Strengthen Cybersecurity capacities of European SMEs in line with CRA requirements and obligations

Deliverables:

• Financial support for SMEs and other stakeholders for CRA compliance.
• Openly available platform with CRA-related resources (such as guidelines and supporting documents), providing supporting community building and upskilling
• Workshops, events, networking and exchange of experience of stakeholders
• Contributions to CRA standardisation

The objective of this topic is to support European SMEs, with a focus on micro and small enterprises, to strengthen their cybersecurity capacities and to support the implementation of the proposed Regulation on the Cyber Resilience Act (CRA).

In synergy with other actions launched under this WP which will be developing compliance tools for the CRA, the action should distribute cascade financing grants to European SMEs, with a focus on micro and small enterprises, though remaining open to other stakeholders, to support achieving compliance with requirements and obligations stemming from the CRA.

Applicants are encouraged to identify categories of cascade financing recipients, including at least the following:

• Manufacturers of products with digital components, including software developers.
• Providers of tools and solutions that facilitate compliance with CRA obligations.
• Other well-justified categories in line with CRA (e.g., distributors, importers, open-source community).

For each identified stakeholder category, a dedicated set of activities should be devised taking into consideration the specific needs of target consumers, business users, and other relevant stakeholders.

The proposed project should include actions addressing the following:

• Awareness raising, dissemination and other stakeholder engagement actions with the focus on the cascade financing to European SMEs, with a focus on micro and small enterprises.
• Managing an open call process to distribute cascade funding, including impartial evaluation of proposals and monitoring the implementation of grants.
• Establish an openly available platform providing links to CRA-related resources that the proposed project itself would collect or develop or which would be available from external sources and supporting community building and upskilling. This includes for example a dedicated central repository website to allow easy finding of internal and external resources, step-by-step guidelines, compliance tools, training materials, free and open-source code implementations, and other relevant resources to achieve CRA compliance. This should include, amongst others, tools procured for this purpose under this work programme.
• In close coordination with the EU Cybersecurity Skills Academy, perform trainings and upskilling of stakeholders to achieve CRA compliance, i.e. organise workshops, training sessions, and events, draft guidelines, supporting actions to facilitate interaction among European SMEs, including drafting reports or other material discussing the implementation of CRA compliance requirements and promoting awareness, including by contributing to relevant deliverables of standardisation bodies e.g. through a sectoral perspective and informed by the needs of companies on the ground.
• Facilitate and share CRA compliance best-practices and use-cases.
• Contribute to standardisation efforts, as appropriate, considering the activities of European and international standardisation that are directly relevant to the CRA implementation.

Third parties receiving grants should, in particular:

• Engage in testing, detecting and addressing vulnerabilities, producing documentation, carrying out conformity assessment and implementing other measures necessary to comply with the CRA.
• Participate in workshops, training sessions, and events that facilitate interaction among European SMEs, with a focus on micro and small enterprises, to discuss and implement CRA compliance.
• Contribute to the proposed project’s efforts in collecting the needs and perspectives of SMEs towards CRA-related standardisation deliverables.

Priority should be given to solutions available to use free of charge or free and open-source software (FOSS) solutions both when setting up the openly available platform and when distributing cascading finance grants.

These activities should be carried out in close coordination, and where possible collaboration, with the European Cybersecurity Competence Centre (ECCC), the Network of National Coordination Centres (NCCs), the European Digital Innovation Hubs (EDIHs) network, other relevant European and National cybersecurity entities, and other projects of this work programme.

The operational involvement of NCCs in implementing and running such actions is strongly recommended.

Indicatively one proposal is expected to be financed via this topic. Proposed projects should foresee at least 75% of the budget to be distributed for cascade financing grants.

This action includes the creation of a central platform that serves as a reference point, and hence will enable interactions between providers of essential services and critical infrastructures, as well as other actors, regarding their cybersecurity measures and possible vulnerabilities. Also third parties receiving funding will engage in solutions for testing, detecting and addressing vulnerabilities. As such information could be exploited by malicious actors, the central entity handling such must be protected against possible dependencies and vulnerabilities in cybersecurity to pre-empt foreign influence and control. As previously noted, participation of non-EU entities entails the risk of highly sensitive information about security infrastructure, risks and incidents being subject to legislation or pressure that obliges those non-EU entities to disclose this information to non-EU governments, with an unpredictable security risk. Therefore, based on the outlined security reasons, the actions relating to these technologies are subject to Article 12(5) of Regulation (EU) 2021/694.