CRA Compliance: Step-by-Step for Manufacturers
A practical roadmap for achieving EU Cyber Resilience Act compliance. Eight sequential steps covering assessment, security implementation, SBOM, CVD policy, incident reporting, technical file, and CE marking.
Start now — don't wait until 2027
Full compliance is required by 11 December 2027, but Article 14 incident reporting becomes live on 11 September 2026. Most manufacturers need 12–18 months to implement all requirements properly. Starting in mid-2026 leaves insufficient time.
Determine applicability and classify your products
1–2 weeksThe first step is confirming the CRA applies and identifying which risk class your products fall into. This determines your entire compliance roadmap.
- Run a CRA applicability assessment for each product line
- Identify whether each product is Default, Important Class I/II, or Critical
- Determine your conformity assessment route (self-assessment vs notified body)
- Document the assessment results — these form part of your technical file
Conduct a gap analysis against Annex I requirements
2–4 weeksAnnex I lists the essential cybersecurity requirements. Assess your current product architecture against each requirement to identify gaps.
- Review all 13 essential requirements in Annex I, Part I
- Assess current product security against each requirement
- Prioritise gaps by risk level and implementation effort
- Create a remediation plan with owners and timelines
Implement security requirements
1–6 monthsAddress the gaps identified in your Annex I audit. Timelines vary significantly depending on your product architecture and current security posture.
- Implement secure-by-default configuration (disable unnecessary services, ports, accounts)
- Enforce strong authentication and least-privilege access control
- Implement data encryption at rest and in transit
- Add input validation and protection against common attack patterns
- Establish a patch management and update delivery process
- Implement logging and monitoring for security events
Generate and automate SBOMs
1–2 weeksThe CRA requires a machine-readable Software Bill of Materials for every product version. Automate this in your CI/CD pipeline to keep it current.
- Choose an SBOM format: CycloneDX 1.5+ or SPDX 2.3+
- Integrate Syft or CycloneDX CLI into your build pipeline
- Generate a full transitive SBOM (not just top-level dependencies)
- Store SBOMs per product version in a retrievable location
- Set up automated vulnerability matching against NVD, OSV, and EUVD
Establish a Coordinated Vulnerability Disclosure policy
1 weekArticle 15 requires a public CVD policy. You must accept, acknowledge, and act on vulnerability reports from security researchers.
- Draft and publish a CVD policy at a stable public URL
- Publish a security.txt file at /.well-known/security.txt
- Set up a dedicated security reporting email or web form
- Define internal triage, remediation, and disclosure timelines
- Test the process with an internal simulated report
Build incident reporting capability (before Sep 2026)
2–4 weeksFrom 11 September 2026, Article 14 reporting is live. You must be able to detect, assess, and report significant incidents to ENISA within 24 hours.
- Establish internal incident detection and triage processes
- Identify who owns Article 14 reporting (typically security / legal / product teams)
- Build or adopt tooling for the 24h/72h/14d notification workflow
- Conduct a tabletop exercise simulating a real incident report
- Register with your national CSIRT contact point
Compile the Technical File
2–4 weeksAnnex VII requires a technical file that demonstrates compliance. It must be maintained for 10 years after the product is placed on the market.
- Compile product description, design drawings, and intended use
- Include the risk assessment and how Annex I requirements are met
- Attach the SBOM and vulnerability handling procedures
- Include test reports and any harmonised standard conformity records
- Document the update and support lifecycle commitment
Draw up the Declaration of Conformity and affix CE marking
1 weekOnce the technical file is complete and all requirements are met, draw up the EU Declaration of Conformity (DoC) under Article 28 and affix CE marking.
- Complete the EU Declaration of Conformity per Annex V
- Include product identification, applicable legislation, standards, and manufacturer details
- Ensure authorised representative details are included (for non-EU manufacturers)
- Affix CE marking to the product, packaging, or accompanying documentation
- Make the DoC available to market surveillance authorities on request
CRAReady automates the most time-consuming parts of CRA compliance — SBOM generation, vulnerability scanning, incident reporting workflows, and Declaration of Conformity generation.
Start your CRA assessment