
EU Cyber Resilience Act
From regulatory risk to competitive advantage.
Manufacturers, importers and distributors of connected products face a clearly defined implementation horizon. We structure your path to CRA conformity – technically and from a regulatory perspective.
Pressure to act
Why act now, and not only in 2027?
The Cyber Resilience Act is not a distant regulation. With reporting obligations arriving in September 2026 and full effect in December 2027, only a tight implementation window remains. Acting early secures not just compliance — it builds genuine competitive advantage.
Organisations that integrate security into their product architecture early differentiate themselves in the market: through demonstrable quality, faster audits and customer trust. Early CRA conformity is not a cost factor — it is a strategic advantage over competitors who only react at the last minute.
Establishing a robust security-by-design process takes on average 12–18 months. Anyone who wants to be compliant in December 2027 must start now.
October 2024 — CRA in force
The Cyber Resilience Act formally enters into force. The transition period for manufacturers begins.
September 2026 — reporting obligations active
Mandatory incident reporting and active vulnerability disclosure must be operational.
December 2027 — full effect
All CRA requirements apply. Non-compliant products lose EU market access.
Now — the optimal start time
Enough time for a structured implementation, early enough to gain first-mover advantage.
Regulatory framework
What the CRA really requires
Four central requirement areas that must be addressed systematically across the entire product lifecycle.
Security by Design
Security must be built in from the very first design decision. Threat modelling, secure coding practices and automated security tests as part of the CI/CD pipeline.
SBOM transparency
Software Bill of Materials for every component – complete documentation of all dependencies and continuous matching against vulnerability databases (NVD, OSV, GHSA).
Vulnerability management
Systematic detection, assessment and remediation of vulnerabilities. Reporting duty for actively exploited vulnerabilities to ENISA within 24 hours.
Long-term support
Free security updates across the expected product lifetime. Defined minimum support periods per product category, communicated transparently.
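The SBOM transparency requirement above describes a mechanism rather than a policy: every shipped component is listed in a Software Bill of Materials and continuously compared against vulnerability feeds. The following is an added illustration of that matching step, written for this page and not code from Blackfort or from any SBOM tool. It parses a small CycloneDX-style SBOM and checks each component's package URL against advisories in the OSV range format. The SBOM, the advisories and their `EXAMPLE-...` identifiers are constructed sample data, not real products or real vulnerabilities; the purl-to-ecosystem table and the assumption that OSV events arrive in sorted order are simplifications a production matcher would replace with the official tooling.

```python
"""Match a CycloneDX SBOM against OSV-style advisories (constructed sample data)."""
import json

# Constructed CycloneDX 1.5-style SBOM fragment: a fictional product with three
# third-party components. Nothing here refers to a real project.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample", "version": "1.4.2",
     "purl": "pkg:generic/libexample@1.4.2"},
    {"type": "library", "name": "netparse", "version": "2.0.9",
     "purl": "pkg:pypi/netparse@2.0.9"},
    {"type": "library", "name": "tlsbox", "version": "3.1.0",
     "purl": "pkg:generic/tlsbox@3.1.0"}
  ]
}
"""

# Constructed advisories in the OSV schema shape, with placeholder ids
# (EXAMPLE-..., not CVE or GHSA numbers). A real pipeline would pull these
# from NVD, OSV or GHSA on a schedule.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "netparse"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "2.0.0"},
                                          {"fixed": "2.1.0"}]}]}]},
    {"id": "EXAMPLE-2024-0002",
     "affected": [{"package": {"ecosystem": "generic", "name": "tlsbox"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"},
                                          {"fixed": "3.1.0"}]}]}]},
]

# Minimal mapping from purl type to OSV ecosystem name. "generic" is not an
# OSV ecosystem; it is kept only so the constructed sample above matches.
PURL_TO_ECOSYSTEM = {"pypi": "PyPI", "npm": "npm", "golang": "Go",
                     "cargo": "crates.io", "generic": "generic"}


def parse_version(v: str) -> tuple:
    """Turn '2.0.9' into (2, 0, 9) for ordered comparison. Non-numeric parts
    become 0; real matchers use ecosystem-specific version rules instead."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def split_purl(purl: str) -> tuple:
    """Split 'pkg:type/name@version' into (ecosystem, name, version).
    Namespaced purls (pkg:maven/group/artifact) keep the namespace in the name."""
    ptype, rest = purl[len("pkg:"):].split("/", 1)
    name, _, version = rest.partition("@")
    return PURL_TO_ECOSYSTEM.get(ptype, ptype), name, version


def is_affected(version: str, events: list) -> bool:
    """OSV range semantics: affected once a version reaches an 'introduced'
    event and stays affected until it reaches the next 'fixed' event.
    Assumes the events are in ascending version order, as OSV requires."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version falls
    inside an affected range. Components without a purl are skipped, because
    name-only matching produces false positives across ecosystems."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        eco, name, version = split_purl(purl)
        for adv in advisories:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if pkg.get("ecosystem") != eco or pkg.get("name") != name:
                    continue
                for rng in aff.get("ranges", []):
                    if is_affected(version, rng.get("events", [])):
                        findings.append({"purl": purl, "advisory": adv["id"]})
                        break  # one finding per advisory is enough
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['purl']} is affected by {f['advisory']}")
```

Run as-is, the sample flags `netparse 2.0.9` (inside the 2.0.0 to 2.1.0 range) and clears `tlsbox 3.1.0`, because OSV's `fixed` boundary is exclusive: the fixed version itself is no longer affected. That boundary handling, and the refusal to match components that lack a purl, are the two details that decide whether a continuous SBOM scan produces an audit-usable signal or a stream of noise.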

The real challenge
Not individual requirements — but scaling.
The CRA requirements, taken individually, are manageable. The core problem lies in scaling: many product lines, heterogeneous system landscapes, global supply chains — and the need to manage all of this consistently, traceably and audit-ready.
The real achievement is not solving a single compliance requirement but creating an enterprise-wide infrastructure for sustainable security management — across all products, teams and development cycles.
The core problem
The missing link between development, operations and evidence.
Most organisations have functioning individual disciplines. The problem: they do not communicate end to end. Security information from engineering does not reach operations. Regulatory documentation does not reflect operational reality. The result: compliance gaps and audit risk.
Silos between these four areas create compliance gaps that, in the moment of truth — audit, incident, regulatory request — become concrete risks.
Our approach
End-to-end connection of regulation and operational delivery.
Blackfort connects regulatory requirements with operational, technical reality — not theoretically but in your specific environment. We translate EU regulation into actionable structures that actually function in live operations.
Our approach is not a consulting document. It is a structured implementation programme with measurable interim results — calibrated to the complexity and strategic goals of your organisation.

Implementation model
The 4-phase model
A clear structure for controlled CRA implementation — from stocktake to regulatory evidence.
Phase One
Analysis & gap assessment
Structured stocktake: product classification by risk class, mapping of existing processes against CRA requirements, clear prioritisation of the most critical gaps.
Phase Two
Target architecture & design
Tailored concept for security-by-design processes, SBOM integration, vulnerability management workflow and technical documentation structure.
Phase Three
Implementation
Operational delivery with technical depth: SBOM in CI/CD pipelines, vulnerability monitoring, incident reporting processes, training of development teams – in live operation.
Phase Four
Evidence & documentation
Audit-ready technical documentation, CE conformity assessment and evidence for authorities, customers and internal audits. Ready for notified bodies (Class II).
Concrete value
What you actually gain.
CRA conformity is more than a regulatory obligation — done well it becomes a strategic asset.
Secured EU market access
Demonstrable conformity ahead of the September 2026 and December 2027 deadlines removes the risk of market access bans and recalls.
Reduced liability exposure
Structured CRA compliance protects leadership and management from personal liability in the event of security incidents and regulatory reviews.
Faster audit readiness
Audit requests from authorities, customers and notified bodies become a managed process. Documentation is available at all times and remains coherent.
Competitive advantage
Early CRA conformity differentiates your organisation in the market – with B2B customers, public procurers and across EU markets where security evidence is becoming standard.
FAQ
CRA implementation: your questions
What is the first step in CRA implementation?
The first step is a structured gap analysis: which products are in scope? What risk class do they fall into? Which existing processes already cover CRA requirements – and where are the most critical gaps? This stocktake yields a prioritised roadmap with realistic timelines towards the December 2027 deadline.
How long does a full CRA implementation take?
A full CRA implementation typically takes 18–24 months. The 4-phase model is structured as: gap assessment (4–6 weeks), target architecture & design (6–8 weeks), implementation (10–14 weeks) and evidence & documentation (3–5 weeks). Depending on product complexity and existing maturity the overall timeline can vary.
Does the CRA also apply to pure software companies?
Yes. The Cyber Resilience Act applies to software with a network function that is integrated into products with digital elements. Pure SaaS products are subject to certain exemptions. Embedded software, firmware, software for IoT devices and operating systems clearly fall within the scope. Correct demarcation is part of the applicability assessment.
What happens if a product is not CRA-compliant by December 2027?
Non-compliant products lose lawful access to the EU single market. National market surveillance authorities can order recalls, sales bans and fines of up to EUR 15 million or 2.5 % of global annual turnover. Importers and distributors face their own obligations: they may not place non-compliant products on the market.
What is the difference between CRA Class I and Class II?
Class I products (standard risk) can in many cases declare conformity through self-assessment provided harmonised standards are applied. Class II products (high risk) – including network devices, firewalls, industrial routers, operating systems and products for critical infrastructure – require assessment by a notified body. Correct classification is the first critical step.
Related page
A compact overview of CRA applicability, product classes and service scope
Get in touch
Request a gap analysis
In 4–6 weeks you receive a full stocktake, clear prioritisation of the most critical gaps and a robust roadmap — as a decision basis for the structured CRA implementation.