Talk to a security advisor — a free 30-minute review
AlphaCISO®
Contact us
All servicesService

EU Cyber Resilience Act

Security for products with digital elements.

Cybersecurity becomes a condition of market access

Regulation (EU) 2024/2847 — the Cyber Resilience Act — entered into force in December 2024 and sets horizontal cybersecurity requirements for "products with digital elements," covering both hardware and software placed on the EU market. If you ship a connected product or the software that runs on one, the CRA almost certainly reaches you.

Manufacturers must build in security by design and by default, handle vulnerabilities across the product lifecycle, maintain a software bill of materials, and complete conformity assessment to earn the CE marking. Reporting of actively exploited vulnerabilities and severe incidents to ENISA begins around September 2026, with the main obligations applying from 11 December 2027.

How we work

  • Classify the product. We determine whether your product is in scope and which conformity-assessment route applies.
  • Engineer the requirements. We map secure-by-design and vulnerability- handling obligations into your development lifecycle, including SBOM.
  • Ready the evidence. We assemble the technical documentation and conformity pack needed to support CE marking.
  • Stand up reporting. We build the workflow for reporting exploited vulnerabilities and severe incidents to ENISA within the required timelines.

For APAC and India-based product makers selling into the EU

The CRA binds any manufacturer placing products on the EU market, wherever it is based. We help hardware and software firms in APAC and India phase the work ahead of the 2026 and 2027 deadlines, so compliance does not become a sudden barrier to a European launch.