As a manufacturer of products with digital elements, you carry the primary responsibility under the Cyber Resilience Act. We help you meet every obligation — efficiently and on time.
Under the CRA, manufacturers are responsible for the cybersecurity of their products throughout the entire lifecycle. From initial design to end-of-support, you must demonstrate that your products meet the essential cybersecurity requirements. Failure to comply can result in fines of up to €15 million, product recalls and loss of EU market access.
Integrate cybersecurity into the design and development process from day one. Products must be delivered with secure default configurations, minimized attack surfaces and no known exploitable vulnerabilities.
Conduct a comprehensive cybersecurity risk assessment for each product. Document all identified risks, evaluate their severity and implement proportionate technical and organizational mitigation measures.
Prepare and maintain complete technical documentation covering the product's design, development, risk assessment, applied standards and conformity assessment results.
Generate and maintain a detailed SBOM listing all components, libraries and dependencies used in your product. This must be kept up to date and made available to authorities on request.
Establish effective procedures for identifying, documenting and remediating vulnerabilities. Implement coordinated vulnerability disclosure and report actively exploited vulnerabilities to ENISA within 24 hours.
Provide free security updates for a minimum of five years after placing the product on the market. Ensure updates are delivered promptly and can be installed securely by users.
Affix the CE marking only after successfully completing the appropriate conformity assessment. The marking must be visible, legible and accompanied by a declaration of conformity.
Complete the required conformity assessment procedure based on your product's risk classification — self-assessment for default products, or third-party assessment for Class II and critical products.
Report any actively exploited vulnerability or severe security incident to ENISA within 24 hours of becoming aware. Provide a full analysis within 72 hours and a final report within 14 days.
Our CRA specialists understand the specific challenges manufacturers face. Schedule a consultation to receive a tailored compliance plan for your product portfolio.