CRA Cyber Resilience Act Conformity Assessment
CRA conformity assessment demonstrates your product meets all cybersecurity requirements. Different modules by risk class through to CE marking.
- ✓Systematic assessment according to harmonised standards
- ✓Legally sound declarations of conformity and CE marking
- ✓Optimised time-to-market through structured procedures
- ✓Continuous compliance monitoring and adaptation
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
- Your strategic goals and objectives
- Desired business outcomes and ROI
- Steps already taken
Or contact us directly:
Certifications, Partners and more...
CRA Cyber Resilience Act Conformity Assessment
Our Strengths
- Comprehensive expertise in EU conformity assessment procedures
- Many years of experience with cybersecurity standards and norms
- Close collaboration with notified bodies
- Comprehensive approach from product development to market launch
Expert Tip
Choosing the right conformity assessment procedure is decisive for costs and time expenditure. Depending on the product category and risk level, different modules are applied.
ADVISORI in Numbers
11+
Years of Experience
120+
Employees
520+
Projects
We develop a tailored conformity assessment strategy with you that is optimally aligned with your product portfolio and business requirements.
Our Approach:
Detailed product analysis and classification
Selection of the optimal conformity assessment module
Systematic execution of all assessment steps
Preparation of complete compliance documentation
Continuous monitoring and adaptation
"With our structured approach and well-founded expertise in CRA conformity assessment, we enable clients to meet all regulatory requirements on time and bring their products to market smoothly and promptly."
Sarah Richter
Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
Our Services
We offer you tailored solutions for your digital transformation
Conformity Assessment Procedure Selection
We determine the applicable conformity assessment procedure for your products under CRA Annex V.
- Product classification by risk level
- Module selection for optimal cost-benefit ratios
- Assessment of self-declaration vs. third-party certification
- Schedule and cost optimisation of assessment procedures
Technical Documentation and Testing
Complete preparation and review of technical documentation in accordance with CRA requirements.
- Technical specifications and security analyses
- Risk assessments and vulnerability analyses
- Test reports and certification documentation
- Harmonised standards compliance evidence
Our Competencies in CRA Cyber Resilience Act
Choose the area that fits your requirements
BSI oversees CRA conformity of digital products as market surveillance authority in Germany. Vulnerability reporting obligations begin September 2026, and all manufacturers must be fully compliant by December 2027. We guide you through every BSI CRA requirement.
The Cyber Resilience Act mandates cybersecurity standards for all manufacturers of digital products in the EU. Vulnerability reporting from September 2026, full compliance by December 2027. ADVISORI supports your gap analysis, SBOM creation and conformity assessment.
Systematic CRA audits verify compliance with all Cyber Resilience Act requirements. From gap analysis through conformity assessment under Module A, B, C or H to market surveillance preparation — with a clear roadmap for the deadlines starting June 2026.
From 2027, BSI will enforce CRA conformity for all digital products in Germany as the designated market surveillance authority. Spot checks, document audits and penalties up to EUR 15 million await non-compliant manufacturers. We prepare you for BSI inspections.
CRA certification ensures conformity of your digital products with the Cyber Resilience Act. From self-assessment to third-party conformity assessment.
Complete CRA compliance for digital product manufacturers. From security by design through vulnerability management to CE marking. Deadline: December 2027.
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) imposes binding cybersecurity standards on all manufacturers, importers, and distributors of products with digital elements. From September 2026, reporting obligations apply for actively exploited vulnerabilities (24-hour deadline to ENISA); from December 2027, all products must be fully CRA-compliant — otherwise fines of up to €15 million or 2.5% of global annual turnover and loss of EU market access are at risk. ADVISORI ensures you are compliant in time.
The EU Cyber Resilience Act explained for the German market. From September 2026, manufacturers must report actively exploited vulnerabilities within 24 hours. By December 2027, all digital products must be CRA-compliant. Learn how BSI enforces CRA requirements in Germany.
BSI oversees CRA conformity as national market surveillance authority. Learn about inspection procedures, corrective actions and potential sanctions.
The EU Cyber Resilience Act (CRA) Annex I defines 13 mandatory product security requirements for digital products. From security by design to SBOM documentation and vulnerability handling � these requirements become mandatory from December 2027 for all manufacturers. ADVISORI supports you in fully implementing the Annex I obligations.
Frequently Asked Questions about CRA Cyber Resilience Act Conformity Assessment
What is the CRA conformity assessment and why is it mandatory?
The CRA conformity assessment is the legally required procedure under the EU Cyber Resilience Act through which manufacturers demonstrate that their product with digital elements meets the essential cybersecurity requirements. Without a completed conformity assessment, no product may bear the CE marking or be placed on the EU single market. Full application starts in December 2027.
What conformity assessment procedures does the CRA define (Module A, B+C, H)?
The CRA defines four assessment procedures in Annex VIII: Module A is internal production control (self-assessment without a notified body). Module B is EU type examination where a notified body evaluates a prototype. Module C is subsequent internal production control for series production and is always combined with Module B. Module H is comprehensive quality assurance where a notified body assesses the manufacturer entire quality management system.
Which CRA conformity assessment module applies to my product?
Default products (approximately
90 percent of all products) can use Module A (self-assessment). Important products Class I (e.g. operating systems, routers, password managers) require Module A only when applying harmonised standards, otherwise Module B+C or H with a notified body. Important products Class II (e.g. firewalls, intrusion detection systems) and critical products (e.g. smart cards, smart meter gateways) must undergo mandatory third-party assessment.
What is the difference between self-assessment (Module A) and third-party assessment?
In the self-assessment under Module A, the manufacturer independently creates the technical documentation, conducts the risk assessment and declares conformity without external review. In third-party assessment (Module B+C or H), a notified body designated by an EU member state examines either the product type or the quality assurance system. Third-party assessment is mandatory for important products Class II and critical products.
What is a notified body and when do I need one for CRA conformity?
A notified body is a conformity assessment body accredited by an EU member state that is authorised to perform third-party assessments under the CRA. You need a notified body when your product is classified as important (Class II) or critical, or when you do not apply harmonised standards for Class I products. Notification of these bodies starts from June
2026 via the NANDO database.
What are the deadlines for CRA conformity assessment?
The CRA entered into force on
10 December 2024. Notification of conformity assessment bodies begins from
11 June 2026. Vulnerability reporting obligations apply from
11 September 2026. Full application of all CRA requirements including conformity assessment and CE marking obligations starts from
11 December 2027.
How does ADVISORI support the CRA conformity assessment process?
ADVISORI guides you through the entire conformity assessment process: We determine your product category and the appropriate assessment module, prepare the technical documentation according to Annex VII, conduct the cybersecurity risk assessment and prepare you for examination by notified bodies. For Module A we support the self-assessment, for Module B+C and H we prepare you for the third-party examination.
Success Stories
Discover how we support companies in their digital transformation
Digitalization in Steel Trading
Klöckner & Co
Digital Transformation in Steel Trading
Results
AI-Powered Manufacturing Optimization
Siemens
Smart Manufacturing Solutions for Maximum Value Creation
Results
AI Automation in Production
Festo
Intelligent Networking for Future-Proof Production Systems
Results
Generative AI in Manufacturing
Bosch
AI Process Optimization for Improved Production Efficiency
Results
Let's
Work Together!
Is your organization ready for the next step into the digital future? Contact us for a personal consultation.
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
Ready for the next step?
Schedule a strategic consultation with our experts now
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
Prefer direct contact?
Direct hotline for decision-makers
Strategic inquiries via email
Detailed Project Inquiry
For complex inquiries or if you want to provide specific information in advance