Blackfort TechnologyBlackfort Technology

CRA knowledge: articles & guides

In-depth articles on the Cyber Resilience Act — clearly explained, with sources. Technical-organizational information, not legal advice.

Cyber Resilience Act: Am I Affected?

Manufacturer, importer, or distributor: who falls under the CRA and who does not? Products with digital elements, exceptions (medical, automotive) and systematic assessment steps.

CRA Reporting Obligation from 11 September 2026: What Manufacturers Must Prepare Now

What manufacturers must have in place by 11 September 2026: ENISA Single Reporting Platform, PSIRT setup, 24-hour early warning under the Cyber Resilience Act.

Cyber Resilience Act for SMEs: What Manufacturers Need to Do Now

No size exemption, but clear priorities: what SME manufacturers should tackle first — reporting before SBOM before CE marking. Prioritised CRA roadmap.

SBOM Requirements under the Cyber Resilience Act: Formats, Contents and Archiving

What a CRA-compliant software bill of materials must contain, which format (CycloneDX ≥ 1.6 / SPDX ≥ 3.0.1) to choose, and how the 10-year archiving obligation applies.

CRA Product Classes: How Is Your Product Classified — and What Does That Mean?

Which conformity assessment does your product require? Class I (self-assessment possible), Class II (notified body required), critical (Module B+C). With examples from IR 2025/2392.

Conformity Assessment and CE Marking under the Cyber Resilience Act

Conformity assessment under the Cyber Resilience Act: Module A, B+C or H, when a notified body is needed, CE marking and the EU declaration of conformity.

CRA Deadlines 2024–2027: The Staggered Timeline

All CRA deadlines from 2024 to 2027 at a glance: entry into force 10 Dec 2024, reporting obligations from 11 Sep 2026, full application 11 Dec 2027. What each date means – and what to do by when.

Technical Documentation and EU Declaration of Conformity under the CRA

What the CRA technical documentation must contain (Annex VII), how the EU Declaration of Conformity (Art. 28, Annex V) is structured, what CE marking involves, and why you must retain everything for ≥ 10 years. Practical checklist.

CRA vs. NIS2 vs. DORA: different subjects of regulation, sometimes the same companies

CRA, NIS2 and DORA compared: the CRA regulates products, NIS2 organisations, DORA the financial sector. Who is subject to what — explained clearly.

The Cyber Resilience Act and Open Source: The Steward Role and Scope

How does the Cyber Resilience Act treat open source? Non-commercial FOSS is out of scope, open-source stewards (Art. 24) face a light regime, and manufacturers remain fully responsible. Practical guidance from Blackfort Technology.

Roles under the CRA: Manufacturer, Importer and Distributor at a Glance

Who bears which duty under the Cyber Resilience Act? Manufacturer (Art. 13), importer (Art. 19), distributor (Art. 20) and authorised representative (Art. 18) compared — with a duty-allocation matrix. Technical-organisational orientation from Blackfort Technology, Bonn.

CRA Penalties & Fines: what Article 64 actually provides for

CRA penalties under Article 64: up to €15m or 2.5% of total worldwide annual turnover. The three fine tiers, carve-outs for micro/small enterprises and open-source stewards – explained in technical-organisational terms.

Vulnerability Handling, Reporting & CVD under the CRA

Vulnerability handling (Annex I Part II), reporting (Art. 14) and coordinated vulnerability disclosure under the CRA. The 24h → 72h → final-report cascade (14 days for vulnerabilities, one month for incidents) – from 11 September 2026, also for products already on the market.

The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.