CRA Consulting — Cyber Resilience Act

Systematic assessment of your product portfolio against all requirements of CRA Annexes I and II. We classify each product into the correct category (Standard, Important Class I/II, Critical), identify the applicable conformity assessment procedures, and deliver a prioritised measures roadmap with concrete work packages, responsibilities, and a timeline through to December 2027. Deliverable: gap report with product classification matrix and compliance roadmap.

Development of a comprehensive Software Bill of Materials (SBOM) in machine-readable formats such as CycloneDX or SPDX. We integrate SBOM generation into your CI/CD pipeline, establish automated vulnerability matching against CVE databases, and implement the vulnerability handling process required by the CRA throughout the entire support period (typically 5 years). This means that in the next Log4Shell-type situation, you can identify which products are affected within minutes. Deliverable: SBOM toolchain, vulnerability management process, policy for free security updates.

Integration of cybersecurity from the concept phase of your product development — not as a retrospective add-on. We establish threat modelling (STRIDE/PASTA), define security requirements for your architecture, implement secure default configurations (no weak default passwords, automatic security updates, minimal attack surface), and embed security gates into your development process. Deliverable: Secure Development Lifecycle (SDL) framework, threat modelling documentation, security requirements catalogue.

From 11 September 2026, manufacturers must report actively exploited vulnerabilities to the competent CSIRT authority and ENISA within 24 hours — with a follow-up report within 72 hours and a final report within 14 days. We build your reporting process, define escalation paths, create report templates for the ENISA platform, and train your team through tabletop exercises. This ensures you are operationally ready by the deadline. Deliverable: incident response playbook, report templates, escalation matrix, training delivery.

Preparation and support throughout the entire conformity assessment procedure — from self-assessment for standard products, to assessment against harmonised standards (EN 303 645, IEC 62443) for Class I products, through to collaboration with notified bodies for Class II and critical products. We prepare the technical documentation, the EU declaration of conformity, and support the CE marking process. Deliverable: technical documentation in accordance with Annex VII, EU declaration of conformity, CE marking approval.

Tailored workshops for management, product management, development, and procurement. Content: CRA requirements in detail, product classification based on your specific product range, obligations by role (manufacturer, importer, distributor), penalty risks (up to €15 million / 2.5% of turnover), distinction from NIS2 and the EU AI Act, and concrete next steps. For SMEs, we offer compact formats that address the relief measures provided for small companies under the CRA. Deliverable: workshop delivery, management summary, individual action plan.