In October of 2025, a first batch of training materials was developed by the Centre for Cybersecurity Belgium to help European mSMEs kickstart their CRA compliance.
Three guidelines were produced with the aim of providing European SMEs with:
- an accessible presentation of the CRA obligations; and,
- a preliminary set of practical and technical suggestions and recommendations.
The guidelines are available on the online repository and SECURE website, and we warmly invite you to consult them.
The CRA obligations are made accessible through a beginner-friendly guideline offering a simplified overview of the CRA obligations based on the CRA legal text – CRA 101: Understanding CRA Obligations. The translation of these obligations into hands-on practical suggestions is achieved through (1) a technical guideline focused explicitly on the requirements of Annex I, Part I (points 1 and 2) of the CRA – The CRA’s Essential Cybersecurity Requirements: Annex I, Part I; and (2) a step-by-step guide for SMEs to evaluate and improve their compliance with CRA obligations – The CRA Methodological Compliance Assessment Framework.
The three guidelines are the result of collaboration between the Centre for Cybersecurity Belgium (CCB) and the Autoritatea Pentru Digitalizarea Romaniei-NCC-RO (ADR-NCC-RO). The CCB was first author for both the beginner-friendly guideline and technical guideline on Annex I, Part I. ADR-NCC-RO was first author for the methodological compliance assessment framework.
Content
Although logically intertwined, each guideline has a different focus and aim. This allows mSMEs to select which guidelines to consult, if not all, depending on their expertise and needs.
The beginner-friendly guideline is crucial for the understanding of mSMEs, especially those with, as yet, limited knowledge of the CRA and/or difficulties in navigating the legal environment of the CRA. To make the CRA legal text more tangible, it provides a simplified overview of the key CRA obligations. This overview does not cover all obligations, nor does it include all exceptions to the legislation. Rather, the guideline focuses on five key categories of obligations to be considered at minimum – (1) the cybersecurity risk assessment; (2) vulnerability handling and security updates; (3) user information, instructions and a Single Point of Contact; (4) reporting obligations: vulnerabilities and incident reporting; (5) conformity assessment. Without going into technical details, the guideline clarifies these legal obligations and is thereby aimed at improving awareness, accessibility, and understanding at a basic level.
After reading the beginner-friendly guideline, or for those mSMEs with more expertise, the remaining two documents can be consulted for a more technical translation of CRA obligations into practice. This can be done, first, through the technical guideline focused on the essential cybersecurity requirements of Annex I, Part I of the CRA. It translates the obligations of Annex I, Part I – points 1 and 2 into non-exhaustive and tentative practical suggestions to support compliance with the CRA, based on recognised best practices, common approaches, and existing standards in the cyber domain. It focuses on four components: (1) a risk-based cybersecurity approach, which sets out possible approaches to the risk assessment, tailored security measures, and a reflection on threat models, attack surfaces and impacts; (2) the secure-by-design/default principle; (3) security management duties throughout a product’s lifecycle; (4) supply chain considerations and controls.
Aligned with this first technical guideline, mSMEs can consult the CRA Methodological Compliance Assessment Framework to evaluate and refine their overall CRA compliance. This framework goes beyond Annex I. It considers five criteria: (1) Essential Cybersecurity Requirements Compliance, (2) Certification of Products with Digital Elements, (3) Classification of Products as Class I or Class II and Corresponding Actions, (4) Technical Documentation Completeness, and (5) Overall Conformity Assessment Procedures. Each section is enriched with in-depth guidance, practical examples, case studies, checklists, references to templates, tools, and standards, ensuring mSMEs can effectively navigate CRA obligations with actionable strategies tailored to their resource constraints.
It is crucial to stress that this first batch of guidelines is suggestive in nature. They are not intended to stipulate mandatory steps to be undertaken by mSMEs for compliance, nor should they be read as the ‘only correct’ pathway for compliance. The aim of these guidelines is to support you in the most tangible way possible, i.e. by offering suggestions that mSMEs can apply in practice, while bearing in mind that the context of the CRA is currently still under development.
Keep an eye on the SECURE website and open repository for more training material and updates!