New requirements for product security

Cyber Resilience Act

The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for "products with digital elements" placed on the EU market. From secure-by-design to vulnerability handling and CE marking, manufacturers must demonstrate, and maintain, the security of their products across the entire lifecycle. Drawing on our experience in both regulatory consulting and product development, we can help you securing your products.

Talk to us
Dec 2024
Entered into force
Sep 2026
Reporting obligations apply
Dec 2027
All requirements apply
Cyber Resilience Act

The core themes of the CRA

The CRA touches your products, processes and documentation. These are the building blocks you need to cover.

Secure Product Design

Build security in from the start and prove your product meets the essential requirements.

  • Product Requirements (secure by design & default)
  • Risk Assessment
  • Supply Chain / Third-Party Due Diligence

Vulnerability Management & Updates

Handle vulnerabilities and keep products patched across the whole support period.

  • Vulnerability Handling
  • Support Period / Security Updates

Conformity & CE Marking

Classify your product, run the right assessment and declare conformity.

  • Product Classification
  • Conformity Assessment
  • CE Marking & EU Declaration of Conformity

Documentation & Information

Keep the required technical documentation and inform your users.

  • Technical Documentation (Annex VII)
  • User Information (Annex II)

Reporting & Market Surveillance

Report incidents in time and cooperate with the authorities.

  • Reporting Obligations (24h / 72h)
  • Single Point of Contact & Market Surveillance
Coming soon

CRA GAP-analysis tool

We are building a free self-assessment tool that lets you determine your CRA readiness in a few minutes and receive a prioritised GAP analysis with concrete recommended actions. Leave your email address and we will let you know as soon as the tool is available.

  • Readiness score across the 12 core themes of the CRA
  • Prioritised GAP list with measures and CRA references
  • Result as a individual PDF report

By signing up you consent to receiving our newsletter by email; you can unsubscribe at any time. For more information, see our privacy policy. Privacy Policy

Services

How we help

Pragmatic, engineering-minded support. From first orientation to CE marking, reusing your existing security work wherever possible.

Gap analysis

Where do you stand against the CRA today? We assess your products, processes and documentation and prioritise the gaps.

Classification & conformity route

We help you classify your products and select the conformity assessment procedure that fits.

Processes & documentation

We help you put in place the vulnerability management, technical documentation, and reporting processes the CRA demands.

Training & awareness

We enable your teams on secure-by-design, SBOM and threat modeling so compliance sticks.

FAQ

Frequently asked questions

We're already ISO 27001 certified – do we even need this?

ISO 27001 is an excellent foundation, but it doesn't cover the CRA. The CRA is product legislation (for products with digital elements); ISO 27001 is a management system for your organisation. Much of your ISMS carries over — risk management, processes, governance — but product-specific duties such as conformity assessment, CE marking, vulnerability handling and incident reporting come on top. We show you what you can reuse and where the real gaps are.

Will anyone actually notice if we ignore it?

Yes. The CRA is enforced through EU market surveillance, like the CE obligations for other products. Authorities may order that products be removed from the market and impose fines of up to €15 million or 2.5% of global annual turnover. On top of that, customers, distributors and tenders increasingly require proof of conformity — and from 2027 affected products without CE marking may no longer be sold in the EU.

Our IT department handles cybersecurity — we're well set up.

That's valuable, but it addresses a different layer. Your IT department typically protects your internal infrastructure. The CRA is about the security of the products you place on the market — across their whole lifecycle, from secure-by-design through vulnerability handling to reporting obligations towards authorities. That needs product, development and regulatory expertise, not just IT operations.

When does the CRA apply?

The CRA entered into force at the end of 2024. The reporting obligations start in September 2026 and the full set of requirements applies from December 2027. Because conformity takes lead time — processes, documentation, possibly a notified body — now is the time to start.

Are we even in scope?

In principle the CRA covers all "products with digital elements" placed on the EU market — hardware with software as well as standalone software. Some products already regulated sector-specifically (e.g. certain medical devices) are exempt. We clarify your scope in a short initial call.

Get CRA-ready

Contact us for an initial consultation and gap analysis tailored to your products.

info@actsecure.eu