Knowledge · Cyber Resilience Act

CRA Insights

Knowledge on the Cyber Resilience Act

Evidence-based, up-to-date analyses on scope, deadlines, SBOM, product classes, roles and industry-specific guidance for the EU Cyber Resilience Act (Reg. (EU) 2024/2847).

Cyber Resilience Act: Am I Affected?

Cyber Resilience Act: Am I Affected?

Manufacturer, importer or distributor: who falls under the CRA and who does not? Products with digital elements plus exceptions like medical and automotive.

Read more
CRA Reporting Obligation from 11 September 2026: What Manufacturers Must Prepare Now

CRA Reporting Obligation from 11 September 2026: What Manufacturers Must Prepare Now

What manufacturers must have ready by 11 September 2026: the ENISA Single Reporting Platform, a PSIRT and a 24-hour early warning process. Prepare in time.

Read more
Cyber Resilience Act for SMEs: What Manufacturers Need to Do Now

Cyber Resilience Act for SMEs: What Manufacturers Need to Do Now

No size exemption, but clear priorities: what SME makers tackle first – reporting before SBOM before CE marking. A prioritised CRA roadmap to start today.

Read more
SBOM Requirements under the Cyber Resilience Act: Formats, Contents and Archiving

SBOM Requirements under the Cyber Resilience Act: Formats, Contents and Archiving

What a CRA-compliant software bill of materials must contain, which format – CycloneDX or SPDX – to choose and how the 10-year archiving duty applies.

Read more
CRA Product Classes: How Is Your Product Classified — and What Does That Mean?

CRA Product Classes: How Is Your Product Classified — and What Does That Mean?

Which conformity assessment does your product need? Class I via self-assessment, Class II via notified body, critical via Module B+C – with examples.

Read more
CRA Penalties & Fines: what Article 64 actually provides for

CRA Penalties & Fines: what Article 64 actually provides for

CRA penalties under Article 64: up to €15m or 2.5% of annual turnover. The three fine tiers plus carve-outs for micro enterprises and open-source stewards.

Read more
CRA vs. NIS2 vs. DORA: different subjects of regulation, sometimes the same companies

CRA vs. NIS2 vs. DORA: different subjects of regulation, sometimes the same companies

CRA, NIS2 and DORA compared: the CRA regulates products, NIS2 organisations, DORA finance. See clearly who is subject to which regime and where they overlap.

Read more
Vulnerability Handling, Reporting & CVD under the CRA

Vulnerability Handling, Reporting & CVD under the CRA

Vulnerability handling, reporting and coordinated disclosure under the CRA: the 24h, 72h and final-report cascade – how to get it right from 11 Sep 2026.

Read more
CRA Deadlines 2024–2027: The Staggered Timeline

CRA Deadlines 2024–2027: The Staggered Timeline

All CRA deadlines 2024 to 2027 at a glance: entry into force, reporting from 11 Sep 2026, full application on 11 Dec 2027. What each date means and what to do.

Read more
Conformity Assessment and CE Marking under the Cyber Resilience Act

Conformity Assessment and CE Marking under the Cyber Resilience Act

Conformity assessment under the CRA: Module A, B+C or H, when a notified body is required and how CE marking and the EU declaration of conformity fit together.

Read more
The Cyber Resilience Act and Open Source: The Steward Role and Scope

The Cyber Resilience Act and Open Source: The Steward Role and Scope

How does the CRA treat open source? Non-commercial FOSS is outside scope, open-source stewards (Art. 24) face a light regime, and makers stay responsible.

Read more
Roles under the CRA: Manufacturer, Importer and Distributor at a Glance

Roles under the CRA: Manufacturer, Importer and Distributor at a Glance

Who bears which duty under the CRA? Manufacturer (Art. 13), importer (Art. 19), distributor (Art. 20) and authorised representative (Art. 18), with a matrix.

