The CRA clock is already running
The EU Cyber Resilience Act (CRA) entered into force on 10 December 2024. If you manufacture or sell hardware or software products with digital elements on the EU market, vulnerability and incident reporting obligations apply from 11 September 2026, and the full requirements apply from 11 December 2027. Non-compliance risks fines of up to €15 million or 2.5% of global turnover — and losing the CE mark that lets you sell in Europe at all.
ITSecOps.cloud helps manufacturers, SaaS vendors and IoT companies get CRA-ready: product scoping, secure development practices, SBOMs, vulnerability handling and the reporting processes regulators expect.
Who the CRA applies to
- Manufacturers of connected hardware — IoT devices, industrial equipment, consumer electronics — sold in the EU, wherever the company is based.
- Software vendors whose products (including SaaS supporting a product with digital elements) reach the EU market.
- Importers and distributors placing such products on the EU market.
- Non-EU companies — US, UK, Norwegian, Indian, Asian manufacturers — selling into the EU. The CRA follows the product, not the company.
What we deliver
- Product scoping & classification: which of your products fall under the CRA, and whether each is a default product or a Class I or Class II important product — this determines your conformity route.
- Gap assessment: your current secure-development, vulnerability-handling and update practices measured against Annex I essential requirements.
- SBOM & secure development: software bills of materials, secure-by-design practices and update mechanisms implemented with your engineering team.
- Vulnerability handling & reporting: the coordinated disclosure policy, 24-hour early-warning and incident reporting workflows (ENISA/CSIRT) required from September 2026.
- Technical documentation & CE marking support: the conformity documentation that keeps your products on the EU market.
- Continuous compliance: the CRA requires security support for the product lifetime — we operate the monitoring and update processes with you.
CRA overlaps you can reuse
If you are already working toward ISO 27001, SOC 2 or NIS2, much of the groundwork — risk assessment, vulnerability management, incident response — transfers directly to CRA readiness. We map controls once and reuse the evidence, as part of our compliance readiness consulting.
Frequently asked questions
When do we actually have to comply?
Reporting obligations (actively exploited vulnerabilities and severe incidents) apply from 11 September 2026. The full essential requirements apply from 11 December 2027. Products placed on the EU market after that date must be fully compliant.
We are not an EU company — does the CRA apply to us?
Yes, if your products with digital elements are placed on the EU market. Like GDPR, the CRA applies based on where the product is sold, not where you are headquartered.
Does the CRA apply to pure SaaS?
Standalone cloud services are generally covered by NIS2 instead, but SaaS that supports a product with digital elements (remote data processing) can fall under the CRA. Scoping is the first thing we assess.
What is an SBOM and do we need one?
A software bill of materials — a machine-readable inventory of your product’s components. The CRA requires manufacturers to maintain one as part of technical documentation.
How long does CRA readiness take?
Typically 3–9 months depending on product complexity and existing secure-development maturity — start before the September 2026 reporting deadline.
Get a CRA scoping call
Send us your product list and target EU markets and we will come back with a scoped readiness plan with fixed-fee phases. Contact us or email info@itsecops.cloud.