CRA EU
The Cyber Resilience Act (CRA) is EU Regulation 2024/2847, establishing the first mandatory cybersecurity requirements for all products with digital elements in the European single market. By December 2027, manufacturers, importers, and distributors must meet full CRA requirements � vulnerability reporting obligations apply from September 2026. ADVISORI supports your strategic CRA EU compliance journey.
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
- Your strategic goals and objectives
- Desired business outcomes and ROI
- Steps already taken
Or contact us directly:
Certifications, Partners and more...
What is the CRA EU and who does the regulation affect?
ADVISORI in Numbers
11+
Years of Experience
120+
Employees
520+
Projects
We take a comprehensive approach to CRA EU compliance that combines technical excellence with strategic business understanding and creates sustainable competitive advantages in the European market.
Our Approach:
Strategic EU market analysis and regulatory assessment
Tailored compliance architecture for EU requirements
Integrated implementation with business processes
Cross-border coordination and local adaptation
Continuous optimization and market monitoring
"CRA EU compliance is the key to sustainable success in the European single market. Our strategic approach transforms regulatory requirements into competitive advantages and builds trust with European customers and business partners through excellent cybersecurity standards."
Sarah Richter
Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
Our Services
We offer you tailored solutions for your digital transformation
CRA EU Strategic Assessment
Comprehensive assessment of your CRA EU readiness with a strategic roadmap for successful compliance in the European single market.
- EU-wide regulatory analysis and market assessment
- Product classification according to CRA EU standards
- Cross-border compliance gap analysis
- Strategic implementation roadmap
EU Harmonized Standards Integration
Practical implementation of harmonized EU standards and integration into your product development and quality management systems.
- EN/ISO/ETSI standards implementation
- CE marking and conformity assessment
- Cross-border documentation management
- Continuous standards monitoring
Our Competencies in CRA Cyber Resilience Act
Choose the area that fits your requirements
BSI oversees CRA conformity of digital products as market surveillance authority in Germany. Vulnerability reporting obligations begin September 2026, and all manufacturers must be fully compliant by December 2027. We guide you through every BSI CRA requirement.
The Cyber Resilience Act mandates cybersecurity standards for all manufacturers of digital products in the EU. Vulnerability reporting from September 2026, full compliance by December 2027. ADVISORI supports your gap analysis, SBOM creation and conformity assessment.
Systematic CRA audits verify compliance with all Cyber Resilience Act requirements. From gap analysis through conformity assessment under Module A, B, C or H to market surveillance preparation — with a clear roadmap for the deadlines starting June 2026.
From 2027, BSI will enforce CRA conformity for all digital products in Germany as the designated market surveillance authority. Spot checks, document audits and penalties up to EUR 15 million await non-compliant manufacturers. We prepare you for BSI inspections.
CRA certification ensures conformity of your digital products with the Cyber Resilience Act. From self-assessment to third-party conformity assessment.
Complete CRA compliance for digital product manufacturers. From security by design through vulnerability management to CE marking. Deadline: December 2027.
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) imposes binding cybersecurity standards on all manufacturers, importers, and distributors of products with digital elements. From September 2026, reporting obligations apply for actively exploited vulnerabilities (24-hour deadline to ENISA); from December 2027, all products must be fully CRA-compliant — otherwise fines of up to €15 million or 2.5% of global annual turnover and loss of EU market access are at risk. ADVISORI ensures you are compliant in time.
CRA conformity assessment demonstrates your product meets all cybersecurity requirements. Different modules by risk class through to CE marking.
The EU Cyber Resilience Act explained for the German market. From September 2026, manufacturers must report actively exploited vulnerabilities within 24 hours. By December 2027, all digital products must be CRA-compliant. Learn how BSI enforces CRA requirements in Germany.
BSI oversees CRA conformity as national market surveillance authority. Learn about inspection procedures, corrective actions and potential sanctions.
The EU Cyber Resilience Act (CRA) Annex I defines 13 mandatory product security requirements for digital products. From security by design to SBOM documentation and vulnerability handling � these requirements become mandatory from December 2027 for all manufacturers. ADVISORI supports you in fully implementing the Annex I obligations.
Frequently Asked Questions about CRA EU
What is the CRA EU (Regulation 2024/2847)?
The CRA EU is Regulation (EU) 2024/2847 � the Cyber Resilience Act. It establishes the first mandatory cybersecurity requirements for products with digital elements across the entire EU single market. As an EU regulation, the CRA applies directly in all member states without requiring national transposition. The regulation entered into force on
10 December
2024 and governs security requirements for hardware and software throughout the entire product lifecycle.
What are the key deadlines for CRA EU compliance?
The CRA EU regulation follows a phased timeline: entry into force on
10 December 2024, reporting obligations for actively exploited vulnerabilities from
11 September 2026, and full applicability of all main obligations from
11 December 2027. Manufacturers must observe the 21-month transition period for reporting obligations and the 36-month period for all remaining requirements.
Who does the EU Cyber Resilience Act apply to?
The EU CRA applies to three categories of economic operators: manufacturers of products with digital elements (e.g., IoT devices, software applications), importers who bring such products into the EU, and distributors who make them available on the EU market. Open-source software is generally in scope, though the regulation provides an exemption for non-commercial open-source development and introduces the new role of open source steward.
What product categories does the CRA EU regulation define?
The CRA EU regulation defines three product categories: default products (manufacturer self-assessment sufficient), important products Class I and II (e.g., password managers, firewalls � third-party assessment may be required), and critical products (e.g., smartcard systems, hardware security modules � mandatory assessment by a Notified Body). The classification determines the required conformity assessment procedure and the effort needed for CE marking.
What is a Software Bill of Materials (SBOM) under the CRA EU?
The CRA EU regulation requires manufacturers to create a Software Bill of Materials (SBOM). The SBOM documents all software components of a product, including third-party libraries and open-source components. It ensures transparency across the software supply chain and enables rapid identification of affected products when new vulnerabilities are discovered. The SBOM must be machine-readable and kept up to date throughout the product support period.
What penalties apply for non-compliance with the CRA EU regulation?
Non-compliance with the CRA EU regulation can result in fines of up to EUR
15 million or 2.5% of total worldwide annual turnover, whichever is higher. National market surveillance authorities monitor compliance and can order non-conforming products to be withdrawn from the EU market. Additionally, CE marking can be revoked, effectively blocking market access across the entire EU single market.
How does ADVISORI support CRA EU compliance?
ADVISORI guides manufacturers, importers, and distributors through complete CRA EU compliance: from product classification and gap analysis to SBOM creation and CE marking. Our consultants combine regulatory expertise with technical understanding of security-by-design, vulnerability management, and conformity assessment procedures � tailored to your product category and EU market requirements.
Success Stories
Discover how we support companies in their digital transformation
Digitalization in Steel Trading
Klöckner & Co
Digital Transformation in Steel Trading
Results
AI-Powered Manufacturing Optimization
Siemens
Smart Manufacturing Solutions for Maximum Value Creation
Results
AI Automation in Production
Festo
Intelligent Networking for Future-Proof Production Systems
Results
Generative AI in Manufacturing
Bosch
AI Process Optimization for Improved Production Efficiency
Results
Let's
Work Together!
Is your organization ready for the next step into the digital future? Contact us for a personal consultation.
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
Ready for the next step?
Schedule a strategic consultation with our experts now
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
Prefer direct contact?
Direct hotline for decision-makers
Strategic inquiries via email
Detailed Project Inquiry
For complex inquiries or if you want to provide specific information in advance