EU CRA Compliance Services

EU Cyber Resilience Act Compliance Services: How ComplyMarket Helps Manufacturers Prepare for CRA

The EU Cyber Resilience Act (CRA) is changing the way manufacturers place connected products, software, IoT devices and embedded systems on the European market. For the first time, cybersecurity becomes a horizontal product compliance requirement for a wide range of products with digital elements.

For manufacturers, this means that cybersecurity can no longer be treated only as an IT topic. It becomes part of product design, technical documentation, vulnerability handling, conformity assessment and CE-marking readiness.

ComplyMarket supports manufacturers, importers and distributors with a practical, end-to-end CRA readiness service covering regulatory scoping, cybersecurity gap assessment, technical testing, documentation support and preparation for conformity assessment.

What Is the Cyber Resilience Act?

The Cyber Resilience Act is the EU regulation introducing mandatory cybersecurity requirements for products with digital elements placed on the EU market. It applies to many types of hardware and software products that can connect directly or indirectly to a device or network.

This may include:

  • IoT devices
  • Industrial automation systems
  • Embedded controllers
  • Software applications
  • Mobile applications
  • Web platforms supplied as part of a product
  • Firmware
  • Network-connected equipment
  • Smart devices
  • Gateways and connected components
  • Remote data-processing solutions linked to a product

The CRA requires manufacturers to design, develop and maintain products in a way that reduces cybersecurity risks throughout the product lifecycle.

Why CRA Compliance Matters

The CRA introduces cybersecurity obligations that affect product compliance, engineering, software development, quality management, supplier management and post-market surveillance.

Manufacturers need to be ready to demonstrate that their products meet essential cybersecurity requirements. This includes secure-by-design principles, secure default configuration, vulnerability handling, security updates, incident reporting and technical documentation.

For companies selling products in the EU, CRA readiness is not only a regulatory requirement. It is also becoming a commercial expectation from customers, distributors, public-sector buyers and critical-sector operators.

Key CRA Deadlines

Manufacturers should prepare early because CRA compliance affects product architecture, software development, documentation, testing and post-market processes.

| Date | CRA milestone |
|---|---|
| 10 December 2024 | CRA entered into force. |
| 11 June 2026 | Rules related to notified conformity assessment bodies start applying. |
| 11 September 2026 | Reporting obligations for actively exploited vulnerabilities and severe security incidents start applying. |
| 11 December 2027 | Main CRA obligations apply, including conformity assessment and CE-marking requirements. |

The most urgent milestone is the start of vulnerability and severe incident reporting obligations. Companies should have a working vulnerability handling and incident reporting process before September 2026.

How ComplyMarket Supports CRA Compliance

ComplyMarket provides a structured CRA compliance service designed to help companies move from uncertainty to implementation. Our approach combines regulatory interpretation, product compliance experience, cybersecurity testing and technical documentation support.

Our CRA service can be delivered as a focused product assessment, a portfolio-wide readiness programme or an annual support package.

1. CRA Applicability Assessment

The first step is to understand whether a product is in scope of the Cyber Resilience Act.

ComplyMarket helps clients determine:

  • Whether the product qualifies as a product with digital elements
  • Whether software, firmware, cloud functions or remote data-processing components are part of the CRA product boundary
  • Whether the company acts as manufacturer, importer, distributor or authorised representative
  • Whether exclusions or sector-specific rules may apply
  • Whether the product is likely to fall into the default category or be classed as an important or critical product

This step is essential because the conformity assessment route and testing depth depend on the correct product classification.

2. CRA Product Classification and Compliance Roadmap

Not all products have the same cybersecurity risk profile. ComplyMarket supports classification of products according to CRA categories and prepares a practical compliance roadmap.

The roadmap may include:

  • Product family grouping
  • Risk-based prioritisation
  • CRA Annex I requirement mapping
  • Required documentation
  • Required testing
  • Required supplier information
  • Conformity assessment route
  • Internal responsibilities
  • Gap closure timeline

This helps management understand what must be done, by whom and by when.

3. CRA Annex I Gap Assessment

CRA Annex I contains the essential cybersecurity requirements for products with digital elements, together with the requirements for vulnerability handling.

ComplyMarket reviews product design, documentation and processes against CRA Annex I requirements, including:

  • Secure-by-design and secure-by-default configuration
  • Protection against unauthorised access
  • Confidentiality and integrity of data
  • Minimisation of attack surfaces
  • Vulnerability handling
  • Security update mechanisms
  • Logging and monitoring capabilities
  • Protection against denial-of-service risks where relevant
  • Secure data processing and storage
  • Product support period and end-of-life communication

The result is a gap assessment showing current compliance status, missing evidence and recommended corrective actions.

