Smaller firms struggle to meet tough European cybersecurity laws
Columbia Group has warned that a growing gap between cyber regulation and operational readiness is holding back industry progress, after discussions at CRA Europe 2026 in Bucharest brought renewed focus to the practical demands of the EU’s Cyber Resilience Act.
Held at the Romanian Parliament at the beginning of March, the conference was organised by I-ENERGYLINK and the CYBERFORT consortium, with the support of the Romanian National Cyber Security Directorate (DNSC).
It brought together more than 150 policymakers, regulators, supervisory authorities, industry leaders, cybersecurity experts, technology providers and academics to look at how the Cyber Resilience Act can move from legal text to practical implementation.
And that was, in many ways, the central issue running through the event.
While there was broad alignment on what the CRA is designed to achieve, discussions made clear that the harder task lies in turning those requirements into clear guidance, workable compliance models and systems that can be applied in practice, particularly by SMEs, manufacturers, integrators and operators in critical sectors.
In that context, vulnerability management and security updates emerged as a constant theme throughout the conference. Far from being technical matters left in the background, they are increasingly becoming central to whether organisations can meet compliance expectations at all.
As a result, companies are being pushed to rethink how security is built into the full lifecycle of digital products, from design and development to end-of-support.
The conference itself was structured around three strategic strands. The first focused on setting the CRA compliance framework, bringing together institutional and industry voices to clarify roles, responsibilities and support mechanisms.
The second turned to operational delivery, examining such issues as vulnerability handling procedures, incident reporting obligations, CE marking documentation requirements and pilot use cases in sectors including energy, finance, maritime and cybersecurity SMEs.
The final session looked beyond compliance itself, exploring how secure-by-design principles, public-private partnerships and long-term support structures can help turn regulatory obligations into market advantage.
Columbia Group took part through its involvement in the EU-funded CYBERGUARD and CYBERFORT projects, contributing practical insight from the maritime sector.
Marios Ioannou, Business Information Security Officer at Columbia Group, said there is “a lot of alignment on what the CRA is trying to achieve”, but added that “the real challenge is operationalising it at the product and process level”.
“The regulation sets clear expectations around vulnerability disclosure, software bill of materials and end-of-life security obligations and that’s forcing organisations based on their market role to rethink how security is embedded across the full development lifecycle,” he said.
Ioannou added that “For many, particularly smaller businesses, the gap isn’t knowledge of the regulation; it’s having the governance structures and engineering capacity to deliver on it consistently.”
That challenge, he said, comes down in large part to vulnerability management and lifecycle security: “If the processes aren’t straightforward and workable, it becomes challenging, especially for smaller businesses trying to keep up.”
At the same time, the conference also pointed to a broader concern. Multiple initiatives and guidance frameworks are evolving in parallel, raising the risk of fragmentation and duplication.
As a result, there was a clear sense in Bucharest that stronger cooperation between EU-funded projects, national authorities and industry will be needed if organisations are to be given clearer and more consistent routes to compliance.
That is also where the wider importance of CRA Europe 2026 lay. Beyond the regulatory discussion, the event set out to show how Cyber Resilience Act requirements can be translated into practical methodologies, structured compliance models and actionable tools.
It also reflected a wider European push to build a coordinated and sustainable support ecosystem, while strengthening Romania’s role as an active contributor to that effort and as a regional anchor for SME-focused cyber resilience initiatives.
The CYBERGUARD and CYBERFORT projects, funded under the European Union’s Cybersecurity and Trust Programme and Digital Europe Programme, are intended to support that direction by developing practical tools and pilot use cases across sectors including maritime, energy and finance.
Mark O’Neil, CEO of Columbia Group, said what is now becoming clear is that this is “no longer just about regulation on paper”, but “about how it works in practice across different industries”.
He added that industry has “a vital role to play in closing that gap”.
“By bringing operational insight and real-world experience into the conversation, we can help ensure cyber resilience is something organisations can actually deliver, not just something they’re expected to achieve,” O’Neil concluded.