CRAReady Blog
CRA compliance guides, regulation updates, and technical deep-dives for manufacturers navigating the EU Cyber Resilience Act.
What Is the EU Cyber Resilience Act? A Plain-English Guide for Product Teams
The EU Cyber Resilience Act mandates cybersecurity requirements for all connected products sold in the EU. Here is what every product team needs to know.
EPSS Scoring Explained: Prioritising Vulnerabilities for CRA Compliance
EPSS predicts the probability a CVE will be exploited in the next 30 days. Used alongside CVSS, it is a practical tool for prioritising CRA patch management obligations.
CRA vs NIS2: What's the Difference and Do You Need Both?
The CRA and NIS2 are both major EU cybersecurity laws but they target different entities. Here is the distinction, where they overlap, and what dual-obligation organisations must do.
How to Build a Technical File That Satisfies CRA Annex VII
The CRA technical file is the dossier of evidence that proves your product meets Annex I requirements. Annex VII specifies exactly what must be in it.
CE Marking and the CRA: What Changes for Software and Connected Products?
From December 2027, CE marking on connected products and software signals CRA compliance. Here is what manufacturers need to understand about affixing the mark correctly.
CRA 2027 Readiness Checklist: Are You Prepared?
With December 2027 approaching, manufacturers need to assess their compliance readiness now. This checklist covers all major CRA obligations — from product classification and SBOM generation to conformity assessment and Article 14 readiness.
CVD Policy Under the CRA: What a Coordinated Vulnerability Disclosure Process Needs
The CRA's vulnerability handling requirements (Annex I, Part II) make a coordinated vulnerability disclosure policy a legal obligation for all CRA-subject manufacturers. Here is what your CVD policy must include and how to make it work in practice.
Default Passwords and CRA: What Annex I Requires
Default credentials shared across device fleets are explicitly prohibited under CRA Annex I. This post explains the requirement, why it exists, implementation options for IoT manufacturers, and common mistakes.
The CRA Compliance Checklist: 12 Steps Before September 2026
Article 14 incident reporting begins in September 2026, well before the December 2027 full-application deadline. These are the 12 steps every manufacturer must complete first.
Market Surveillance and CRA Enforcement
National market surveillance authorities enforce the CRA in each EU member state. This post explains their powers, how enforcement actions work, the penalties manufacturers face, and what triggers investigations.
CRA Product Classification: Default, Important Class I, Important Class II, or Critical?
Getting your CRA product classification right determines whether you can self-certify or need a notified body. This guide walks through the decision process for each category.
SBOM Requirements Under the CRA: What Manufacturers Need to Know
The CRA requires machine-readable SBOMs for every product with digital elements. This guide covers formats, required fields, depth, and ongoing maintenance obligations.
Conformity Assessment Routes Under the CRA
The CRA defines three conformity assessment routes depending on product classification — self-assessment (Module A), enhanced self-assessment, and third-party notified body assessment. This post explains when each applies and what is involved.
CRA Article 14: How to Handle Vulnerability Disclosure and Incident Reporting
Article 14 requires manufacturers to submit an early warning to ENISA and the coordinating CSIRT within 24 hours of becoming aware that a product vulnerability is being actively exploited. Here is exactly what that process looks like.
ENISA's Role in CRA Enforcement
ENISA plays a central role in the CRA framework — receiving Article 14 vulnerability reports, maintaining the EUVD, publishing guidance, and coordinating with national authorities. This post explains what ENISA does and how manufacturers interact with it.
Article 14 Incident Reporting: A Step-by-Step Guide
Walk through the three-stage CRA incident reporting process: the 24-hour early warning, the 72-hour detailed notification, and the final report, due within 14 days of a corrective measure being available for a vulnerability or within one month for a severe incident.
Patch Management Requirements Under the CRA
The CRA mandates a support period of at least five years (or the product's expected lifetime, if shorter) and requires that security updates be distributed without undue delay. This post covers the technical and organisational requirements for a compliant patch management programme.
