CRA Consulting

The Cyber Resilience Act (CRA) is an EU regulation that has been in force since November

2024 and establishes, for the first time, binding cybersecurity requirements for products with digital elements. The regulation affects an extremely broad range of companies: manufacturers, importers, and distributors of virtually all products that have digital functions. This includes IoT devices such as smart home systems, industrial controls, and connected sensors, as well as standalone software products, operating systems, firmware, and hardware components with embedded software. Crucially, the CRA does not only affect large technology companies, but also mid-sized manufacturers that integrate digital elements into their products – such as machinery manufacturers with networked controls or medical technology companies with software components. The regulation distinguishes between standard products, important products (Class I and II), and critical products, with conformity assessment requirements increasing with the criticality level. For standard products, a self-assessment is sufficient, while critical products require assessment by a notified body. Exceptions apply to already-regulated sectors such as medical devices, aviation, and motor vehicles, which are subject to their own cybersecurity regulations. Companies should assess at an early stage whether and how their products fall under the CRA, as the transition periods are already running and the first reporting obligations take effect from September 2026.

The Cyber Resilience Act provides for staggered transition periods that companies must be fully aware of. The regulation has been in force since

10 November 2024. From September

2026 – less than a year away – reporting obligations apply to manufacturers: actively exploited vulnerabilities and serious security incidents must be reported to ENISA within

24 hours, followed by detailed reports within

72 hours and a final report within one month. From 2027, all CRA requirements must be fully met. This means: products placed on the EU market from that point onwards must have completed the full conformity assessment and bear the CE marking. The penalties for non-compliance are substantial and follow the GDPR model: violations of essential cybersecurity requirements can result in fines of up to €

15 million or 2.5 percent of global annual turnover. Violations of other obligations can be sanctioned with up to €

10 million or

2 percent of turnover. In addition, market surveillance authorities can order product recalls or restrict market access. The economic consequences therefore extend well beyond fines: production downtime, reputational damage, and revenue losses due to market bans can be existentially threatening. Given the complexity of the requirements and the lead times needed for technical and organizational adjustments, we recommend beginning systematic CRA implementation at the latest now. Companies that already operate an information security management system (ISMS) in accordance with ISO 27001 have a head start.

A Software Bill of Materials (SBOM) is a machine-readable inventory of all software components contained in a product – including open-source libraries, proprietary modules, frameworks, and their dependencies. The CRA makes the creation and maintenance of an SBOM mandatory for all products with digital elements. The importance of the SBOM stems from its central role in vulnerability management: only if a manufacturer has complete knowledge of which components are in its products can it identify affected products when a new vulnerability is discovered in a component. A clear example is the Log4j vulnerability of 2021: companies without an SBOM sometimes needed weeks to determine which of their products contained the vulnerable library. With an up-to-date SBOM, this analysis is possible within minutes. The SBOM must be created in a standardized format – the most common are SPDX (from the Linux Foundation) and CycloneDX (from OWASP). It should be integrated into the build process in an automated manner so that a current SBOM is generated with each release. In addition, the CRA requires that the SBOM be kept up to date throughout the entire product lifecycle – for at least the expected product lifetime or five years, whichever is shorter. The integration of a vulnerability feed (for example based on NVD or OSV) enables proactive monitoring: as soon as a new vulnerability in a used component is published, you receive an automatic notification. Advisori supports you in selecting suitable SBOM tools, integrating them into your CI/CD pipelines, and establishing sustainable processes for SBOM maintenance.

CRA, NIS2, and DORA are three central EU regulations for cybersecurity that complement each other and overlap in important areas. The CRA regulates product security and is directed at manufacturers of digital products. NIS 2 regulates the cybersecurity of companies and organizations in critical sectors and their supply chains. DORA (Digital Operational Resilience Act) specifically addresses the financial sector and its ICT service providers. The synergies are considerable: all three regulations require systematic risk management, incident response processes, and consideration of supply chain security. A company that, for example, acts as a manufacturer of software for the financial sector may fall under all three regulations. Here it is essential not to build isolated compliance silos for each regulation, but to create an integrated framework. In concrete terms, this means: the vulnerability management that the CRA requires for products can be linked to the risk management framework of NIS2. The reporting obligations of all three regulations can be covered through a unified incident response process – even if the reporting deadlines and recipients vary. The ISMS in accordance with ISO 27001, which many companies have already established for NIS2, provides a solid foundation for the organizational CRA requirements. The EU AI Act is also increasingly relevant: products with AI components must meet both CRA and AI Act requirements. Advisori is one of the few consulting partners that covers all relevant EU regulations from a single source. Instead of engaging separate consultants for CRA, NIS2, DORA, and the AI Act, you receive from us a consistent, collaboration-optimized compliance program with clear responsibilities and without redundant measures.

The CRA conformity assessment is the formal proof that a product with digital elements meets all requirements of the Cyber Resilience Act. It is a prerequisite for the CE marking and thus for market access in the EU internal market. The process depends on the classification of the product. For standard products (the large majority), the manufacturer can carry out an internal assessment (Module A). In doing so, the manufacturer documents compliance with all essential requirements and issues an EU declaration of conformity. For important products of Class I (e.g., password managers, network interfaces, operating systems), a self-assessment is also possible, provided that harmonized standards or a European cybersecurity certificate are applied. Otherwise, assessment by a notified body is required. For important products of Class II (e.g., firewalls, hypervisors, CPUs) and critical products, involvement of a notified body is generally required. The technical documentation, which must be prepared for all variants, includes: a general product description, a description of design and development, a risk assessment of cybersecurity risks, information on applied harmonized standards, test results, the SBOM, and a description of the vulnerability management process. The EU declaration of conformity contains the identification of the product and the manufacturer, the declaration of conformity with the essential requirements, and the indication of the standards applied. After a successful assessment, the CE marking is affixed to the product. Advisori accompanies the entire process: from initial product classification through the preparation of technical documentation to the final declaration of conformity. Where required, we coordinate cooperation with notified bodies and prepare you optimally for their audit.

Choosing the right CRA consulting partner is strategically important, as implementation is complex and deadlines are tight. Large consulting firms such as KPMG, Deloitte, or PwC offer broad capacity, but have structural disadvantages when it comes to CRA implementation. With Advisori, you get a partner that combines the advantages of both worlds. First: specialized expertise rather than a generalist approach. While large consulting firms treat CRA as one of hundreds of topics, cybersecurity and regulatory compliance is our core business. Our consultants work with the relevant standards and regulations on a daily basis – not just occasionally. We have in-depth technical expertise in SSDLC, security testing, and penetration testing, which is essential for practical CRA implementation. Second: speed and personal support. With around

150 employees, we are large enough for complex projects, yet lean enough for short decision-making paths. Your points of contact are senior experts who directly manage your project – not junior consultants working from a handbook. The result: faster implementation, more pragmatic solutions, and a better price-performance ratio. Third: the unique combination of CRA, NIS2, and DORA from a single source. Most consulting firms treat each regulation as a separate project with its own teams. At Advisori, you receive an integrated team that actively exploits synergies and avoids duplication of effort. Fourth: technological innovation. Our own AI platform for compliance monitoring enables continuous monitoring of your CRA conformity – not just a snapshot. Fifth: demonstrated quality. Our certifications in accordance with ISO 27001, 9001, and

14001 demonstrate that we practice the standards we implement at our clients. We do not merely advise on information security – we practice it. Arrange a no-obligation initial consultation and see our approach for yourself.