Know exactly where your product stands with the CRA.
The EU Cyber Resilience Act requires products to be secure-by-design. We provide a gap analysis and roadmap for manufacturers and software vendors ahead of the 2027 deadline.
What is a CRA Readiness Assessment?
A CRA Readiness Assessment tests your product and development process against the requirements of the EU Cyber Resilience Act. You receive a gap analysis per CRA requirement area, a classification of your product and a prioritised roadmap to compliance. The CRA requires secure-by-design products, an SBOM, vulnerability management and lifecycle security updates. Deadline: 2027.
The CRA requires secure-by-design from manufacturers and software vendors
The Cyber Resilience Act sets security requirements for products with digital elements. If you manufacture or sell hardware or software in the EU, your product must be secure-by-design and maintained with security updates throughout its lifecycle.
A CRA Readiness Assessment evaluates whether your product and development process comply with the CRA requirements. The team combines security expertise with knowledge of product development to deliver a practical assessment.
The CRA covers the full spectrum: from product security requirements and vulnerability management to documentation and CE marking. The assessment maps where you stand and what you still need to do to be compliant by 2027.
You have products with digital elements but no CRA compliance roadmap
Manufacturers and software vendors selling in the EU face a new regulatory reality. The 2027 deadline may seem distant, but implementing secure-by-design takes time and requires structural changes to development processes.
- You do not know which CRA category your product falls under (default, important or critical) and therefore which requirements apply and how stringent the conformity assessment must be.
- Secure-by-design and an SBOM require structural changes to your development process, supply chain and vulnerability disclosure procedures that take time to implement.
- Non-compliance can result in fines up to EUR 15 million and product withdrawal from the EU market, making this a business-critical compliance challenge.
What the assessment covers
- Product security requirements assessment
- Secure-by-design and secure-by-default evaluation
- Vulnerability handling and disclosure processes
- Software Bill of Materials (SBOM)
- Security updates and lifecycle management
- Documentation and CE marking requirements
- Conformity assessment procedures
How DEFION conducts a CRA assessment
Product classification
Determining the CRA category of your product (default, important or critical) and which requirements apply.
Security requirements review
Assessment of the product against CRA essential requirements for security properties.
Process review
Assessment of development process, vulnerability management and update mechanisms against CRA requirements.
Gap analysis
Identification of missing measures per CRA requirement area with risk classification and prioritisation.
SBOM and disclosure advice
Guidance on SBOM structure and vulnerability disclosure process to meet CRA requirements.
Roadmap to compliance
Prioritised implementation plan with timeline, effort estimates and resource requirements.
Deliverables
- CRA classification and applicability assessment
- Gap analysis report per CRA requirement area
- Implementation roadmap to compliance
- SBOM advice and vulnerability handling process advice
- Management summary
- Optional: implementation support
Suitable for
- Hardware and software manufacturers selling products in the EU
- IoT manufacturers
- SaaS companies (insofar as they supply products with digital elements)
- Importers and distributors of digital products
FAQ
- When does the CRA come into force?
- Does the CRA also apply to software?
- What is an SBOM and why is it important?
- How does the CRA relate to NIS2?
- What are the penalties for non-compliance?
Ready to assess your CRA position?
Tell us what you need. We scope the right approach and start within days.