Introduction

This survey is conducted as part of the OCCTET Project (Open CyberSecurity Compliance Toolkit), an EU-funded initiative aimed at helping Small and Medium Enterprises (SMEs) comply with the Cyber Resilience Act (CRA). The OCCTET project develops open-source tools and resources to streamline compliance with cybersecurity requirements for Free and Open Source Software (FOSS) used in digital products.

Learn more about the OCCTET project: https://occtet.eu/

The CRA establishes cybersecurity requirements for products with digital elements, including software and hardware. This survey aims to identify the challenges and needs of SMEs in achieving compliance. Your responses will directly contribute to the development of practical tools and resources to support SMEs in navigating these regulations.

By participating, you will:

Learn about CRA requirements.
Prepare for compliance.
Be the first to access OCCTET tools.
Reduce cost (cost saving through the adoption of open-source tools, reduction in manual effort for compliance documentation and assessment).

Participation is free, and the results of the OCCTET project are licensed as open source.

DISCLAIMER:

Your responses will be used solely for research and analysis purposes to develop tools and resources supporting SME compliance with the CRA. All responses will be handled in compliance with the privacy policies of the Eclipse Foundation and the OCCTET project. No personal or identifiable information will be shared.

Consent Statement

I agree to the processing of my survey responses for research and analysis purposes, in compliance with the privacy policies of the Eclipse Foundation and the OCCTET project.

Allow me to be contacted by the OCCTET project if needed.

Contact Email

Section 1: Participant Information

What is your role in the organization? *

How many employees does your organization have? *

Micro (1-9)

Small (10-49)

Medium (50-249)

Large (250+)

CRA requirements can vary based on the size and resources of an organization.

Do you develop or sell products with digital elements on the EU market? *

Yes

No

Not Sure

Products with digital elements include IoT devices, software applications, or embedded systems. This question helps determine CRA applicability.

Annual Revenue:

Less than €2M

€2M - €10M

€10M - €43M

More than €43M

Products with digital elements include IoT devices, software applications, or embedded systems. This question helps determine CRA applicability.

Location(s) of operation: *

What sector or industry does your organization operate in? *

(Examples: Healthcare, Manufacturing, Retail, IT Services, IoT Development) Different sectors may face unique cybersecurity challenges.

In which region does your organization primarily operate? *

What is your activity type? *

To which European countries do you sell your products? *

How long have your products been on the market? (Select all that apply) *

Section 2: Awareness and Readiness for CRA

How familiar are you with the Cyber Resilience Act (CRA)? *

Not familiar at all

Somewhat familiar

Very familiar

Have you implemented cybersecurity measures for your products before? *

Yes

No

Partially covered within other roles

This helps us understand resource allocation for compliance efforts.

Do you have a dedicated team or individual responsible for cybersecurity compliance? *

Yes

No

Partially covered within other roles

This helps us understand resource allocation for compliance efforts.

What are the biggest challenges your organization faces in complying with CRA? (Select all that apply) *

Lack of budget

Lack of internal expertise

Difficulty understanding regulatory requirements

Lack of suitable tools

Complexity of integrating cybersecurity into product development

Compliance costs and resources

Other

If you selected 'Other' in the previous question, please specify.

Section 3: Secure Product Design (CRA Article 8)

Do you consider cybersecurity during the product design phase? *

Yes

No

Partially

CRA Article 8 requires integrating security measures into the design and development of products.

What challenges do you face in designing secure products? (Select all that apply) *

Lack of expertise in secure development practices

Limited resources to dedicate to cybersecurity

High costs associated with implementing security measures

Difficulty identifying and mitigating vulnerabilities

Other

If you selected 'Other' in the previous question, please specify.

What tools or practices do you use to enhance cybersecurity during product design? *

Secure coding guidelines (e.g., OWASP Secure Coding Practices)

Threat modeling tools (e.g., STRIDE, PASTA)

Code review tools (e.g., SonarQube, GitHub CodeQL)

Automated vulnerability scanning (e.g., Snyk, Dependency-Check, OpenVAS)

None

Other

(secure coding guidelines, threat modeling, code review tools, automated vulnerability scanning.)

