ENISA introduces cybersecurity assessment tool for SMEs

Many SMEs require additional guidance and financial support to meet Cyber Resilience Act requirements, ENISA found.

ENISA launches cyber resilience model for SMEs

The European Union Agency for Cybersecurity (ENISA) has introduced a Cyber Resilience Maturity Assessment Model to help micro, small and medium-sized enterprises (SMEs) strengthen cybersecurity and prepare for the EU’s Cyber Resilience Act (CRA). The framework offers a structured way for organisations to assess their current cyber resilience, identify weaknesses and improve product security over time.

Designed primarily for manufacturers of products with digital elements, the framework provides a structured way for organisations to assess their cyber resilience, identify weaknesses and improve product security over time. It evaluates five areas, such as governance, risk management, vulnerability management, product lifecycle management and cybersecurity skills.

Businesses are classified as having basic, intermediate or advanced cybersecurity maturity. A downloadable assessment tool allows organisations to track progress through repeated self-assessments, although ENISA notes that achieving a higher maturity level does not replace compliance with the CRA.

Alongside the framework, ENISA published the results of a survey of 194 organisations across 31 countries. While 66% of respondents were aware of the CRA, many said they had only a limited understanding of its practical requirements. Medium-sized companies generally demonstrated stronger cybersecurity maturity than micro-enterprises, with incident response and product lifecycle management emerging as the weakest areas.

More than 70% of SMEs said they needed practical support, including technical guidance and secure development templates. Respondents also cited limited budgets, staff and time as major barriers to compliance, prompting ENISA to recommend targeted guidance, financial support and stronger outreach to smaller businesses.

Why does it matter?

SMEs make up a large share of Europe’s digital economy and supply chains, yet many lack the resources needed to meet increasingly demanding cybersecurity requirements. ENISA’s maturity model gives organisations a practical way to assess their readiness, strengthen product security and prepare for compliance with the Cyber Resilience Act.

The findings also highlight that regulation alone is unlikely to improve cybersecurity. Smaller businesses will need practical guidance, technical support and investment to meet new standards, making implementation as important as the legislation itself.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!