Read more
Technical Documentation and EU Declaration of Conformity under the CRA

Technical Documentation and EU Declaration of Conformity under the CRA

What CRA technical documentation must contain (Annex VII), how the EU declaration of conformity is structured and why you retain it all for 10+ years.

Read more
Cyber Resilience Act for IoT, Embedded & Smart Products

Cyber Resilience Act for IoT, Embedded & Smart Products

CRA orientation for makers of IoT, embedded and smart products: RED transition, product classes, duties and deadlines to 11 Dec 2027. Not legal advice.

Read more
Cyber Resilience Act for Machinery & Industrial Automation

Cyber Resilience Act for Machinery & Industrial Automation

The CRA for machinery: deadlines to 11 Dec 2027, product classes, overlap with the Machinery Regulation, SBOM and a practical roadmap for controls and firmware.

Read more
Cyber Resilience Act and Medical Technology: the Scope Boundary

Cyber Resilience Act and Medical Technology: the Scope Boundary

MDR/IVDR medical devices are exempt from the CRA (Art. 2(2)) – wellness, fitness and hospital-IT software often are not. A decision structure for the boundary.

Read more
Cyber Resilience Act for Software & SaaS Makers

Cyber Resilience Act for Software & SaaS Makers

CRA for software and SaaS makers: standalone software is usually in scope, pure SaaS often is not (NIS2). Duties, SBOM and deadlines to 11 Dec 2027 explained.

Read more
CRA Glossary – the Central Terms of the Cyber Resilience Act

CRA Glossary – the Central Terms of the Cyber Resilience Act

The Cyber Resilience Act made clear: product with digital elements, Annex III/IV, conformity assessment, modules, SBOM and reporting – around 24 terms defined.

Read more
Distributor Duties under the CRA (Art. 20): Due Care in the Supply Chain

Distributor Duties under the CRA (Art. 20): Due Care in the Supply Chain

What does a distributor owe under the CRA? Due care under Art. 20: verify CE marking, check manufacturer and importer duties, protect storage, correct issues.

Read more
Manufacturer Duties under the CRA: What Art. 13 Really Requires

Manufacturer Duties under the CRA: What Art. 13 Really Requires

Manufacturers carry the main burden under the CRA: essential requirements, vulnerability handling, technical docs, conformity assessment, CE and reporting.

Read more
Importer Duties under the CRA (Art. 19): the Gatekeeper to the EU Market

Importer Duties under the CRA (Art. 19): the Gatekeeper to the EU Market

The importer as gatekeeper to the EU market: which duties does it bear under Art. 19 of the CRA? Verify, don't manufacture – conformity, technical docs and CE.

Read more
CRA risk assessment & threat modeling

CRA risk assessment & threat modeling

The CRA risk assessment is the most documentation-critical duty: how STRIDE, attack trees and data-flow diagrams deliver the Annex I / Art. 13 evidence.

Read more
CRA support period, EOL & update duty

CRA support period, EOL & update duty

How long must a product get CRA-compliant security updates? The support period, the 5-year guidance, EOL communication and the update duty. Set your span now.

Read more
CRA × NIS2 × DORA × AI Act: the convergence

CRA × NIS2 × DORA × AI Act: the convergence

How the CRA, NIS2, DORA and AI Act interact: product vs. operations vs. finance vs. AI use — the multi-regulation map for manufacturers. Map your duties now.

Read more
Implementing security-by-design in the CRA

Implementing security-by-design in the CRA

Security-by-design and security-by-default per Annex I of the CRA: the concrete requirements, a secure development lifecycle and implementation levers.

Read more
What does CRA compliance cost?

What does CRA compliance cost?

CRA compliance cost depends on product class, SBOM maturity and process maturity. The cost drivers and three illustrative effort scenarios. Estimate it now.

Read more

Kontakt aufnehmen

Request a CRA readiness assessment

Gap analysis of current vs. target state against Annex I – concrete, evidence-based and mapped to your product portfolio.