CRA for Small Companies: What Article 33 Actually Gives You

If you run a small software or hardware company selling into the EU, you have probably read something about the Cyber Resilience Act and thought: this was written for Siemens, not for us. That instinct is understandable. The regulation is long, the obligations are real, and the fines are eye-watering. But the instinct is only half right.
The CRA - Regulation (EU) 2024/2847 - applies to every manufacturer that places a product with digital elements on the EU market, regardless of company size. There is no blanket exemption for small businesses. What there is, however, is a dedicated article - Article 33 - that builds specific, legally enforceable relief and support measures into the regulation for microenterprises, small enterprises, and start-ups. This post explains what those measures are, which tier of company gets which relief, and what you should be doing about it right now.
This article is general guidance on the Cyber Resilience Act, not legal advice. Confirm specifics against Regulation (EU) 2024/2847 and, where needed, a qualified adviser.
TL;DR
Key points for small teams
- The CRA's full obligations apply from 11 December 2027; Article 14 reporting obligations from 11 September 2026.
- Article 33 gives microenterprises and small enterprises: simplified technical documentation, access to regulatory sandboxes, a dedicated national helpdesk, and fine relief on the 24-hour reporting deadline.
- Medium-sized enterprises get some of these measures (helpdesk, sandboxes, guidance) but not the simplified documentation format or the reporting-penalty relief — those are micro and small only.
- None of this reduces the substantive security obligations. You still have to build a secure product and handle vulnerabilities properly. What is lighter is the paperwork format and one specific penalty.
Does the CRA even apply to my small company?
Almost certainly yes, if you sell software or hardware with a data connection into the EU market. The CRA defines "making available on the market" as the supply of a product with digital elements for distribution or use on the EU market in the course of a commercial activity, whether in return for payment or free of charge. That covers SaaS-adjacent embedded products, IoT devices, desktop software, firmware, and connected hardware - sold or given away.
The only meaningful size-based question is which tier you fall into, because the relief measures differ by tier.
The three size tiers under EU law
The CRA uses the standard EU SME definition from Commission Recommendation 2003/361/EC:
| Tier | Staff headcount | Annual turnover | Balance sheet total |
|---|---|---|---|
| Microenterprise | < 10 | ≤ €2 million | ≤ €2 million |
| Small enterprise | < 50 | ≤ €10 million | ≤ €10 million |
| Medium-sized enterprise | < 250 | ≤ €50 million | ≤ €43 million |
One important nuance: if your company is part of a larger group - through a parent company, investor, or linked enterprise - the headcount and financial figures may need to be aggregated across the group. A ten-person spin-out that is 100% owned by a large corporation does not qualify as a microenterprise for CRA purposes. Check the Annex to Recommendation 2003/361/EC carefully if you have complex ownership.
What Article 33 actually gives you
Article 33 of Regulation (EU) 2024/2847 is titled "Support measures for microenterprises and small and medium-sized enterprises, including start-ups." It is not a vague aspiration. It imposes concrete obligations on Member States and the Commission, and it creates specific entitlements for qualifying companies. Here is what each measure means in practice.
1. Simplified technical documentation (micro and small enterprises only)
Technical documentation under Annex VII is one of the heaviest compliance tasks in the CRA. It covers everything from your cybersecurity risk assessment and secure development processes to your SBOM and vulnerability-handling procedures.
Under Article 33(5), microenterprises and small enterprises may provide all elements of the Annex VII technical documentation using a simplified format, which the Commission specifies by implementing act. Notified bodies - the independent conformity assessment bodies - must accept that simplified form. You do not need to produce the same volume of documentation as a large manufacturer.
A few important caveats:
- The simplified format is for micro and small enterprises only. Medium-sized enterprises do not get this relief.
- The substance of Annex VII still has to be covered. The format is lighter; the underlying content - risk assessment, SBOM, vulnerability-handling process - is not optional.
- The Commission's implementing act specifying the exact simplified format has not yet been published. Watch the EUR-Lex implementing acts tracker for updates.
Start documenting now in plain language. Even before the simplified format is published, you can begin capturing your risk assessment, design decisions, and vulnerability process in straightforward prose. When the implementing act arrives, you will be translating existing work into the approved format — not starting from scratch.
