The Cyber Resilience Act (CRA) is coming.
Is your product ready?
From December 2027, products with digital elements sold in the EU must meet mandatory cybersecurity requirements. If you develop, manufacture, import, or distribute connected products or software, the CRA applies to you.
Cingulum helps you understand your obligations, identify your gaps, and build a practical roadmap towards compliance, without disruption to your daily operations.
What is the Cyber Resilience Act?
The CRA makes cybersecurity mandatory for any product with a digital component sold in the EU. It covers the full lifecycle: how you build it, how you maintain it, and how you respond when things go wrong.
Unlike a guidance framework, the CRA is binding EU legislation. If your organisation falls under its scope, compliance is not optional.
In practice, this means you are required to:
- Build security into your product from the start
- Perform and document risk assessments
- Set up a process to manage and respond to vulnerabilities
- Provide security updates and patches
- Prepare technical documentation and declarations of conformity
- Report known vulnerabilities quickly, within legally defined timelines
Understanding your obligations early gives you the time to get it right.
Who should act now?
The CRA applies to organisations that:
- Develop software or connected products
- Manufacture products with digital elements
- Import products into the EU
- Distribute digital products under their own brand
Your role in the supply chain determines your obligations. Even if you are not the original manufacturer, you may still have responsibilities under the CRA.
Not sure whether the CRA applies to you? That is a good reason to find out sooner rather than later.
Could your CRA project be part-funded?
If your organisation is an SME, you may be eligible for financial support through SECURE4SME, an EU-funded initiative that helps small and medium-sized enterprises work towards CRA compliance.
Through its open call system, SECURE4SME provides co-funding that covers 50% of eligible project costs, up to a maximum of €30,000.
Who can apply?
- Micro, small, and medium-sized enterprises established in the EU or EEA
- Organisations that develop, manufacture, import, or distribute products with digital elements
- Projects directly aimed at improving CRA compliance
Eligible activities include gap assessments, risk assessments, vulnerability management, secure development practices, governance implementation, and technical documentation. Exactly the kind of work Cingulum supports.
The current open call closes on 29 March 2026.
Not sure whether you qualify, or where to start? Talk to one of our experts. We help you scope a qualifying project, clarify what needs to be in place, and make sure your compliance work is solid, both on paper and in practice.
How Cingulum supports your CRA compliance
We approach CRA compliance as a structured maturity process, not a one-off checklist exercise.
Our methodology is built around four phases:
Assess
We analyse where you stand today and how the CRA applies to your organisation. This includes:
- Applicability analysis based on your product portfolio, including role clarification (manufacturer, importer, distributor).
- Gap analysis against CRA requirements.
- Review of existing secure development and vulnerability processes.
- Risk assessment aligned with product security obligations.
You receive a clear overview of your compliance gaps and priorities.
Implement
We translate regulatory requirements into operational reality. Depending on your context, this may include:
- Embedding security-by-design into development processes.
- Formalising and implementing product risk assessments.
- Setting up vulnerability disclosure and handling procedures.
- Structuring technical documentation and compliance evidence.
- Ensuring alignment with your existing frameworks, e.g. ISO 27001, CyFun, secure SDLC (Software Development Life Cycle) practices.
- Establishing governance around product security ownership.
Our focus is practical implementation, not theoretical documentation.
Validate
Before market surveillance authorities ask questions, you should have answers ready. We help you:
- Review conformity documentation.
- Prepare internal controls and responsibilities.
- Simulate audit or authority review scenarios.
- Align CRA compliance with broader cybersecurity governance (NIS2, ISO, supply chain security).
The goal: demonstrable, defensible compliance.
Maintain
We help you embed and maintain sustainable product security governance.
- Establishing continuity in vulnerability monitoring processes.
- Monitoring third-party components and software dependencies.
- Structuring secure update and patch management mechanisms.
- Periodically reviewing product risk assessments.
- Maintaining technical documentation and compliance evidence.
Your products remain compliant, secure, and defensible, not only at launch, but throughout their entire market presence.
Why work with Cingulum?
