CRA Snapshot for manufacturers of products with digital elements
Fixed-price assessment of 1–2 product families against the Cyber Resilience Act: classification, exclusions, gaps versus Annex I, art. 14 readiness, SBOM-lite and a 60–90 day action plan.
Who it is for
For manufacturers of hardware, IoT devices, embedded systems and software, that is, companies placing products with digital elements on the market. The CRA applies to manufacturers, importers and distributors of such products.
What it covers
- Establishing whether your product is a product with digital elements and what your role is (manufacturer, importer, distributor, authorised representative).
- Checking possible exclusions.
- Product classification: default product, important product class I or II, critical product.
- Gap analysis against the requirements of Annex I part I (product properties) and part II (vulnerability handling).
- Readiness for art. 14, that is, reporting actively exploited vulnerabilities and severe incidents.
- SBOM-lite, that is, a software bill of materials.
- Support period and the update process.
- Map of technical documentation toward CE marking (Annex VII).
- Recommended next step and a 60–90 day action plan.
Key CRA dates
The Cyber Resilience Act is Regulation (EU) 2024/2847. The dates of application are phased:
- The Regulation entered into force on 10 December 2024.
- The vulnerability and incident reporting obligations (art. 14) apply from 11 September 2026.
- The provisions on notified bodies apply from 11 June 2026.
- Full application and CE marking from 11 December 2027.
Micro and small enterprises benefit from some relief: they may present technical documentation in a simplified form, and administrative fines do not apply to a missed early warning deadline (art. 64(10)). Maximum fines under the CRA reach EUR 15 million or 2.5% of worldwide annual turnover (art. 64).
What CRA Snapshot is not
CRA Snapshot prepares you for conformity assessment, but does not replace it. We do not guarantee compliance and we do not issue the EU declaration of conformity on the manufacturer's behalf. The manufacturer is responsible for the declaration of conformity and CE marking. For some product classes the conformity assessment is carried out by a notified body, which we are not.
We treat standards such as IEC 62443, ISO/IEC 27001, ISO/IEC 29147 or ISO/IEC 30111 as good practice and as a mapping to requirements, not as an automatic guarantee of CRA compliance. Until a harmonised standard is published in the Official Journal of the EU, we do not rely on a presumption of conformity.
Related services
- PSIRT / SBOM Starter as the next step after CRA Snapshot.
- OT / IEC 62443 Mini-Gap for products used in industry.
- Cyber Insurance Evidence Check for evidence to support an insurance questionnaire.