2. National helpdesks and dedicated communication channels
Member States are required to establish a dedicated communication channel for microenterprises and small enterprises to get advice and answers on CRA implementation. This is not a general government website - it is a specific obligation to provide a responsive channel for your size class.
Additionally, the CSIRTs designated as coordinators under the CRA are required to provide helpdesk support specifically on Article 14 reporting obligations, with particular priority given to manufacturers that qualify as microenterprises or small or medium-sized enterprises. When your first vulnerability report is due, you are not expected to figure out the process alone.
ENISA is also running the Single Reporting Platform (SRP) - the central tool for filing Article 14 notifications - and is tasked with operating a helpdesk for that platform, with particular attention to SMEs.
3. Awareness-raising, training, and conformity assessment support
Member States are required to organise specific awareness-raising and training activities tailored to the needs of microenterprises and small enterprises, and to support testing and conformity assessment activities - including, where relevant, with the support of the European Cybersecurity Competence Centre (ECCC).
In practice this means: government-funded training, subsidised conformity assessment support, and - eventually - national programmes to help small manufacturers understand what they need to do and how to do it. The quality and availability of these programmes will vary by Member State, but the obligation to provide them is in the regulation.
4. Regulatory sandboxes
Under Article 33(2), Member States may establish cyber resilience regulatory sandboxes - controlled testing environments for innovative products with digital elements, to facilitate their development, design, validation, and testing for the purpose of complying with the CRA, for a limited period before placing on the market.
Member States must ensure open, fair, and transparent access to these sandboxes, and in particular must facilitate access by microenterprises and small enterprises, including start-ups. The Commission and ENISA may provide technical support and tools for the establishment and operation of sandboxes.
Sandboxes are not yet widely available - they depend on Member States setting them up - but they are a genuine mechanism for innovative small companies to test novel products in a supervised environment before full market release.
5. Fine relief on the 24-hour reporting deadline
This is the relief that surprises most small teams. Under the CRA, manufacturers that qualify as microenterprises or small enterprises may not be fined for failures to meet the 24-hour early-warning deadline for reporting actively exploited vulnerabilities or severe incidents.
To be precise about what this means and does not mean:
- What it covers: The specific 24-hour early-warning notification under Article 14. If you are a micro or small enterprise and you miss that 24-hour window, you cannot be fined for that specific failure.
- What it does not cover: The obligation to report still exists. You must still file the early warning, the 72-hour detailed notification, and the final report. The fine relief applies to the timing of the first notification, not to the reporting obligation as a whole.
- Medium-sized enterprises are not covered. This relief is micro and small only.
Fine relief ≠ no obligation. Missing the 24-hour window without a fine does not mean you can ignore Article 14 reporting. Persistent non-reporting, or failing to file the 72-hour and final reports, remains enforceable. The relief is a proportionality measure for the tightest deadline — not a general exemption from vulnerability disclosure.
6. Proportionate conformity assessment fees
Notified bodies - the independent bodies that assess conformity for Important and Critical products - are required to take due account of the size of undertakings, in particular microenterprises and SMEs, including in relation to fees. This does not mean free assessments, but it does mean that a notified body cannot apply the same fee schedule to a five-person start-up as to a multinational.
7. Commission guidance with an SME focus
Article 26(1) of the CRA requires the Commission to publish guidance to assist economic operators in applying the regulation, with a particular focus on facilitating compliance by microenterprises and small and medium-sized enterprises.
On 3 March 2026, the Commission published its first draft guidance under this obligation - a roughly 70-page document covering scope, remote data processing, support periods, substantial modification, and reporting. The consultation closed on 31 March 2026. The guidance has not yet been formally adopted, and when finalised it will remain non-binding (authoritative interpretation rests with the Court of Justice of the EU). But it is the clearest signal yet of how the Commission expects the rules to be applied in practice, and it is worth reading.
ENISA has also published a Security by Design and Default Playbook (v0.4, March 2026) - the first official EU guidance translating CRA security requirements into practical engineering checklists aimed specifically at SMEs, covering the full product lifecycle from requirements through decommissioning.
What is NOT reduced for small companies
This is the most important section to read carefully.
