CRA Compliance

CRA compliance refers to meeting the requirements of the EU Cyber Resilience Act (Regulation 2024/2847). It applies to all manufacturers, importers, and distributors of products with digital elements placed on the EU market. This includes connected hardware, standalone software, and remote data processing solutions. Exemptions exist for medical devices, vehicles, aviation products, and certain open-source software. ADVISORI helps manufacturers determine whether their products fall under the CRA and which product category (Default, Class I, or Class II) applies.

The Cyber Resilience Act entered into force on

10 December

2024 and becomes applicable in stages: From

11 June 2026, conformity assessment bodies must be notified. From

11 September 2026, manufacturers must report actively exploited vulnerabilities to ENISA and national authorities within

24 hours. From

11 December 2027, all CRA requirements apply fully, including essential cybersecurity requirements, vulnerability handling, and CE marking. Companies should start their gap analysis now to meet these deadlines.

Core CRA requirements include: security by design in development and production, vulnerability handling throughout the product lifecycle, creation of a Software Bill of Materials (SBOM), free security updates for at least

5 years, reporting actively exploited vulnerabilities within

24 hours, technical documentation and EU declaration of conformity, and CE marking before placing products on the market. ADVISORI guides implementation of all requirements from initial assessment through audit readiness.

The CRA defines three product categories: Default products (self-assessment possible, e.g., smart home devices, games), Class I products (elevated risk, harmonised standards or third-party assessment, e.g., VPN software, routers, operating systems), and Class II products (high risk, mandatory third-party assessment, e.g., firewalls, smartcards, industrial control systems). Correct classification determines the required conformity assessment procedure. ADVISORI assists with product classification and the appropriate assessment path.

The CRA conformity assessment involves: internal risk analysis of the product, verification against the essential cybersecurity requirements in Annex I, preparation of technical documentation including SBOM, completion of the conformity assessment procedure (self-assessment for default products or third-party assessment for Class I/II), issuance of the EU declaration of conformity, and affixing the CE marking. For Class I products, applying harmonised standards can replace third-party assessment. The BSI serves as the German market surveillance authority overseeing compliance.

The Cyber Resilience Act imposes significant penalties: Up to EUR

15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements, up to EUR

10 million or 2% for other CRA obligations, and up to EUR

5 million or 1% for providing false or incomplete information to authorities. Additionally, market surveillance authorities can order the recall or prohibition of non-compliant products. Early compliance investment protects against these financial and reputational risks.

ADVISORI guides companies through every phase of CRA compliance: gap analysis to determine current maturity, product classification and scope definition, building security-by-design processes in development, implementing vulnerability management and SBOM creation, preparing conformity assessments and technical documentation, establishing reporting processes for vulnerabilities and incidents, and ongoing compliance monitoring. Our approach harmonises CRA requirements with existing standards such as IEC 62443, ISO 27001, and NIS-2.