CRA knowledge: articles & guides
In-depth articles on the Cyber Resilience Act — clearly explained, with sources. Technical-organizational information, not legal advice.
Cyber Resilience Act: Am I Affected?
Manufacturer, importer, or distributor: who falls under the CRA and who does not? Products with digital elements, exceptions (medical, automotive) and systematic assessment steps.
CRA Reporting Obligation from 11 September 2026: What Manufacturers Must Prepare Now
What manufacturers must have in place by 11 September 2026: ENISA Single Reporting Platform, PSIRT setup, 24-hour early warning under the Cyber Resilience Act.
Cyber Resilience Act for SMEs: What Manufacturers Need to Do Now
No size exemption, but clear priorities: what SME manufacturers should tackle first — reporting before SBOM before CE marking. Prioritised CRA roadmap.
SBOM Requirements under the Cyber Resilience Act: Formats, Contents and Archiving
What a CRA-compliant software bill of materials must contain, which format (CycloneDX ≥ 1.6 / SPDX ≥ 3.0.1) to choose, and how the 10-year archiving obligation applies.
CRA Product Classes: How Is Your Product Classified — and What Does That Mean?
Which conformity assessment does your product require? Class I (self-assessment possible), Class II (notified body required), critical (Module B+C). With examples from IR 2025/2392.
Conformity Assessment and CE Marking under the Cyber Resilience Act
Conformity assessment under the Cyber Resilience Act: Module A, B+C or H, when a notified body is needed, CE marking and the EU declaration of conformity.
CRA Deadlines 2024–2027: The Staggered Timeline
All CRA deadlines from 2024 to 2027 at a glance: entry into force 10 Dec 2024, reporting obligations from 11 Sep 2026, full application 11 Dec 2027. What each date means – and what to do by when.
Technical Documentation and EU Declaration of Conformity under the CRA
What the CRA technical documentation must contain (Annex VII), how the EU Declaration of Conformity (Art. 28, Annex V) is structured, what CE marking involves, and why you must retain everything for ≥ 10 years. Practical checklist.
CRA vs. NIS2 vs. DORA: different subjects of regulation, sometimes the same companies
CRA, NIS2 and DORA compared: the CRA regulates products, NIS2 organisations, DORA the financial sector. Who is subject to what — explained clearly.
The Cyber Resilience Act and Open Source: The Steward Role and Scope
How does the Cyber Resilience Act treat open source? Non-commercial FOSS is out of scope, open-source stewards (Art. 24) face a light regime, and manufacturers remain fully responsible. Practical guidance from Blackfort Technology.
Roles under the CRA: Manufacturer, Importer and Distributor at a Glance
Who bears which duty under the Cyber Resilience Act? Manufacturer (Art. 13), importer (Art. 19), distributor (Art. 20) and authorised representative (Art. 18) compared — with a duty-allocation matrix. Technical-organisational orientation from Blackfort Technology, Bonn.
CRA Penalties & Fines: what Article 64 actually provides for
CRA penalties under Article 64: up to €15m or 2.5% of total worldwide annual turnover. The three fine tiers, carve-outs for micro/small enterprises and open-source stewards – explained in technical-organisational terms.
Vulnerability Handling, Reporting & CVD under the CRA
Vulnerability handling (Annex I Part II), reporting (Art. 14) and coordinated vulnerability disclosure under the CRA. The 24h → 72h → final-report cascade (14 days for vulnerabilities, one month for incidents) – from 11 September 2026, also for products already on the market.