4. Cybersecurity Testing for Products with Digital Elements

ComplyMarket provides technical cybersecurity testing aligned with CRA expectations and recognised cybersecurity standards.

Testing may include:

  • Web application penetration testing
  • API security testing
  • Mobile application security testing
  • Embedded device testing
  • Firmware review
  • Network service testing
  • Authentication and access-control testing
  • Default credential testing
  • Secure configuration review
  • TLS and cryptography review
  • Update mechanism review
  • SBOM and software composition analysis
  • Vulnerability scanning
  • Fuzzing of selected interfaces or protocols
  • Cloud configuration review where relevant
  • Logging and audit trail review

The testing scope is adapted to the product type, risk level and CRA classification.

5. Vulnerability Handling and Incident Reporting Readiness

The CRA requires manufacturers to maintain effective vulnerability handling throughout the product lifecycle. This is one of the most important operational changes introduced by the regulation.

ComplyMarket helps companies build or improve:

  • Vulnerability disclosure policy
  • Security contact point
  • Vulnerability intake process
  • Triage and severity classification
  • Root-cause analysis process
  • Patch and update workflow
  • Customer communication templates
  • Coordinated vulnerability disclosure process
  • Incident reporting procedure
  • Evidence records for authorities and customers

This is especially important before the CRA reporting obligations start applying.

6. Technical Documentation and CE-Marking Readiness

CRA compliance must be supported by documentation. Manufacturers need evidence showing that cybersecurity requirements have been considered and implemented.

ComplyMarket supports preparation and review of:

  • CRA technical file index
  • Product description and intended use
  • Product cybersecurity risk assessment
  • Architecture and data-flow documentation
  • Secure development lifecycle evidence
  • Vulnerability handling process evidence
  • Test reports
  • SBOM documentation
  • User instructions and security information
  • EU Declaration of Conformity template
  • CE-marking readiness checklist

ComplyMarket does not replace the manufacturer’s responsibility for signing the EU Declaration of Conformity. Instead, we help prepare the documentation and evidence required to support the manufacturer’s conformity decision.

7. Standards-Based CRA Support

Harmonised standards for the CRA are still being developed. Until the final standards are cited in the Official Journal of the European Union, manufacturers should prepare using recognised cybersecurity standards and the CRA standardisation work programme.

Depending on the product, ComplyMarket may use references such as:

  • CRA Regulation (EU) 2024/2847
  • CRA Annex I essential cybersecurity requirements
  • IEC 62443-4-1 for secure product development lifecycle
  • IEC 62443-4-2 for industrial automation and control system components
  • IEC 62443-3-3 for industrial system security requirements
  • ISO/IEC 29147 for vulnerability disclosure
  • ISO/IEC 30111 for vulnerability handling
  • OWASP ASVS for web application security
  • OWASP WSTG for web security testing
  • OWASP API Security Top 10 for API testing
  • OWASP MASVS and MASTG for mobile application security
  • EN 18031 series where radio equipment cybersecurity requirements are relevant
  • SBOM formats such as CycloneDX and SPDX
  • Secure cloud configuration benchmarks where cloud-hosted product components are involved

When harmonised standards become available, ComplyMarket can help update the compliance matrix and technical documentation to reflect the final presumption-of-conformity route.

8. Supplier and Software Supply Chain Support

Many products with digital elements rely on third-party components, open-source libraries, firmware modules, cloud services and suppliers. CRA readiness therefore requires a strong software and hardware supply-chain process.

ComplyMarket supports:

  • Supplier cybersecurity questionnaires
  • SBOM collection and review
  • Open-source dependency risk review
  • Vulnerability monitoring process
  • Component risk assessment
  • Supplier evidence collection
  • Cybersecurity clauses for supplier documentation
  • Product-level compliance evidence management

This helps manufacturers reduce cybersecurity risk and prepare defensible technical documentation.

9. Notified Body and Accreditation Support

Some CRA product categories may require the involvement of a notified conformity assessment body. ComplyMarket supports preparation for such assessments but does not claim to act as a notified body unless separately agreed and legally authorised.

ComplyMarket can help clients:

  • Determine whether notified body involvement may be required
  • Prepare technical documentation before submission
  • Review cybersecurity evidence
  • Coordinate with accredited laboratories or notified bodies where needed
  • Close gaps identified during pre-assessment

This approach gives manufacturers practical support while maintaining a clear distinction between consultancy, testing support and formal third-party conformity assessment.