Vulnerability Management Under the CRA: EPSS, CVSS, and VEX
CRA requires manufacturers to handle vulnerabilities without undue delay. Here's how to prioritise using EPSS and CVSS, and how VEX statuses communicate exploitability to your customers.
IoT Devices and the CRA: Classification and Requirements
IoT devices are firmly in scope for the CRA. This post covers how to classify consumer and industrial IoT products, which Annex I requirements are most challenging for IoT, and practical implementation guidance for constrained devices.
CRA vs NIS2: Understanding the Difference
The CRA and NIS2 are both EU cybersecurity regulations, but they apply to different entities and impose different obligations. This post explains the distinction, where they overlap, and what dual-obligation organisations need to do.
SBOMs Under the CRA: What You Need to Know
CRA Annex I requires manufacturers to document all software components. Here's what an SBOM is, why CycloneDX is the right format, and how to automate generation.
Conducting a CRA-Compliant Product Risk Assessment
The CRA requires a cybersecurity risk assessment for each product as part of the technical file. This guide covers methodology, required outputs, and how to link the assessment to your Annex I compliance evidence.
CRA Deadlines Explained: Sep 2026 vs Dec 2027
The CRA has three critical dates. Here's what each one means and what you need to have ready before each deadline.
CRA Obligations for Importers and Distributors
Importers and distributors are not off the hook under the CRA. This post explains the distinct obligations each supply chain role faces — and the circumstances in which a distributor can become a manufacturer.
Security by Design Under CRA Annex I: Practical Steps
Annex I requires products to be designed with security built in from the start — not added on afterwards. This post covers the practical security-by-design principles the CRA expects and how to implement them in your development process.
What is the EU Cyber Resilience Act?
A plain-English overview of CRA scope, obligations, and what it means for manufacturers of connected products.
CRA Technical File: What to Include and How to Maintain It
The CRA requires manufacturers to compile and maintain a technical file demonstrating compliance. This guide covers every required component — from the product description and risk assessment to test results and the SBOM.
EU Declaration of Conformity: Step-by-Step Guide
The EU Declaration of Conformity is the manufacturer's formal declaration that a product meets CRA requirements. This guide covers the mandatory content set out in Article 28 and Annex V, retention obligations, and common mistakes to avoid.
Setting Up a CVD Programme for CRA Compliance
Annex I, Part II of the CRA requires manufacturers to operate a coordinated vulnerability disclosure (CVD) programme. This post walks through writing a CVD policy, setting up a disclosure channel, handling reports, and issuing CSAF advisories.
The CRA and Open Source Software: What's Exempt?
The CRA includes an exemption for open source software developed outside a commercial activity — but the boundaries are narrower than many developers assume. This post explains exactly what is and is not exempt.
How to Classify Your Product Under the CRA
The CRA sorts products into default, important (Class I and Class II) and critical categories, each with its own conformity assessment route. Getting your classification right determines whether you can self-certify or need a notified body.
SBOM Under the CRA: What You Need to Know
The CRA requires manufacturers to generate and maintain machine-readable SBOMs for all products with digital elements. This guide covers format requirements (SPDX vs CycloneDX), minimum fields, depth, and ongoing maintenance obligations.
Article 14 Incident Reporting: What Manufacturers Must Do
Article 14 of the CRA introduces strict timelines for reporting actively exploited vulnerabilities to ENISA: 24 hours for an early warning, 72 hours for a detailed report, and a final report on resolution. Miss these and you face enforcement action.
Breaking Down CRA Annex I: All 21 Essential Requirements
Annex I of the CRA contains 21 essential cybersecurity requirements split across two parts — product design (Part I) and vulnerability handling (Part II). This post breaks down each requirement with practical implementation guidance.
What Is the Cyber Resilience Act? A Complete Guide
The EU Cyber Resilience Act (Regulation 2024/2847) introduces mandatory cybersecurity requirements for all products with digital elements sold in the EU. This guide explains who it affects, what it requires, and when you need to comply.