CRA Insights
Knowledge on the Cyber Resilience Act
Evidence-based, up-to-date analyses on scope, deadlines, SBOM, product classes, roles and industry-specific guidance for the EU Cyber Resilience Act (Reg. (EU) 2024/2847).

Cyber Resilience Act: Am I Affected?
Manufacturer, importer or distributor: who falls under the CRA and who does not? Products with digital elements plus exceptions like medical and automotive.
Read more
CRA Reporting Obligation from 11 September 2026: What Manufacturers Must Prepare Now
What manufacturers must have ready by 11 September 2026: the ENISA Single Reporting Platform, a PSIRT and a 24-hour early warning process. Prepare in time.
Read more
Cyber Resilience Act for SMEs: What Manufacturers Need to Do Now
No size exemption, but clear priorities: what SME makers tackle first – reporting before SBOM before CE marking. A prioritised CRA roadmap to start today.
Read more
SBOM Requirements under the Cyber Resilience Act: Formats, Contents and Archiving
What a CRA-compliant software bill of materials must contain, which format – CycloneDX or SPDX – to choose and how the 10-year archiving duty applies.
Read more
CRA Product Classes: How Is Your Product Classified — and What Does That Mean?
Which conformity assessment does your product need? Class I via self-assessment, Class II via notified body, critical via Module B+C – with examples.
Read more
CRA Penalties & Fines: what Article 64 actually provides for
CRA penalties under Article 64: up to €15m or 2.5% of annual turnover. The three fine tiers plus carve-outs for micro enterprises and open-source stewards.
Read more
CRA vs. NIS2 vs. DORA: different subjects of regulation, sometimes the same companies
CRA, NIS2 and DORA compared: the CRA regulates products, NIS2 organisations, DORA finance. See clearly who is subject to which regime and where they overlap.
Read more
Vulnerability Handling, Reporting & CVD under the CRA
Vulnerability handling, reporting and coordinated disclosure under the CRA: the 24h, 72h and final-report cascade – how to get it right from 11 Sep 2026.
Read more
CRA Deadlines 2024–2027: The Staggered Timeline
All CRA deadlines 2024 to 2027 at a glance: entry into force, reporting from 11 Sep 2026, full application on 11 Dec 2027. What each date means and what to do.
Read more
Conformity Assessment and CE Marking under the Cyber Resilience Act
Conformity assessment under the CRA: Module A, B+C or H, when a notified body is required and how CE marking and the EU declaration of conformity fit together.
Read more
The Cyber Resilience Act and Open Source: The Steward Role and Scope
How does the CRA treat open source? Non-commercial FOSS is outside scope, open-source stewards (Art. 24) face a light regime, and makers stay responsible.
Read more
Roles under the CRA: Manufacturer, Importer and Distributor at a Glance
Who bears which duty under the CRA? Manufacturer (Art. 13), importer (Art. 19), distributor (Art. 20) and authorised representative (Art. 18), with a matrix.
Read more
Technical Documentation and EU Declaration of Conformity under the CRA
What CRA technical documentation must contain (Annex VII), how the EU declaration of conformity is structured and why you retain it all for 10+ years.
Read more
Cyber Resilience Act for IoT, Embedded & Smart Products
CRA orientation for makers of IoT, embedded and smart products: RED transition, product classes, duties and deadlines to 11 Dec 2027. Not legal advice.
Read more
Cyber Resilience Act for Machinery & Industrial Automation
The CRA for machinery: deadlines to 11 Dec 2027, product classes, overlap with the Machinery Regulation, SBOM and a practical roadmap for controls and firmware.
Read more
Cyber Resilience Act and Medical Technology: the Scope Boundary
MDR/IVDR medical devices are exempt from the CRA (Art. 2(2)) – wellness, fitness and hospital-IT software often are not. A decision structure for the boundary.
Read more
Cyber Resilience Act for Software & SaaS Makers
CRA for software and SaaS makers: standalone software is usually in scope, pure SaaS often is not (NIS2). Duties, SBOM and deadlines to 11 Dec 2027 explained.
Read more
CRA Glossary – the Central Terms of the Cyber Resilience Act
The Cyber Resilience Act made clear: product with digital elements, Annex III/IV, conformity assessment, modules, SBOM and reporting – around 24 terms defined.
Read more
Distributor Duties under the CRA (Art. 20): Due Care in the Supply Chain
What does a distributor owe under the CRA? Due care under Art. 20: verify CE marking, check manufacturer and importer duties, protect storage, correct issues.
Read more
Manufacturer Duties under the CRA: What Art. 13 Really Requires
Manufacturers carry the main burden under the CRA: essential requirements, vulnerability handling, technical docs, conformity assessment, CE and reporting.
Read more
Importer Duties under the CRA (Art. 19): the Gatekeeper to the EU Market
The importer as gatekeeper to the EU market: which duties does it bear under Art. 19 of the CRA? Verify, don't manufacture – conformity, technical docs and CE.
Read more
CRA risk assessment & threat modeling
The CRA risk assessment is the most documentation-critical duty: how STRIDE, attack trees and data-flow diagrams deliver the Annex I / Art. 13 evidence.
Read more
CRA support period, EOL & update duty
How long must a product get CRA-compliant security updates? The support period, the 5-year guidance, EOL communication and the update duty. Set your span now.
Read more
CRA × NIS2 × DORA × AI Act: the convergence
How the CRA, NIS2, DORA and AI Act interact: product vs. operations vs. finance vs. AI use — the multi-regulation map for manufacturers. Map your duties now.
Read more
Implementing security-by-design in the CRA
Security-by-design and security-by-default per Annex I of the CRA: the concrete requirements, a secure development lifecycle and implementation levers.
Read more
What does CRA compliance cost?
CRA compliance cost depends on product class, SBOM maturity and process maturity. The cost drivers and three illustrative effort scenarios. Estimate it now.
Read moreKontakt aufnehmen
Request a CRA readiness assessment
Gap analysis of current vs. target state against Annex I – concrete, evidence-based and mapped to your product portfolio.