CRA Directive
Comprehensive guide to the Cyber Resilience Act. All requirements, deadlines, product categories and implementation steps clearly explained.
- ✓Strategic CRA Directive implementation planning
- ✓Systematic organizational transformation for CRA compliance
- ✓Integrated governance structures and control mechanisms
- ✓Continuous compliance monitoring and optimization
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
- Your strategic goals and objectives
- Desired business outcomes and ROI
- Steps already taken
Or contact us directly:
Certifications, Partners and more...
CRA Directive Implementation
Our CRA Directive Expertise
- Extensive experience in strategic compliance transformation
- Proven methodologies for organizational development and change management
- Integrated approach from strategy to operational implementation
- Continuous support and sustainable optimization
Strategic Note
CRA Directive implementation requires a comprehensive view of strategic, organizational, and technical aspects. An early and systematic approach is critical for sustainable compliance success.
ADVISORI in Numbers
11+
Years of Experience
120+
Employees
520+
Projects
We develop a tailored CRA Directive implementation strategy with you that optimally connects regulatory requirements with strategic business objectives and organizational conditions.
Our Approach:
Comprehensive organizational analysis and strategy development
Structured transformation planning and change management
Building solid governance and control structures
Integration into existing business and IT processes
Continuous monitoring and strategic adjustment
"The strategic implementation of the CRA Directive goes far beyond pure compliance — it creates the foundation for future-ready, cybersecure corporate governance. Our clients benefit from a comprehensive transformation approach that not only fulfills regulatory requirements but also generates sustainable business value and competitive advantages."
Sarah Richter
Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
Our Services
We offer you tailored solutions for your digital transformation
CRA Directive Strategy Development
Development of a comprehensive strategy for the systematic implementation of the CRA Directive into your organizational structures.
- Strategic analysis and goal setting
- Organizational readiness assessment
- Implementation roadmap with milestones
- Resource planning and budgeting
Organizational Transformation
Systematic transformation of your organization for sustainable CRA compliance through structured change management processes.
- Governance structures and responsibilities
- Process optimization and integration
- Employee qualification and awareness
- Continuous improvement processes
Our Competencies in CRA Cyber Resilience Act
Choose the area that fits your requirements
BSI oversees CRA conformity of digital products as market surveillance authority in Germany. Vulnerability reporting obligations begin September 2026, and all manufacturers must be fully compliant by December 2027. We guide you through every BSI CRA requirement.
The Cyber Resilience Act mandates cybersecurity standards for all manufacturers of digital products in the EU. Vulnerability reporting from September 2026, full compliance by December 2027. ADVISORI supports your gap analysis, SBOM creation and conformity assessment.
Systematic CRA audits verify compliance with all Cyber Resilience Act requirements. From gap analysis through conformity assessment under Module A, B, C or H to market surveillance preparation — with a clear roadmap for the deadlines starting June 2026.
From 2027, BSI will enforce CRA conformity for all digital products in Germany as the designated market surveillance authority. Spot checks, document audits and penalties up to EUR 15 million await non-compliant manufacturers. We prepare you for BSI inspections.
CRA certification ensures conformity of your digital products with the Cyber Resilience Act. From self-assessment to third-party conformity assessment.
Complete CRA compliance for digital product manufacturers. From security by design through vulnerability management to CE marking. Deadline: December 2027.
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) imposes binding cybersecurity standards on all manufacturers, importers, and distributors of products with digital elements. From September 2026, reporting obligations apply for actively exploited vulnerabilities (24-hour deadline to ENISA); from December 2027, all products must be fully CRA-compliant — otherwise fines of up to €15 million or 2.5% of global annual turnover and loss of EU market access are at risk. ADVISORI ensures you are compliant in time.
CRA conformity assessment demonstrates your product meets all cybersecurity requirements. Different modules by risk class through to CE marking.
The EU Cyber Resilience Act explained for the German market. From September 2026, manufacturers must report actively exploited vulnerabilities within 24 hours. By December 2027, all digital products must be CRA-compliant. Learn how BSI enforces CRA requirements in Germany.
BSI oversees CRA conformity as national market surveillance authority. Learn about inspection procedures, corrective actions and potential sanctions.
The EU Cyber Resilience Act (CRA) Annex I defines 13 mandatory product security requirements for digital products. From security by design to SBOM documentation and vulnerability handling � these requirements become mandatory from December 2027 for all manufacturers. ADVISORI supports you in fully implementing the Annex I obligations.
Frequently Asked Questions about CRA Directive
Is the Cyber Resilience Act a directive or a regulation?
The Cyber Resilience Act (CRA) is an EU Regulation (2024/2847), not a directive. The term 'CRA directive' is commonly used in searches but legally inaccurate. As a regulation, the CRA applies directly in all EU member states without requiring transposition into national law – unlike a directive. It entered into force on
11 December 2024.
What products fall under the Cyber Resilience Act?
The CRA covers all products with digital elements placed on the EU market – both hardware and software. This includes connected consumer goods, B2B software, IoT devices and industrial control systems. Medical devices, vehicles and products already subject to sector-specific cybersecurity rules are excluded.
What are the CRA compliance deadlines?
The CRA has three key deadlines: By
11 June 2026, conformity assessment bodies must be designated. From
11 September 2026, mandatory vulnerability and incident reporting obligations apply. From
11 December 2027, all requirements must be fully met. Manufacturers should start implementation now, as adapting product development processes typically takes 12–18 months.
What are the main obligations for manufacturers under the CRA?
Manufacturers must ensure cybersecurity throughout the entire product lifecycle: conduct security assessments, establish vulnerability handling processes, provide automatic security updates and inform users about risks. Products are classified into risk categories – Default, Important and Critical – with increasing conformity assessment requirements.
What penalties apply for CRA non-compliance?
CRA violations can result in fines of up to EUR
15 million or 2.5% of global annual turnover, whichever is higher. Market surveillance authorities can withdraw products from the market for missing or incorrect CE marking, incomplete technical documentation or failure to report vulnerabilities.
How does the CRA differ from NIS2 and the AI Act?
The CRA regulates product security (cybersecurity of hardware and software), while NIS 2 addresses organizational security (network and information security of critical entities). The AI Act specifically governs AI systems. Companies may be subject to all three regulations simultaneously – CRA for their products, NIS 2 for their IT infrastructure and the AI Act for AI components.
How does ADVISORI support CRA implementation?
ADVISORI guides companies through full CRA compliance: gap analysis against CRA requirements, risk classification of product portfolios, establishing vulnerability management processes, preparing for conformity assessments and training development teams in security-by-design. We combine regulatory expertise with technical know-how for pragmatic implementation.
Success Stories
Discover how we support companies in their digital transformation
Digitalization in Steel Trading
Klöckner & Co
Digital Transformation in Steel Trading
Results
AI-Powered Manufacturing Optimization
Siemens
Smart Manufacturing Solutions for Maximum Value Creation
Results
AI Automation in Production
Festo
Intelligent Networking for Future-Proof Production Systems
Results
Generative AI in Manufacturing
Bosch
AI Process Optimization for Improved Production Efficiency
Results
Let's
Work Together!
Is your organization ready for the next step into the digital future? Contact us for a personal consultation.
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
Ready for the next step?
Schedule a strategic consultation with our experts now
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
Prefer direct contact?
Direct hotline for decision-makers
Strategic inquiries via email
Detailed Project Inquiry
For complex inquiries or if you want to provide specific information in advance