
CRA Compliance
CRA Gap Analysis
Structured baseline assessment across all seven requirement areas of the Cyber Resilience Act. Prioritized gaps, realistic roadmap – as the foundation for a solid implementation plan.
What is a CRA Gap Analysis?
A CRA gap analysis is a structured baseline assessment: it systematically compares a company's current processes, tools, and documentation against the requirements of the Cyber Resilience Act — and concretely identifies where gaps exist and which are regulatory-critical.
It is not only about what is missing. A thorough gap analysis also reveals what is already present and can be credited: an existing ISO 27001 certification covers parts of vulnerability management. Existing SDLC processes often already contain security reviews. Vulnerability scanning tools are frequently already in use — just not embedded in a CRA conformity path and documented.
The result is not a deficiency list but a prioritized roadmap: which gaps must be closed by September 2026? Which by December 2027? Where is the greatest regulatory risk, and where is the implementation effort highest?
Who Needs a CRA Gap Analysis Now?
The CRA applies to all manufacturers, importers, and distributors of products with digital elements placed on the EU market — from connected industrial products and medical devices with software components to SaaS solutions that, under certain conditions, are classified as products. Open-source products that are not commercially distributed are excluded.
The time pressure is real. The reporting obligations to ENISA become binding from September 2026. The full conformity obligation — including CE marking and technical documentation — takes effect from December 2027. Security-by-design processes, SBOM infrastructure, and vulnerability disclosure processes require months to years of lead time.
Conducting a gap analysis now means: sufficient time for implementation, no reactive compliance at the last minute, and a solid foundation for internal budget planning and stakeholder communication.
What is Analyzed?
The gap analysis covers seven requirement areas of the CRA. For each area, the current state is assessed, the distance to the CRA target state measured, and the regulatory risk rated.
01
Product Classification
Classification under Annexes III and IV of the CRA Regulation: standard product, Class I, or Class II. Incorrect classification is a liability risk — particularly the underestimation of Class II products.
02
Secure Development Lifecycle
Threat modeling, secure coding standards, automated security testing (SAST, SCA, DAST) in the CI/CD pipeline. Assessed are maturity, documentation, and quality of evidence.
03
SBOM & Dependency Management
Completeness, machine-readability, and format compliance (SPDX / CycloneDX) of the Software Bill of Materials, as well as process integration for continuous updates.
04
Vulnerability Management
CVE monitoring for deployed components, defined patching process, tracking of findings through to remediation, and documentation of exceptions.
05
Reporting Processes & Coordinated Disclosure
ENISA reporting obligation for actively exploited vulnerabilities and serious incidents (from September 2026). Existence and accessibility of a coordinated disclosure channel.
06
Technical Documentation & CE Conformity
Completeness of technical documentation per Annex VII CRA, test protocols, risk analysis, and declaration of conformity. Basis for CE marking.
07
Supply Chain & Third-Party Components
Handling of open-source components and commercial third-party products: manufacturer declarations, supplier assessment, contractual arrangements for security information.
From Practice
Typical Findings of a CRA Gap Analysis
No company starts from zero. But these gaps regularly occur — regardless of industry and company size:
1. No formal threat modeling anchored in the development process
2. SBOM does not exist or is not machine-readable (Excel instead of SPDX/CycloneDX)
3. No defined vulnerability disclosure channel for product vulnerabilities
4. Security reviews take place but are not documented and not verifiable
5. CVE monitoring covers only own code, not embedded third-party components
6. ISO 27001 certification covers vulnerability management organization-wide – but not product-specifically
7. No defined timelines for the ENISA initial notification of actively exploited vulnerabilities
What You Receive
The results of the gap analysis are prepared in audit-ready format and can be directly used as a basis for internal decision-making processes:
Gap Report
Assessment of all seven requirement areas with current state, target state, and risk rating per gap.
Prioritization List
Gaps sorted by regulatory risk and implementation effort — as a basis for budget planning and resource prioritization.
Roadmap
Realistic timelines to the September 2026 deadline (ENISA reporting obligations) and the December 2027 deadline (full conformity).
Action Recommendations
Concrete next steps per area, with notes on sensible sequencing and dependencies between measures.
Next Step
From Gap Analysis to CRA Conformity
The gap analysis is Phase 1 of a structured implementation model. Based on it, we develop target architecture and measure design, and support implementation through to audit-ready conformity.
CRA Deadlines at a Glance
September 2026
Reporting obligations to ENISA become binding (actively exploited vulnerabilities, serious incidents)
December 2027
Full conformity obligation: CE marking, technical documentation, security-by-design evidence
Analysis Scope
- Product classification (Annexes III/IV)
- Secure Development Lifecycle
- SBOM & dependency management
- Vulnerability management
- Reporting processes & disclosure
- Technical documentation
- Supply chain & third-party components
Request Gap Analysis
In 4–6 weeks you receive a complete baseline assessment, clear prioritization, and a solid roadmap.
Frequently Asked Questions on CRA Gap Analysis
How long does a CRA gap analysis take?
Typically 4 to 6 weeks. The duration depends on the number of products to be assessed, the complexity of the development environment, and the availability of existing documentation. For a single product with existing SDLC documentation, a more compact format is also possible within 3 weeks.
What do I receive as a result?
A prioritized list of all identified gaps across the seven requirement areas, an assessment of regulatory risk per gap, and a roadmap with realistic timelines to the September 2026 and December 2027 deadlines. The results are prepared in audit-ready format.
What documents are needed for the gap analysis?
Product descriptions and architecture documentation, existing process documentation on the development workflow, existing security concepts or ISO 27001 documentation, and information on third-party components and suppliers used. Missing documents are themselves a finding of the gap analysis.
What is the difference between a gap analysis and an audit?
A gap analysis is a cooperative consulting process: the goal is an honest baseline assessment, not formal verification against a certification basis. Findings remain internal and form the basis for implementation planning. A formal audit by a notified body is only required for Class II products — and should sensibly be preceded by a completed gap analysis.
What happens after the gap analysis?
The results form the basis for Phase 2 of CRA implementation: target architecture and measure design. We optionally support the entire implementation through to audit-ready conformity — or hand over in a structured manner to your internal team if you wish to lead the implementation yourself.
Get in Touch
Ready for the Next Step?
Talk to us about your security requirements – concretely, without obligation, and as equals.