top of page

Cyber Resilience Act

Security as a Mandatory: The Cyber Resilience Act (CRA) is coming

With the Cyber Resilience Act, the EU is, for the first time, creating uniform requirements for the cybersecurity of products with digital elements – from software to connected devices. Manufacturers and suppliers will be legally obligated to comply with security standards throughout the entire product lifecycle.

Get started now – we'll support you.

Are your products CRA Ready? Find out with our free CRA Readiness Check - Self Assessment:

Our Services for the Cyber Resilience Act

 

CRA – Readiness Check

 

We analyze your company's current position with regard to the CRA requirements:

  • Auditing your products and processes for compliance

  • Identifying areas of action and risks Understandable recommendations for action to meet CRA requirements

Goal: An understanding of your starting point, situation, and necessary preparatory measures.

Advice on meeting CRA requirements

 

We accompany you step by step on the path to compliance:

  • Support with the technical and organizational implementation of CRA requirements

  • Development of a risk-based vulnerability management system

  • Establishment of reporting processes to authorities Integration of secure-by-design and secure-by-default principles

  • Advice on CE marking and documentation requirements

Goal: Sustainable and legally compliant implementation of the requirements – efficient, practical, and tailored to your products.

Why act now?

 

The CRA requirements will come into effect gradually – with some short transition periods. Those who act early will not only secure market access but also gain a competitive advantage through increased trust among customers and partners.

Key dates at a glance

  • November 20, 2024 - Publication of the CRA in the Official Journal of the EU

  • December 10, 2024 - Entry into force of the regulation – publication after 20 days

  • June 11, 2026 - Start of requirements for conformity assessment bodies (18 months)

  • September 11, 2026 - Start of the reporting obligation for exploitable vulnerabilities and cyber incident reporting (21 months)

  • December 11, 2027 - Full application of the regulation – from now on, only CRA-compliant products may be marketed (36 months)

Recommendation for action

  • By mid-2026: Evaluate your products, processes, and employee training – especially for reporting structures.

  • From late summer 2026: Establish an effective vulnerability reporting system.

  • By the end of 2027: Ensure full compliance (CE marking, SBOM, security updates, secure-by-design).

  • Additionally: The BSI IT Security Label makes cybersecurity a selling point and increases trust in digital products. The requirements are aligned with the CRA, making the label the ideal complement.

Would you like to know how well your company is prepared for the CRA?

Contact us for a no-obligation initial consultation!

Together, we'll bring your products up to the latest cybersecurity standards.

 

Contact
bottom of page