Cyber Resilience Act services for connected products and software.

The CRA applies to products with digital elements placed on the EU market commercially: hardware and software that connect to networks, either directly or indirectly. This covers a wide range of products, from consumer devices and industrial equipment to operating systems, applications, firmware, and software components. The Regulation applies regardless of whether the product is sold to consumers or businesses.

Several categories fall outside scope, including products already covered by sector-specific EU regulations with equivalent cybersecurity requirements, such as certain medical devices and civil aviation equipment. Open source software released in a genuinely non-commercial context is also excluded. The boundaries are not always obvious, particularly for software components, embedded firmware, and products that connect only indirectly to networks. The five-day CRA Diagnostic works through these questions against your specific portfolio.

The CRA was adopted in October 2024 and applies in stages. Vulnerability reporting obligations apply from 11 September 2026. Provisions on notified bodies and conformity assessment apply from 11 June 2026. The full Regulation, including all security requirements, technical documentation obligations, and the CE marking requirement, applies from 11 December 2027.

The 2027 date is when products placed on the EU market must comply. It is not the deadline to begin work. Building a secure product lifecycle, producing technical documentation, and establishing a functioning vulnerability handling capability each require significant lead time. Organisations that begin in late 2026 will not reach a credible compliance position before the enforcement date.

Manufacturers carry the heaviest obligations: meeting the essential cybersecurity requirements, producing technical documentation, conducting the conformity assessment, applying CE marking, and maintaining vulnerability handling throughout the product's support period. The support period must cover the product's expected lifetime, with a minimum of five years.

Importers and distributors carry lighter but real obligations. Both must verify that the manufacturer has met its requirements before placing or making a product available on the EU market. Critically, both can be treated as manufacturers if they place a product under their own name or make a substantial modification. In some portfolios, a single organisation acts in different roles for different products, and the obligations that follow from each need to be tracked separately.

The essential cybersecurity requirements in Annex I cover two areas. The first covers the product: it must be free of known exploitable vulnerabilities in default configuration, have a secure default configuration, implement appropriate access controls and cryptographic protections, minimise attack surfaces, and provide security updates throughout the support period.

The second area covers vulnerability handling. Manufacturers must identify and document vulnerabilities in the product and its components, address them without delay, and report actively exploited vulnerabilities to ENISA and the relevant national authority within 24 hours of becoming aware. This is the most operationally demanding part of the CRA for most organisations: it requires a live, staffed process that can respond at any hour, not a documentation exercise.

CRA compliance requires coordinated changes across product development, engineering, security, legal, and procurement functions. Each team has primary responsibilities elsewhere, and without someone who has run programmes of this type before, coherence across workstreams is difficult to sustain. The diagnostic provides an independent starting point that establishes what the programme actually needs before internal resource is committed to building it.

For organisations where the CRA is the first structured engagement with product security, the gap between current practice and what the Regulation requires is often difficult to see clearly from the inside. External involvement surfaces gaps that familiarity with existing processes tends to mask, and produces an assessment record that carries more weight with a notified body or market authority than internal self-certification.

Yes. The three engagements are designed for different starting positions. The CRA Readiness Verification is specifically for organisations that have done substantive work and need an independent view of whether the compliance position is credible, well-evidenced, and ready for senior leadership, audit, or notified body review. It is not a restart: it works with what already exists, identifies where the gaps are, and produces a prioritised remediation view.

Where the work underway is a programme that needs better structure, governance, or delivery design, the Programme Design engagement can provide that without displacing what has already been built. The starting point is a conversation about where things currently stand.

Yes. The work covers manufacturers, importers, and distributors across a wide range of product types, including connected consumer and industrial hardware, embedded systems, enterprise and consumer software, firmware, and software components. The CRA questions that matter most differ by product type, and engagements are structured accordingly rather than applied as a template.

Size is not a barrier. The CRA applies to organisations of all sizes for in-scope products, and the diagnostic is designed to run proportionately. A portfolio of two products requires a different scale of work than a portfolio of forty. Multi-jurisdiction product launches are a regular part of the work.

The starting point is a 20-minute advisory call to understand the product portfolio, the organisation's current position, and which engagement makes sense. There is no obligation following that call.

The diagnostic takes five working days, typically spread across two to three weeks to fit around the schedules of the people involved. It requires time from product, engineering, security, and legal leads in targeted sessions rather than continuous commitment. Most participants are involved for two to four hours across the five days. A full programme may run for a few months or considerably longer, depending on the number of products, the maturity of existing secure development practices, and the complexity of the supply chain.