ENISA launches cybersecurity maturity model to help SMEs prepare for Cyber Resilience Act
ENISA has introduced a self-assessment framework to help smaller businesses evaluate their cybersecurity practices and prepare for the EU Cyber Resilience Act. An accompanying survey found that many organisations need further technical guidance, funding and practical support.
The European Union Agency for Cybersecurity (ENISA) has launched a Cyber Resilience Maturity Assessment Model for micro, small and medium-sized enterprises.
The framework is intended primarily for manufacturers of products with digital elements. It allows organisations to assess their cybersecurity practices, identify weaknesses and monitor improvements over time.
The model covers five areas: governance, risk management, vulnerability management, product lifecycle management and cybersecurity skills. Businesses are assessed at basic, intermediate or advanced maturity levels.
ENISA has also released a downloadable tool that organisations can use for repeated self-assessments. The agency notes that reaching a higher maturity level does not, by itself, demonstrate compliance with the EU Cyber Resilience Act.
The framework was published alongside findings from an ENISA survey of 194 organisations in 31 countries. According to the results, 66% of respondents were aware of the Cyber Resilience Act, but many had limited knowledge of its practical requirements.
Medium-sized companies generally reported stronger cybersecurity maturity than micro-enterprises. Incident response and product lifecycle management were among the weakest areas identified.
More than 70% of surveyed SMEs said they needed practical assistance, including technical guidance and templates for secure product development. Limited budgets, staffing and time were also cited as barriers.
ENISA recommended more targeted guidance, financial assistance and outreach to smaller businesses. The findings indicate that practical support will be important as SMEs work to improve product security and meet the requirements of the Cyber Resilience Act.