The relief measures in Article 33 are about process and documentation format, and one specific penalty. They do not touch the substantive security obligations. Every manufacturer - micro, small, medium, or large - must:
- Design products to be secure by default and secure by design (Annex I, Part I)
- Identify and handle vulnerabilities effectively throughout the support period (Annex I, Part II)
- Provide security updates for a defined support period
- Carry out a cybersecurity risk assessment
- Draw up an EU Declaration of Conformity and affix CE marking before placing the product on the market
- Report actively exploited vulnerabilities and severe incidents (the timing relief for micro/small does not remove this obligation)
As one analysis of the regulation puts it, the CRA's SME measures "don't make the cybersecurity criteria any less strict; they just change how they can be satisfied." A small company that ships an insecure product is just as exposed to market surveillance action - product recalls, market access restrictions - as a large one.
Where does your company sit? Use this checker
Start here this quarter: a checklist for a small team
The first CRA deadline with real enforcement teeth is 11 September 2026, when Article 14 reporting obligations for actively exploited vulnerabilities and severe incidents come into force. That is not far away. Here is what a small team should be doing now.
Use the checker above or work through Commission Recommendation 2003/361/EC directly. If you have investors, a parent company, or linked enterprises, check whether group aggregation applies. Your tier determines which Article 33 reliefs you can use.
This is the authority you will notify under Article 14. It is determined by your main establishment in the EU (or your authorised representative's location if you are outside the EU). Find your country's designated CSIRT coordinator now — do not wait until you have an incident.
You need to be able to recognise an actively exploited vulnerability or a severe incident, and to assemble an early-warning notification within 24 hours of becoming aware. Even a simple written runbook — who decides, who files, what information is needed — is better than nothing. ENISA's Security by Design and Default Playbook has SME-focused checklists.
Begin capturing your cybersecurity risk assessment, design decisions, SBOM (even a basic one), and vulnerability-handling process now. When the Commission publishes the simplified format implementing act for micro and small enterprises, you will be reformatting existing work — not starting from scratch.
The Commission has not yet published the implementing act specifying the simplified technical documentation format for micro and small enterprises. Subscribe to updates from EUR-Lex or the Commission's CRA implementation page so you know when it lands.
Article 33(1) requires Member States to set up awareness-raising programmes, training, and dedicated helpdesks for micro and small enterprises. Contact your national market surveillance authority or digital ministry to find out what support is already available — some Member States are ahead of others.
Stay current on CRA developments. The Article 33(5) implementing act, the finalised Commission guidance, and Member State sandbox programmes are all still in progress. Subscribe to The CRA Brief at /subscribe to get plain-English updates the moment anything changes — no jargon, no noise.
The bottom line
The CRA was not written only for large vendors. Article 33 is a genuine set of concessions - lighter documentation, helpdesk priority, fine relief on the tightest deadline, and access to sandboxes - that the regulation's drafters built in specifically because they knew small companies would struggle with a compliance framework designed at enterprise scale.
What Article 33 does not do is excuse small companies from building secure products. The substantive obligations - secure by design, vulnerability handling, security updates, risk assessment - apply to everyone. The relief is in the paperwork format and one specific penalty, not in the security bar itself.
If you are a micro or small enterprise making products with digital elements for the EU market, you have more support available than you probably realise. The task now is to find out what your Member State is offering, get your documentation started, and be ready for the September 2026 reporting deadline - with the knowledge that the 24-hour fine clock is not your biggest risk if you are in the right size tier.
This article is general guidance on the Cyber Resilience Act, not legal advice. Confirm specifics against Regulation (EU) 2024/2847 and, where needed, a qualified adviser.
Related reading

RED Cybersecurity Done - What Does the CRA Add? A Practical Guide for Wireless Product Makers
Already compliant with RED EN 18031? Here's exactly what the CRA adds, what carries over, and what you need to do before December 2027. Plain-English, no fluff.

CRA Technical Documentation: What Annex VII Requires and How to Build Your Technical File
A plain-English guide to the CRA technical file: what Annex VII requires, how it differs from Annex I, the 10-year retention rule, and how to build it now from artefacts you already have.

CRA Substantial Modification: When Does a Software Update Re-Trigger Your Conformity Assessment?
Not every software update restarts your CRA conformity work. Here's where the line sits, what the Commission's 2026 draft guidance says, and how to build a lightweight gate into your release process.