Blog
Insights on CRA compliance, SBOM management, and product security.
CRA for Small Teams: Running a Compliance Programme Without a Compliance Department
The Cyber Resilience Act was written for manufacturers with legal, quality, and security functions in the same building. Most small product teams have none of those. Here is how to run a compliant CRA programme at 5, 15, or 50 people — without hiring for it.
CRA for Contract Manufacturers: Who Is the 'Manufacturer' When the Brand Isn't on the Label?
White-label products, OEM relationships, and contract manufacturing blur the line between who builds a product and who is legally responsible under the CRA. Here is how the regulation allocates the manufacturer role — and why getting it wrong shifts liability to the wrong company.
The CRA Support Period: How Long You Must Patch, and What Happens When the Clock Runs Out
Article 13(8) of the Cyber Resilience Act turns the support period into a hard legal obligation. Here is how to set it, why five years is the wrong default answer, and what actually happens at end-of-support.
Notified Bodies Under the CRA: When You Need One and How to Actually Pick One
Engaging a notified body is the most expensive step in CRA compliance. Here is exactly when the regulation requires it, when it does not, and how to choose a body once you know you need to.
The Article 14 Incident Reporting Clock: How the 24h / 72h / 14-Day Deadlines Actually Work
The CRA's reporting obligations are the compliance requirement most likely to land you in front of a regulator — because they trigger fast and they trigger often. Here is exactly how the three deadlines work, when each clock starts, and what has to be in each submission.
CRA Risk Assessment: A Step-by-Step Walkthrough of Article 13(3)
The Article 13(3) risk assessment is the backbone of the entire CRA technical file. Here is how to produce one from first principles, structured the way an auditor expects to read it.
CRA Conformity Assessment Routes: Module A, B+C, H, and European Certification Explained
Choosing the wrong conformity-assessment route under the CRA costs you anywhere from a few weeks of delay to several hundred thousand euros in assessment fees. Here is how the four routes actually work, which one applies to your product, and when you need a notified body.
CRA vs NIS2 vs the Radio Equipment Directive: How EU Cyber Regulations Overlap
Confused by the alphabet soup of EU cybersecurity regulations? This guide explains how the CRA, NIS2, and RED differ, where they overlap, and what applies to your business.
Writing Your CRA Declaration of Conformity: A Practical Guide to Annex V
The EU Declaration of Conformity is the single page your product lives or dies by under the CRA. Here is what Annex V of the final Regulation actually requires, written the way a compliance officer needs to read it.
Technical Documentation Under CRA Annex VII: A Working Contents List for Your Product File
The technical documentation file is where a market-surveillance audit lives or dies. Here is what Annex VII actually requires, organised as a working contents list you can copy into a folder structure today.
CRA Penalties Explained: Fines, Market Bans, and Enforcement
What happens if you don't comply with the EU Cyber Resilience Act? Understand the fine tiers, market surveillance powers, product recalls, and real enforcement scenarios.
Security by Design Under CRA Annex I: The Eleven Product Requirements, Translated
Annex I Part I of the Cyber Resilience Act lists eleven essential cybersecurity requirements for the product itself. Here is what each one actually means in engineering terms — and the design choices that decide whether you meet them.
Open Source and the CRA: What Manufacturers Must Know
Almost every product uses open source software. Learn how the EU Cyber Resilience Act affects your use of open source components, your obligations, and the new open source steward concept.
Vulnerability Disclosure Under the CRA: Setting Up Your First PSIRT
Most manufacturers have never had a security response team. This guide walks you through building a PSIRT, coordinated vulnerability disclosure, and the CRA's reporting requirements.
CRA Compliance Checklist: How to Get Started in 10 Steps
A practical, step-by-step checklist for manufacturers starting their EU Cyber Resilience Act compliance journey. From gap analysis to CE marking — everything you need to do.
Does the CRA Apply to Your Product? A Simple Decision Guide
Not sure if the EU Cyber Resilience Act applies to your product? This decision guide walks you through product types, exemptions, categories, and how to determine your obligations.
SBOM for Manufacturers: What It Is and Why CRA Requires It
Learn what a Software Bill of Materials (SBOM) is, why the EU Cyber Resilience Act requires one, and how to create your first SBOM using CycloneDX or SPDX.
CRA September 2026 Deadline: What Manufacturers Must Do Now
The EU Cyber Resilience Act's first deadline hits September 2026. Learn about Article 14 reporting obligations, PSIRT requirements, and SBOM readiness.
What is the EU Cyber Resilience Act? A Practical Guide for Manufacturers
A plain-language explanation of the EU Cyber Resilience Act (CRA), who it affects, key deadlines, penalties, and practical first steps for product manufacturers.