What Is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) — Regulation (EU) 2024/2847 — is the EU's horizontal cybersecurity regulation for products with digital elements. It establishes mandatory cybersecurity requirements covering the entire product lifecycle, from design and development through to end-of-life.

The CRA applies to virtually all hardware and software products with digital elements made available on the EU market, with specific obligations for manufacturers, importers and distributors. Products already covered by sector-specific rules (for example medical devices, motor vehicles and civil aviation) are excluded, and free and open-source software is in scope only when it is supplied in the course of a commercial activity.

Key CRA Requirements

Security by Design

  • Products must be designed and developed with appropriate cybersecurity measures
  • Default configurations must be secure
  • Vulnerabilities must be handled systematically throughout the support period

Vulnerability Handling

  • Manufacturers must establish coordinated vulnerability disclosure policies
  • Security updates must be provided throughout a support period that reflects the product's expected time in use; that period must be at least 5 years unless the product is expected to be in use for a shorter time
  • Actively exploited vulnerabilities must be notified to the CSIRT designated as coordinator and to ENISA through the single reporting platform: an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours and a final report no later than 14 days after a corrective or mitigating measure is available

Software Bill of Materials (SBOM)

  • Manufacturers must document and maintain an SBOM for each product
  • SBOMs must be in a commonly used, machine-readable format and cover at least the product's top-level dependencies; the SBOM is part of the technical documentation and must be made available to market surveillance authorities on request, but does not have to be published to end users
  • Enables rapid vulnerability identification across the software supply chain
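The list above says what an SBOM must contain but not what a manufacturer actually does with one. The script below is an added example, not code from the page or from any CRA text: it loads a small SBOM in CycloneDX 1.5 JSON layout, reports the product's top-level dependencies (the CRA minimum), walks the full dependency graph, and matches components against a constructed advisory feed. The product, component versions and advisory IDs (EXAMPLE-ADV-*) are all made up; the assumption that the product is `metadata.component` and that its `dependencies` entry names the top-level dependencies follows the CycloneDX layout.

```python
"""Added example (not from the page): minimal CycloneDX-style SBOM handling.
Shows the difference between the CRA's top-level minimum and a full graph walk
when matching against vulnerability data. All data below is constructed."""
import json
import re
from collections import deque

# Constructed sample SBOM in CycloneDX 1.5 JSON layout. Assumption: the product
# is metadata.component, and its "dependencies" entry lists the top-level
# dependencies; everything reachable beyond those is transitive.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {
        "type": "firmware", "bom-ref": "pkg:generic/acme-gateway@2.3.0",
        "name": "acme-gateway", "version": "2.3.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/openssl@3.0.7",
         "name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
        {"type": "library", "bom-ref": "pkg:generic/zlib@1.2.13",
         "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.28.1",
         "name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@1.26.12",
         "name": "urllib3", "version": "1.26.12", "purl": "pkg:pypi/urllib3@1.26.12"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/acme-gateway@2.3.0",
         "dependsOn": ["pkg:generic/openssl@3.0.7", "pkg:generic/zlib@1.2.13",
                       "pkg:pypi/requests@2.28.1"]},
        {"ref": "pkg:pypi/requests@2.28.1", "dependsOn": ["pkg:pypi/urllib3@1.26.12"]},
    ],
})

# Constructed advisory feed with fictitious IDs and ranges (not real CVEs).
# "introduced" is inclusive, "fixed" is exclusive.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "openssl", "introduced": "3.0.0", "fixed": "3.0.8"},
    {"id": "EXAMPLE-ADV-0002", "name": "urllib3", "introduced": "1.26.0", "fixed": "1.26.13"},
    {"id": "EXAMPLE-ADV-0003", "name": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
]


def load_sbom(text):
    """Parse the JSON text; a document that fails here is not machine-readable."""
    return json.loads(text)


def check_minimum_fields(sbom):
    """Return a list of problems; empty means the fields a reviewer looks for
    first are present (format marker, spec version, name+version per component)."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if "specVersion" not in sbom:
        problems.append("specVersion missing")
    for c in sbom.get("components", []):
        if not c.get("name") or not c.get("version"):
            problems.append(f"component without name/version: {c.get('bom-ref')}")
    return problems


def _by_ref(sbom):
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def _edges(sbom):
    return {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}


def top_level_dependencies(sbom):
    """Components the product depends on directly: the CRA minimum."""
    product_ref = sbom["metadata"]["component"]["bom-ref"]
    comps = _by_ref(sbom)
    return [comps[r] for r in _edges(sbom).get(product_ref, []) if r in comps]


def all_dependencies(sbom):
    """Every component reachable from the product, top-level and transitive (BFS)."""
    product_ref = sbom["metadata"]["component"]["bom-ref"]
    edges, comps = _edges(sbom), _by_ref(sbom)
    seen, queue, out = {product_ref}, deque([product_ref]), []
    while queue:
        for r in edges.get(queue.popleft(), []):
            if r not in seen and r in comps:
                seen.add(r)
                queue.append(r)
                out.append(comps[r])
    return out


def _vkey(version):
    """Numeric-tuple comparison key; non-numeric parts sort as 0 (simplifying assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def match_advisories(components, advisories):
    """Return (name, version, advisory id) for each component inside an affected range."""
    hits = []
    for c in components:
        v = _vkey(c["version"])
        for a in advisories:
            if a["name"] == c["name"] and _vkey(a["introduced"]) <= v < _vkey(a["fixed"]):
                hits.append((c["name"], c["version"], a["id"]))
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("problems:", check_minimum_fields(sbom))
    print("top-level hits:", match_advisories(top_level_dependencies(sbom), SAMPLE_ADVISORIES))
    print("full-graph hits:", match_advisories(all_dependencies(sbom), SAMPLE_ADVISORIES))
```

Run on the constructed data, the top-level match finds only the openssl entry, while the full graph walk also surfaces the transitive urllib3 entry. That gap is the practical reason to record more than the top-level minimum even though the regulation only demands top-level coverage.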

Conformity Assessment

  • Default products: Self-assessment (Module A)
  • Important products (Class I): Self-assessment remains possible where harmonised standards, common specifications or an EU cybersecurity certification scheme are applied in full; otherwise third-party assessment (Module B+C or Module H)
  • Important products (Class II) and critical products: Third-party assessment required; for critical products the Commission may additionally mandate an EU cybersecurity certificate

Our CRA Readiness Services

CRA Gap Analysis

We assess your current product security posture and development processes against every essential requirement in Annex I of the CRA. You receive a prioritised roadmap to compliance.

Vulnerability Handling Process Design

We help you design and implement vulnerability handling procedures that meet the CRA's Article 13 and Annex I Part II requirements, including coordinated disclosure, incident response and the Article 14 notification workflows towards the coordinator CSIRT and ENISA.

SBOM Management

We help establish SBOM generation, maintenance and distribution processes that satisfy CRA documentation requirements and enable effective supply-chain risk management.

Conformity Assessment Preparation

Whether your product falls under the default category, Class I, Class II or the critical product list, we prepare you for the appropriate conformity assessment route, including Notified Body examination where required.

CRA Timeline

The CRA entered into force on 10 December 2024. Key dates:

  • 11 June 2026: Conformity assessment body provisions apply
  • 11 September 2026: Vulnerability reporting obligations apply
  • 11 December 2027: All provisions apply in full

"The CRA is the most significant horizontal cybersecurity regulation the EU has ever introduced. Manufacturers who start preparing now will have a clear competitive advantage."

See also our EN 18031-1 compliance testing for products that also fall under the Radio Equipment Directive, and our risk assessment services to support your CRA security-by-design obligations.