Secure Product Design
Build security in from the start and prove your product meets the essential requirements.
- Product Requirements (secure by design & default)
- Risk Assessment
- Supply Chain / Third-Party Due Diligence
The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for "products with digital elements" placed on the EU market. From secure-by-design to vulnerability handling and CE marking, manufacturers must demonstrate, and maintain, the security of their products across the entire lifecycle. Drawing on our experience in both regulatory consulting and product development, we can help you securing your products.
Talk to usThe CRA touches your products, processes and documentation. These are the building blocks you need to cover.
Build security in from the start and prove your product meets the essential requirements.
Handle vulnerabilities and keep products patched across the whole support period.
Classify your product, run the right assessment and declare conformity.
Keep the required technical documentation and inform your users.
Report incidents in time and cooperate with the authorities.
We are building a free self-assessment tool that lets you determine your CRA readiness in a few minutes and receive a prioritised GAP analysis with concrete recommended actions. Leave your email address and we will let you know as soon as the tool is available.
By signing up you consent to receiving our newsletter by email; you can unsubscribe at any time. For more information, see our privacy policy. Privacy Policy
Pragmatic, engineering-minded support. From first orientation to CE marking, reusing your existing security work wherever possible.
Where do you stand against the CRA today? We assess your products, processes and documentation and prioritise the gaps.
We help you classify your products and select the conformity assessment procedure that fits.
We help you put in place the vulnerability management, technical documentation, and reporting processes the CRA demands.
We enable your teams on secure-by-design, SBOM and threat modeling so compliance sticks.
ISO 27001 is an excellent foundation, but it doesn't cover the CRA. The CRA is product legislation (for products with digital elements); ISO 27001 is a management system for your organisation. Much of your ISMS carries over — risk management, processes, governance — but product-specific duties such as conformity assessment, CE marking, vulnerability handling and incident reporting come on top. We show you what you can reuse and where the real gaps are.
Yes. The CRA is enforced through EU market surveillance, like the CE obligations for other products. Authorities may order that products be removed from the market and impose fines of up to €15 million or 2.5% of global annual turnover. On top of that, customers, distributors and tenders increasingly require proof of conformity — and from 2027 affected products without CE marking may no longer be sold in the EU.
That's valuable, but it addresses a different layer. Your IT department typically protects your internal infrastructure. The CRA is about the security of the products you place on the market — across their whole lifecycle, from secure-by-design through vulnerability handling to reporting obligations towards authorities. That needs product, development and regulatory expertise, not just IT operations.
The CRA entered into force at the end of 2024. The reporting obligations start in September 2026 and the full set of requirements applies from December 2027. Because conformity takes lead time — processes, documentation, possibly a notified body — now is the time to start.
In principle the CRA covers all "products with digital elements" placed on the EU market — hardware with software as well as standalone software. Some products already regulated sector-specifically (e.g. certain medical devices) are exempt. We clarify your scope in a short initial call.
Contact us for an initial consultation and gap analysis tailored to your products.
info@actsecure.eu