Regulatory compliance
The Cyber Resilience Act (CRA) is the European cybersecurity regulation for products with digital elements. If you develop or sell hardware or software, it requires you to apply security by design and CE marking for cybersecurity. We prepare you for the whole cycle: essential requirements, vulnerability management, technical documentation and conformity assessment.
Certified team (CISA, CISSP, CISM) with experience in product security and conformity assessment.
The timeline
The CRA entered into force in December 2024 and applies in phases. The final date is far off, but there are obligations that are already close, and getting ready takes months.
11 Sep 2026
Obligation to notify exploited vulnerabilities and serious incidents, with an early warning within 24 hours. It reaches even products already on the market.
11 Dec 2026
Conformity assessment bodies begin to be designated: these are the bodies that will be able to certify the products that require third-party certification.
11 Dec 2027
All requirements in force: security by design, documentation, conformity assessment and CE marking for new products.
The September 2026 date is the most pressing one, because it requires having the detection and reporting processes ready, and it also applies to what you already have on the market. Building that capability cannot be improvised.
Who it applies to
The CRA reaches products with digital elements that are placed on the European Union market, both hardware and software. And not only the manufacturer: importers and distributors have their share of responsibility.
If you are not sure whether your product is in scope or which category it falls into, the applicability analysis clarifies it: not all products have the same level of demand.
Service
Product classification: whether it falls under the CRA and at what level of demand, according to its criticality.
Gap analysis against the essential requirements of Annex I, in product and in processes.
Security by design: requirements built into development, not added at the end.
Vulnerability management: detection and handling processes and the 24-hour and 72-hour reports required by article 14.
Technical documentation and SBOM: the component inventory and the documentation the regulation requires.
Support period: definition and communication of security support throughout the product's life.
Conformity assessment and CE marking preparation, with the route that matches your product.
Supply chain: requirements for your component suppliers so they do not break your conformity.
Method
We determine whether the product is in scope, which category it falls into and the distance from Annex I, in product and processes.
A prioritized roadmap that cross-references requirements with your product roadmap and the CRA dates.
Security in development, vulnerability management, technical documentation, SBOM and support period.
Conformity assessment through the matching route and CE marking preparation.
Synergies
The CRA is not separate paperwork: it lives inside how you build the product. We integrate it into your secure development cycle, so that requirements are met by working, not by filling in documents at the end. If you already have security practices in development or an ISMS, much of the groundwork is done. Since the CRA requires proving that development is secure, our source code audit provides that evidence, reviewing the code from the inside. For industrial products, IEC 62443 is the framework that demonstrates their security.
What sets us apart: we are auditors as well as implementers, and we combine the compliance view with the technical one. We know what evidence a conformity assessment will ask for because we work with that logic every day.
Questions
The Cyber Resilience Act is the European regulation that sets cybersecurity requirements for products with digital elements, hardware and software, sold in the European Union. It requires security by design, managing vulnerabilities throughout the product's life and demonstrating it with documentation and CE marking.
To almost any product with digital elements that connects directly or indirectly to another device or to a network: software, hardware and their components. There are limited exclusions (for example, products already covered by other sector-specific regulations), and within the scope there are different levels of criticality that determine how conformity is assessed. The applicability analysis clarifies it for your case.
In phases. It entered into force in December 2024 and applies in full on 11 December 2027, but there are obligations before that: the reporting of vulnerabilities and incidents under article 14 from 11 September 2026, which reaches even products already on the market, and the designation of notified bodies in late 2026. It is worth starting early, because building the processes takes time.
Failure to meet the essential cybersecurity requirements or the reporting obligations can lead to fines of up to 15 million euros or 2.5% of annual worldwide turnover, whichever is higher. For manufacturers selling in the EU, it is a first-order business risk.
The SBOM is the inventory of your software's components, the list of everything that makes it up, including third-party libraries. The CRA requires it because you cannot protect or report vulnerabilities of what you do not know you use. We help you generate it and keep it alive as part of vulnerability management.
It is the same CE marking, but certifying compliance with the CRA cybersecurity requirements. It is not a sticker you slap on: it is the visible consequence of having done the work, the conformity assessment, the technical documentation and security by design. We prepare you to obtain it through the route that matches your product.
Shall we talk?
The applicability analysis settles the question in a few days: whether your product falls under the CRA, at what level and what stands between you and CE marking.
Get in touch