If you selected 'Other' in the previous question, please specify.

Section 4: Lifecycle Management (CRA Article 10)

CRA Article 10 requires manufacturers to manage product cybersecurity throughout its lifecycle, including vulnerability handling, regular updates, and notifying users of critical security issues.

Do you have a process for issuing security updates for your products? *

Yes

No

Planning to implement one

How do you track vulnerabilities in your products post-sale? (Select all that apply) *

Manual tracking of vulnerabilities (e.g., through customer feedback)

Automated tools like Software Bill of Materials (SBOM) generators or vulnerability scanners

Dependency management tools for third-party components

I don't track vulnerabilities

Other

If you selected 'Other' in the previous question, please specify.

Do you have a formal vulnerability disclosure and incident response process? *

Yes

No

I don't know

Are vulnerabilities reported and managed according to Coordinated Vulnerability Disclosure (CVD) principles? *

Yes

No

I don't know

Do you conduct cybersecurity risk assessments? *

Yes

No

I don't know

Do you provide cybersecurity training for employees? *

Yes

No

I don't know

How often is training conducted? *

If you selected 'Other' in the previous question, please specify.

What challenges do you face in managing cybersecurity over a product’s lifecycle?

(Examples: Lack of automated tools, limited resources, challenges in coordinating updates with end users.)

Section 5: Documentation and Transparency (CRA Article 10(3))

The CRA mandates manufacturers to provide clear documentation to users about the cybersecurity aspects of a product, including instructions for secure use and details about the product’s security support period.

Do you currently provide cybersecurity documentation with your products? *

Yes

No

Planning to do so

Which cybersecurity standards does your organization comply with? (Select all that apply) *

ISO/IEC 27001

NIS2 Directive

ENISA Guidelines

Other

If you selected 'Other' in the previous question, please specify.

Have you conducted a self-assessment against CRA requirements? *

Yes

No

I don't know

What type of documentation do you think would help you comply with CRA requirements? (Select all that apply) *

Templates for user instructions and secure use

Automated tools for generating compliance documentation

Examples of compliant documentation from similar products

Other

If you selected 'Other' in the previous question, please specify.

What challenges do you face in preparing and providing such documentation?

(Examples: Limited technical writing expertise, unclear regulatory requirements, lack of templates.)

Section 6: Use of Open-Source Tools

Many SMEs use Free and Open Source Software (FOSS) tools to manage vulnerabilities, generate SBOMs, or streamline compliance. The CRA applies to such tools if integrated into a product with digital elements.

Do you use open-source tools or components in your product development? *

Yes

No

I don't know

What types of open-source tools do you currently use?

(Examples: SBOM generators, vulnerability scanners, dependency tracking tools, secure coding libraries.)

What challenges do you face in ensuring the security of open-source components in your products?

(Examples: Rapid updates, lack of documentation, complex dependency management.)

Section 8: Recommendations

What additional tools, training, or resources would help you comply with CRA requirements?

(Examples: Automated vulnerability tracking tools, simplified templates for compliance documentation, training on secure development practices.)

If you could receive one type of support to simplify compliance, what would it be? *

(Examples: Financial support, free tools, compliance consulting, sample templates.)

Framaforms

Shaping CRA compliance for SMEs with OCCTET project

Début : 1 / 2

Introduction

By participating, you will:

DISCLAIMER:

Section 1: Participant Information

Section 2: Awareness and Readiness for CRA

Section 3: Secure Product Design (CRA Article 8)

Section 4: Lifecycle Management (CRA Article 10)

Section 5: Documentation and Transparency (CRA Article 10(3))

Section 6: Use of Open-Source Tools

Section 8: Recommendations

Contacter l'auteur⋅rice de ce formulaire

Propulsé par Yakforms