vulnerability reporting | No process | Support email as the only channel | Defined internal process, no ENISA channel | Full process: identification → triage → 24h reporting → user notification |
| Conformity assessment | No awareness of requirements | Initial analysis of product categorization | Gap analysis completed, adaptation plan in preparation | Self-assessment or certification completed, documentation complete, repeatable process |
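The vulnerability management row of the map names an SBOM and dependency vulnerability monitoring as the Level 2 step. The Python below is an added example, not code from the article, of what that step looks like in practice: it reads a minimal SBOM laid out like a CycloneDX JSON document, matches each component against an advisory list with half-open affected version ranges, and marks findings that are exploited in the wild as urgent so they can feed the 24h reporting process. The SBOM, the advisory identifiers (`EXAMPLE-ADV-*`), and every component name and version are constructed for this example and refer to no real software or vulnerability; a real deployment would pull the advisory feed from a vulnerability database instead of an inline list.

```python
"""Dependency vulnerability check against an SBOM.

Added example, not part of the article. It demonstrates the Level 2 step of
the maturity map: maintain an SBOM and match its components against known
affected version ranges. The SBOM follows the shape of a minimal CycloneDX
JSON document; the advisory list, component names and versions are all
constructed for this illustration and do not refer to real vulnerabilities.
"""
import json

# Constructed SBOM (CycloneDX-like layout, trimmed to the fields used here)
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "example-http-lib", "version": "2.3.1", "type": "library"},
        {"name": "example-json-parser", "version": "1.0.9", "type": "library"},
        {"name": "example-tls-stack", "version": "3.2.0", "type": "library"},
        {"name": "example-vendored-blob", "type": "library"},   # no version recorded
    ],
})

# Constructed advisory feed; the affected range is [introduced, fixed)
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "example-http-lib",
     "introduced": "2.0.0", "fixed": "2.3.2", "exploited_in_wild": True},
    {"id": "EXAMPLE-ADV-0002", "component": "example-json-parser",
     "introduced": "1.1.0", "fixed": "1.1.4", "exploited_in_wild": False},
    {"id": "EXAMPLE-ADV-0003", "component": "example-tls-stack",
     "introduced": "3.0.0", "fixed": "3.2.0", "exploited_in_wild": False},
]


def parse_version(v):
    """'2.3.1' -> (2, 3, 1); anything non-numeric is rejected explicitly."""
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed.
    The fixed version itself is therefore not affected."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json):
    """Return (name, version) pairs plus a count of components that lack a
    version, so the gap is visible in the report instead of silently skipped."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps, incomplete = [], 0
    for c in doc.get("components", []):
        if "name" in c and "version" in c:
            comps.append((c["name"], c["version"]))
        else:
            incomplete += 1
    return comps, incomplete


def match_advisories(sbom_json, advisories):
    """Findings for every component whose version falls in an advisory range."""
    comps, incomplete = load_components(sbom_json)
    findings = []
    for name, version in comps:
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name, "version": version, "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                    # exploited-in-the-wild findings go to the 24h reporting process
                    "priority": "urgent" if adv["exploited_in_wild"] else "normal",
                })
    return {"findings": findings, "components_without_version": incomplete}


if __name__ == "__main__":
    print(json.dumps(match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

Two of the three sample advisories deliberately miss: the JSON parser is older than the introduced version and the TLS stack is exactly at the fixed version, which is where naive closed-range comparisons go wrong. The unversioned component is counted rather than ignored, because an SBOM entry without a version cannot be monitored and is itself a documentation gap.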
Most SMEs I talk to fall between Level 0 and Level 1. A SECURE grant is a real opportunity to leap to Level 2 — which is the minimum level needed to achieve CRA compliance. Level 3 is the goal for companies that treat product security as a competitive advantage, not merely a regulatory obligation.
Why is it worth treating the CRA as an opportunity, not just an obligation?
Many companies think of the CRA exclusively in terms of cost — another regulation, more requirements, another expense. This is understandable, especially for SMEs with limited budgets. But a purely cost-focused perspective misses an important aspect — the CRA levels the playing field on the European market.
Before the CRA, a manufacturer who invested in product security bore additional costs compared to a competitor who ignored security. The client was often unable to assess the difference — they chose the cheaper product, unknowingly accepting higher risk. The CRA eliminates this asymmetry. From December 2027, a minimum security baseline is mandatory for everyone — companies that already meet it gain an implementation advantage, rather than a price advantage from cutting corners on security.
For software companies selling into the EU market, CRA compliance becomes a prerequisite for market access — just like CE marking for physical products. A company that achieves compliance sooner can communicate it to clients sooner as an advantage. In regulated sectors — financial (DORA), energy (NIS2), medical — clients are already starting to ask vendors about CRA compliance. Being ready first is not a cost — it’s access to contracts that the competition cannot yet fulfill.
The SECURE program lowers the barrier to entry. EUR 30,000 in grant funding with 50% co-financing is real money that covers the critical preparatory phase — gap analysis, documentation, processes. For a micro-enterprise with a 5-person team, this could be the difference between “we have to do it ourselves in overtime” and “we can hire a consultant to guide us through the process.”
It’s not about fearmongering with regulations. It’s about making a conscious business decision: do you treat the CRA as a cost to minimize, or as a strategic investment in product maturity that you can finance through an EU program?
What happens if a company fails to comply with the CRA in time?
The CRA provides for sanctions for non-compliance — and they are not symbolic. Financial penalties for placing on the market a product that does not meet the essential CRA requirements can reach EUR 15 million or 2.5% of the manufacturer’s global annual turnover — whichever is higher. For violations of other obligations — up to EUR 10 million or 2% of turnover.
But financial penalties are not the only risk. The CRA authorizes market surveillance authorities to demand the withdrawal of a product from the EU market — which for a company can effectively mean the loss of the entire European market overnight. The surveillance authority can also prohibit placing the product on the market until the non-compliance is resolved.
For SMEs, the practical consequence is simpler and more immediate than administrative penalties: losing clients. Large organizations — banks, energy companies, public institutions — are subject to NIS2 and DORA, which require supply chain risk management. A software vendor that is not CRA-compliant becomes a regulatory risk for its client. And a client that must report supply chain risk will choose a compliant vendor — even if they are more expensive.
In conversations with companies, I see that it is precisely the prospect of losing clients, not regulatory penalties, that motivates SMEs to act. Nobody wants to end up on the list of vendors that a client drops “for compliance reasons.” And the SECURE program provides a concrete tool to avoid that — finance the preparations, organize processes, and enter the CRA era from a position of compliance, not chasing a deadline.
Frequently asked questions
Does the SECURE program apply only to manufacturers, or also to distributors and importers?
The SECURE program is aimed at micro, small, and medium-sized enterprises that are manufacturers, importers, or distributors of products with digital elements, as well as software developers. A distributor who places IoT devices manufactured outside the EU on the EU market falls under the CRA as an importer — and can apply for a SECURE grant to adapt their processes to the regulation’s requirements.
How much co-financing is required?
50% of the project value. With the maximum grant of EUR 30,000, the company must secure at least EUR 30,000 from its own resources — the total project value would then be EUR 60,000. Co-financing can include both cash costs (e.g., consulting services) and in-kind contributions (e.g., time of the company’s own employees engaged in the project).
Does my sole proprietorship developing a SaaS application fall under the CRA?
Yes, if the application has digital elements connecting to a network and is available on the EU market. Company size does not exempt from CRA obligations. At the same time, micro-enterprises are subject to certain simplifications — the regulation takes into account the proportionality of requirements to the manufacturer’s size and resources.
When do I have to start reporting vulnerabilities to ENISA?
From September 11, 2026. The manufacturer must report an actively exploited vulnerability or a serious security incident within 24 hours of becoming aware of the event. This requires an implemented process for identification, assessment, and reporting — having a support email address is not sufficient.
Do products placed on the market before December 2027 have to comply with the CRA?
As a general rule, no — the CRA applies to new products placed on the market after December 11, 2027. However, a substantial modification to a product after that date may result in it being considered a new product under the CRA, triggering the full scope of requirements. The definition of “substantial modification” is critical and worth analyzing with a lawyer.
How does the CRA relate to ISO 27001 and IEC 62443?
The CRA does not require any specific certification. However, a company with ISO 27001 already has a significant portion of security processes implemented — risk management, documentation, incident response processes. IEC 62443 is particularly useful for manufacturers of OT/ICS devices — many CRA requirements overlap with this standard. Having these certifications simplifies the CRA adaptation process, but their absence is not an obstacle.
Will there be additional calls under the SECURE program?
Yes. The first call (January 28 – March 29, 2026) has a budget of EUR 5 million, but the total cascade funding budget in the SECURE program is EUR 16 million. Additional calls will be announced in 2026 and 2027. However, given the approaching vulnerability reporting deadline (September 2026), companies should consider applying in the first call — the sooner they start preparations, the greater the chance of achieving compliance on time.