CRA compliance sits at the intersection of regulation, product development, and security. You need a partner who understands all three.
As a cybersecurity-focused sister company of CRANIUM, Cingulum brings together regulatory expertise and hands-on security experience. We work alongside your legal, product, and engineering teams to turn obligations into a structured, manageable process.
We focus on building maturity and long-term resilience, not on ticking boxes.
Frequently Asked Questions
The CRA has been adopted at EU level and is being rolled out in phases.
- The first deadline is 11 September 2026, when reporting obligations come into effect.
- Full compliance is required from 11 December 2027.
That may sound like there is time to spare, but embedding security into your development and support processes is not a quick fix. The earlier you start, the more room you have to get it right.
It depends on the type of software. If your software needs to be installed locally and requires a network connection, it most likely falls within scope. Pure SaaS products are generally not covered by the CRA, though they may fall under NIS2. The boundary is not always clear-cut, and the EU is still working on technical guidance to clarify it. If you are unsure, contact us and we’ll work it out together.
It depends on how the software is distributed. Open source software developed and shared on a non-commercial basis is generally exempt from the CRA. However, if you monetise the software, offer paid support, or integrate it into a commercial product, you may fall within scope. The boundary is not always straightforward, and the EU is still working on technical guidance to clarify edge cases. If your organisation distributes or builds on open source software commercially, it is worth assessing your position carefully.
ISO 27001 is a strong foundation, but it is not sufficient on its own. It focuses on how your organisation manages information security. The CRA goes further by setting specific requirements for the products you build and sell. That includes how you design them, how you handle vulnerabilities after launch, and how you document and prove your compliance.
That said, ISO 27001 and the CRA complement each other well. The 2022 version of ISO 27001 includes a number of Annex A controls specifically around secure development, covering areas such as secure coding practices, protection of test environments, and security in development and support processes. These controls provide a useful starting point, but the CRA expects a more product-specific and documented approach that goes beyond what ISO 27001 requires on its own.
The two regulations target different things. NIS2 focuses on how organisations protect their own systems, networks, and operations. The CRA focuses on the products they build and sell.
If your organisation falls under NIS2 and also develops or distributes products with digital elements, both regulations apply to you. In practice, the two regulations complement each other. Strong governance and risk management under NIS2 provide a solid foundation for CRA compliance, but the CRA adds product-specific obligations that NIS2 does not cover.
Non-compliance can result in fines, enforcement measures, or being barred from selling your product in the EU market. Beyond the legal consequences, it can also affect your relationships with customers and partners, as well as your insurance coverage. More fundamentally, the CRA is designed to raise the bar for all digital products in Europe. Organisations that treat it as a strategic priority rather than a legal obligation will be better placed, both commercially and reputationally.
Compliance under the CRA is demonstrated primarily through the CE marking, combined with a documented conformity assessment. This means you need to be able to show which risk assessment you carried out, which security measures you put in place, how vulnerabilities are monitored and addressed, and how security updates are made available. The CRA also requires that certain information is made publicly available, such as relevant risks and security aspects of your product. In short, compliance is not just about what you do. It is about being able to prove it, clearly and consistently.
Cingulum can assist you with all these compliance documents.
From 11 September 2026, organisations must report actively exploited vulnerabilities and serious incidents that affect the security of their products to the relevant national authorities. The reporting timeline is strict: an early warning must be submitted within 24 hours of becoming aware of the incident, followed by a more detailed notification within 72 hours. This requires clear internal processes well before the deadline arrives. Many organisations underestimate how much structural preparation this takes, from defining responsibilities to setting up the right monitoring and documentation processes.
Yes, if your products are placed on the EU market, the CRA applies regardless of where your organisation is based. The regulation follows the product, not the producer. If you sell to customers in the EU, import into the EU, or distribute under your own brand within the EU, you are in scope. Many non-European manufacturers and software developers are affected by this, even if they have no physical presence in Europe.
Ready to move forward with CRA?
Whether you’re starting from scratch or fine-tuning what’s already in place, we’ll help you take the next right step.
Drop us a line. We’ll get back to you within one working day.