Typical Deliverables

A CRA project with ComplyMarket may include:

  • CRA applicability report
  • Product classification report
  • Product boundary assessment
  • CRA Annex I compliance matrix
  • Cybersecurity risk assessment
  • Security test plan
  • Penetration testing report
  • Firmware or embedded security report
  • SBOM and software composition analysis summary
  • Vulnerability handling gap assessment
  • Incident reporting workflow
  • Technical documentation checklist
  • Draft EU Declaration of Conformity template
  • CE-marking readiness report
  • Remediation roadmap
  • Management presentation

Who Needs CRA Support?

ComplyMarket’s CRA services are relevant for companies that manufacture, import, distribute or supply products with digital elements in the EU.

This includes companies in sectors such as:

  • Electronics
  • Industrial automation
  • Laboratory equipment
  • Medical and life-science equipment
  • Smart devices
  • Machinery
  • ICT products
  • Software products
  • Consumer IoT
  • Professional IoT
  • Building automation
  • Energy and infrastructure equipment
  • Connected measuring and monitoring devices

If a product includes software, firmware, connectivity, data exchange, remote access or digital control functions, the CRA should be assessed.

Why Choose ComplyMarket for CRA Readiness?

ComplyMarket brings together product compliance, regulatory assessment, supplier data management, cybersecurity testing and technical documentation support.

Our service is designed for product compliance and engineering teams that need practical outputs, not only legal interpretation.

ComplyMarket helps clients:

  • Understand whether the CRA applies
  • Identify affected products and product families
  • Prioritise high-risk products
  • Build a realistic compliance roadmap
  • Test products against recognised cybersecurity methods
  • Prepare technical documentation
  • Improve vulnerability handling
  • Prepare for CE-marking readiness
  • Communicate requirements to suppliers
  • Reduce regulatory and market-access risk

Recommended CRA Readiness Roadmap

Manufacturers should not wait until the full application date. CRA compliance requires product design changes, process updates and evidence collection.

A practical roadmap is:

1.  Build a product inventory.

2.  Identify products with digital elements.

3.  Classify products by CRA category.

4.  Define product boundaries and responsibilities.

5.  Perform CRA Annex I gap assessment.

6.  Review secure development and vulnerability handling processes.

7.  Perform cybersecurity testing on representative products.

8.  Prepare SBOM and supply-chain evidence.

9.  Update product documentation and user instructions.

10.  Prepare technical file and Declaration of Conformity documentation.

11.  Establish vulnerability and incident reporting workflows.

12.  Retest critical gaps and maintain post-market monitoring.

Conclusion

The EU Cyber Resilience Act is one of the most important changes in product compliance for connected products and software. It turns cybersecurity into a market-access requirement and links it directly to product design, documentation, vulnerability handling and CE-marking readiness.

ComplyMarket helps manufacturers prepare early, reduce uncertainty and build practical evidence for CRA compliance. Whether you need a product-specific assessment or a full portfolio readiness programme, ComplyMarket can support your team from initial scoping to technical documentation and cybersecurity testing.

Contact ComplyMarket to start your CRA readiness assessment and prepare your products with digital elements for the European market.

FAQ Section

What is the Cyber Resilience Act?

The Cyber Resilience Act is an EU regulation that introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market.

Which products are covered by the CRA?

The CRA may apply to hardware and software products that connect directly or indirectly to a device or network. This includes IoT devices, embedded systems, firmware, software applications, connected industrial equipment, mobile apps and certain remote data-processing solutions.

Is CRA compliance linked to CE marking?

Yes. For covered products, CRA compliance becomes part of the conformity assessment and CE-marking process.

When do CRA obligations apply?

Reporting obligations for actively exploited vulnerabilities and severe security incidents start on 11 September 2026. The main CRA obligations apply from 11 December 2027.

Does ComplyMarket provide CRA certification?

ComplyMarket provides CRA readiness, cybersecurity testing, gap assessment and technical documentation support. Formal notified body conformity assessment, where required, must be performed by a duly notified conformity assessment body.

What standards are relevant for CRA compliance?

Relevant standards may include CRA harmonised standards once available, IEC 62443, ISO/IEC 29147, ISO/IEC 30111, OWASP testing standards, EN 18031 where radio equipment is involved, and SBOM-related formats such as CycloneDX and SPDX.

What is a CRA gap assessment?

A CRA gap assessment compares a product and its supporting processes against CRA requirements, identifies missing controls or evidence, and provides a remediation roadmap.

Why start CRA compliance now?

CRA compliance may require product design changes, testing, supplier evidence, SBOM management, vulnerability handling and documentation updates. Starting early reduces the risk of delayed market access.
