Frequently asked questions
Short and concrete answers about CRA, OT and IEC 62443, cyber insurance, and KSC/NIS2.
CRA and product security
Who does the Cyber Resilience Act (CRA) apply to?
The CRA (EU Regulation 2024/2847) applies to manufacturers, importers, and distributors of products with digital elements placed on the European Union market.
What is a product with digital elements?
It is a software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately (art. 3 CRA). In practice: devices, hardware, and software whose intended or reasonably foreseeable use involves a direct or indirect data connection to a device or network.
What does art. 14 CRA mean?
Art. 14 requires the manufacturer to report an actively exploited vulnerability in its product: an early warning within 24 hours of becoming aware of it, a vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is made available. The same article covers severe incidents affecting the security of the product (24 hours, 72 hours, and a final report within one month of the incident notification). Reports go through the single reporting platform to the CSIRT designated as coordinator and to ENISA. These reporting obligations apply from 11 September 2026, earlier than the rest of the regulation.
Does the CRA apply to products already on the market?
Full application, including CE marking, starts on 11 December 2027. Products placed on the market before that date fall under the CRA's requirements only if they are substantially modified afterwards; the art. 14 reporting obligations, however, also apply to products already on the market. Whether a given change counts as a substantial modification is worth assessing individually for each product family.
What is an SBOM?
An SBOM (software bill of materials) is a machine-readable list of the software components a product contains, typically in a format such as CycloneDX or SPDX. The CRA requires the manufacturer to draw one up in a commonly used, machine-readable format, covering at least the product's top-level dependencies, as part of vulnerability handling (Annex I Part II).
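The practical point of an SBOM is that a manufacturer can match it against advisories without inspecting the build by hand. The script below, added here as an illustration and not part of this FAQ or of any CRA Snapshot tooling, parses a CycloneDX-style JSON document and reports components whose version falls below a "fixed in" threshold. The SBOM, the component names, and the advisory identifiers (ADV-SAMPLE-1, ADV-SAMPLE-2) are constructed sample data, not real software or real vulnerabilities.

```python
"""Match a CycloneDX-style SBOM against a list of affected-version thresholds.

The SBOM and the advisory list are constructed for this example; they do not
describe real products, real components, or real vulnerabilities.
"""
import json
from typing import Any

# Constructed SBOM in the CycloneDX 1.5 JSON layout, top-level dependencies only.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "firmware", "name": "gateway-fw", "version": "2.3.0"}
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "purl": "pkg:generic/libbar@0.9.0"},
        {"type": "library", "name": "libbaz", "version": "3.1.1-rc1",
         "purl": "pkg:generic/libbaz@3.1.1-rc1"},
    ],
})

# Hypothetical advisories constructed for the example: versions strictly below
# "affected_below" are considered affected; the fixed version itself is not.
SAMPLE_ADVISORIES = [
    {"id": "ADV-SAMPLE-1", "name": "libfoo", "affected_below": "1.5.0"},
    {"id": "ADV-SAMPLE-2", "name": "libbar", "affected_below": "0.9.0"},
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '1.4.2' or '3.1.1-rc1' into a comparable 3-tuple of integers.

    Trailing non-numeric parts (pre-release tags) are dropped and missing
    positions are padded with 0 so that '1.4' compares equal to '1.4.0'.
    """
    parts: list[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def load_components(sbom_json: str) -> list[dict[str, Any]]:
    """Parse the SBOM and return its component list, rejecting malformed input."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = doc.get("components")
    if not isinstance(components, list):
        raise ValueError("'components' must be a list")
    for comp in components:
        if "name" not in comp or "version" not in comp:
            raise ValueError(f"component without name/version: {comp!r}")
    return components


def find_affected(sbom_json: str, advisories: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """Return (component, version, advisory id) for every component below a threshold."""
    by_name: dict[str, list[dict[str, str]]] = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    hits = []
    for comp in load_components(sbom_json):
        for adv in by_name.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(adv["affected_below"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_affected(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Two details matter in practice: the comparison is strict, so a component already at the fixed version is not flagged (libbar above), and a malformed SBOM raises an error instead of silently producing an empty, reassuring result.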
What is a PSIRT?
A PSIRT is the team and process for handling product vulnerability reports: intake, triage, issuing patches, and customer communications (advisories).
Does CRA Snapshot give you CRA compliance?
No. CRA Snapshot prepares you for assessment and organizes evidence, but it does not replace the conformity assessment and does not guarantee compliance. The manufacturer is responsible for the EU declaration of conformity and CE marking.
How does CRA Snapshot differ from a legal audit?
CRA Snapshot is a technical and organizational assessment of product readiness. We separate legal interpretations from the technical part; on legal matters we work with advisors and law firms.
OT and IEC 62443
Is IEC 62443 mandatory in Poland?
In most cases it is not a legally imposed obligation for every company operating OT. It is, however, a widely recognized way of evidencing the security of industrial systems and products, and the vocabulary that clients, auditors, and insurers use when they ask about it.
Why does an industrial company need IEC 62443 if it is not explicitly mandatory?
Because industrial clients, auditors, and insurers increasingly ask about it. It provides a common language to show that the OT environment is secured.
How does IT security differ from OT security?
IT security protects data and office systems, with confidentiality usually first. OT security protects industrial processes and control systems, where process continuity and physical safety come first. Device lifecycles are measured in decades, patching is often possible only in planned maintenance windows, and tolerance for downtime is far lower.
What does the OT / IEC 62443 Mini-Gap cover?
A short assessment: remote access, segmentation, accounts, logging, updates, vulnerabilities and backup, industrial client requirements, mapping to IEC 62443 practices, and recommendations for 60–90 days.
Cyber insurance
Do you help buy a cyber policy?
We do not broker insurance sales. We help technically prepare answers and evidence before a conversation with a broker or insurer.
Do you help fill out a cyber questionnaire?
Yes, on the technical side: we explain the questions, flag risky answers, and assemble evidence of controls.
What evidence is usually needed for a cyber questionnaire?
Most often: MFA, backups with a restore test, EDR and logs, management of remote access and privileged accounts, and an incident response procedure.
Can you guarantee that a company will get a policy?
No. The decision is made by the insurer. We help increase readiness and the quality of answers, but we do not guarantee obtaining a policy.
KSC / NIS2
Is KSC 2.0 a directive or an act?
KSC is the Act on the National Cybersecurity System, which implements the EU NIS 2 directive. The obligations of Polish entities arise from the act.
Is every manufacturing company subject to KSC/NIS2?
No. Coverage is determined by the sector (the act's annexes) and the size of the enterprise (art. 5). It is worth checking your status individually, for example with our qualifier.
Does KSC mean you have to implement ISO 27001?
No. ISO 27001 is voluntary. It makes meeting KSC requirements easier thanks to similar risk management principles, but it is not required and does not automatically mean KSC compliance.
Does KSC mean you have to implement IEC 62443?
No. IEC 62443 is not a general statutory obligation. It can be helpful for OT environments as a language of evidence.