CRA Cyber Resilience Act Market Surveillance
BSI oversees CRA conformity as national market surveillance authority. Learn about inspection procedures, corrective actions and potential sanctions.
- ✓Proactive preparation for CRA market surveillance procedures
- ✓Continuous compliance monitoring and surveillance
- ✓Structured documentation for authority audits
- ✓Minimization of sanction risks and enforcement measures
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
- Your strategic goals and objectives
- Desired business outcomes and ROI
- Steps already taken
Or contact us directly:
Certifications, Partners and more...
CRA Cyber Resilience Act Market Surveillance
Our Expertise
- In-depth knowledge of CRA market surveillance procedures
- Experience in preparing for authority audits
- Practical support with compliance monitoring systems
- Comprehensive consulting from preparation through to implementation
Legal Notice
CRA market surveillance begins when the regulation enters into force. Authorities receive extensive powers for product audits, sanctions, and market measures. Early preparation is essential.
ADVISORI in Numbers
11+
Years of Experience
120+
Employees
520+
Projects
We systematically prepare you for CRA market surveillance and establish solid compliance monitoring systems.
Our Approach:
Assessment of current compliance readiness
Establishment of monitoring and surveillance systems
Development of incident response processes
Preparation for specific audit scenarios
Ongoing support and optimization
"As a reliable partner, we prepare our clients in a targeted manner for CRA market surveillance. Our systematic methodology and continuous monitoring give them the confidence to be audit-ready at all times."
Sarah Richter
Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
Our Services
We offer you tailored solutions for your digital transformation
Compliance Monitoring Systems
Design and implementation of systems for continuous monitoring of CRA compliance.
- Design of compliance monitoring frameworks
- Automated monitoring dashboards
- Early warning systems and alert mechanisms
- Continuous performance measurement and reporting
Market Surveillance Readiness
Comprehensive preparation for authority audits and market surveillance procedures under the CRA.
- Audit simulations and mock audits
- Documentation readiness and evidence preservation
- Incident response and crisis management
- Ongoing support and compliance assistance
Our Competencies in CRA Cyber Resilience Act
Choose the area that fits your requirements
BSI oversees CRA conformity of digital products as market surveillance authority in Germany. Vulnerability reporting obligations begin September 2026, and all manufacturers must be fully compliant by December 2027. We guide you through every BSI CRA requirement.
The Cyber Resilience Act mandates cybersecurity standards for all manufacturers of digital products in the EU. Vulnerability reporting from September 2026, full compliance by December 2027. ADVISORI supports your gap analysis, SBOM creation and conformity assessment.
Systematic CRA audits verify compliance with all Cyber Resilience Act requirements. From gap analysis through conformity assessment under Module A, B, C or H to market surveillance preparation — with a clear roadmap for the deadlines starting June 2026.
From 2027, BSI will enforce CRA conformity for all digital products in Germany as the designated market surveillance authority. Spot checks, document audits and penalties up to EUR 15 million await non-compliant manufacturers. We prepare you for BSI inspections.
CRA certification ensures conformity of your digital products with the Cyber Resilience Act. From self-assessment to third-party conformity assessment.
Complete CRA compliance for digital product manufacturers. From security by design through vulnerability management to CE marking. Deadline: December 2027.
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) imposes binding cybersecurity standards on all manufacturers, importers, and distributors of products with digital elements. From September 2026, reporting obligations apply for actively exploited vulnerabilities (24-hour deadline to ENISA); from December 2027, all products must be fully CRA-compliant — otherwise fines of up to €15 million or 2.5% of global annual turnover and loss of EU market access are at risk. ADVISORI ensures you are compliant in time.
CRA conformity assessment demonstrates your product meets all cybersecurity requirements. Different modules by risk class through to CE marking.
The EU Cyber Resilience Act explained for the German market. From September 2026, manufacturers must report actively exploited vulnerabilities within 24 hours. By December 2027, all digital products must be CRA-compliant. Learn how BSI enforces CRA requirements in Germany.
The EU Cyber Resilience Act (CRA) Annex I defines 13 mandatory product security requirements for digital products. From security by design to SBOM documentation and vulnerability handling � these requirements become mandatory from December 2027 for all manufacturers. ADVISORI supports you in fully implementing the Annex I obligations.
Frequently Asked Questions about CRA Cyber Resilience Act Market Surveillance
What is CRA market surveillance and who carries it out?
CRA market surveillance is the EU-wide enforcement system under the Cyber Resilience Act. Each EU Member State designates a national market surveillance authority empowered to inspect products with digital elements for CRA conformity. In Germany the BSI fulfils this role. Authorities can inspect products, request evidence and order corrective actions where non-compliance is found.
What penalties apply for CRA non-compliance?
Violations of the essential cybersecurity requirements can result in fines of up to EUR
15 million or 2.5% of global annual turnover, whichever is higher. For less serious infringements the cap is EUR
10 million or 2% of turnover. Additionally, authorities can withdraw products from the market or order recalls.
When do CRA market surveillance rules take effect?
CRA market surveillance is phased in: by June
2026 Member States must designate their notifying authorities. From September
2026 reporting obligations for exploited vulnerabilities and severe incidents apply. The full market surveillance framework takes effect from December
2027 for all in-scope products.
What happens during a CRA product recall?
When a market surveillance authority determines that a product fails to meet CRA requirements and poses a cybersecurity risk, it can require the manufacturer to bring the product into conformity, restrict or prohibit its availability on the market, or order a recall. The manufacturer must then notify all affected users and implement corrective measures.
How does CRA market surveillance differ across EU Member States?
The CRA establishes a uniform EU-wide framework defining penalty ceilings, reporting obligations and corrective powers. Each Member State then designates its own national authority to implement these rules locally. For example Germany appointed the BSI while other countries designate their own cybersecurity or consumer protection agencies. Coordination happens through ADCO groups and the EU Safeguard Clause procedure.
What reporting obligations start in September 2026?
From
11 September
2026 manufacturers must report actively exploited vulnerabilities and severe security incidents to ENISA and the relevant national authority. This applies even to products already on the EU market before December 2027. Reports must be submitted within
24 hours of becoming aware of an incident.
How does ADVISORI prepare companies for CRA market surveillance?
ADVISORI conducts a readiness assessment of your current CRA compliance posture, identifies gaps and builds monitoring systems. We develop incident response processes for reporting obligations, prepare documentation for audit scenarios and establish continuous surveillance mechanisms so you are ready for authority inquiries and market checks.
Success Stories
Discover how we support companies in their digital transformation
Digitalization in Steel Trading
Klöckner & Co
Digital Transformation in Steel Trading
Results
AI-Powered Manufacturing Optimization
Siemens
Smart Manufacturing Solutions for Maximum Value Creation
Results
AI Automation in Production
Festo
Intelligent Networking for Future-Proof Production Systems
Results
Generative AI in Manufacturing
Bosch
AI Process Optimization for Improved Production Efficiency
Results
Let's
Work Together!
Is your organization ready for the next step into the digital future? Contact us for a personal consultation.
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
Ready for the next step?
Schedule a strategic consultation with our experts now
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
Prefer direct contact?
Direct hotline for decision-makers
Strategic inquiries via email
Detailed Project Inquiry
For complex inquiries or if you want to provide specific information in advance