/

Regulation & Framework

/

Cyber Resilience Act (CRA)

EXPERTISE

Cyber Resilience Act (CRA)

EU security requirements for products with digital elements — secure-by-design, vulnerability handling, and lifecycle obligations for anyone making or selling connected hardware and software.

What it is — and why it matters.

The Cyber Resilience Act introduces mandatory cybersecurity requirements for "products with digital elements" — hardware and software that connect to a device or network. Manufacturers must build security in by design, handle vulnerabilities across the product's lifecycle, provide security updates, and demonstrate conformity (including CE marking). It also introduces obligations to report actively exploited vulnerabilities and severe incidents. Importers and distributors carry duties of their own. For product makers, the CRA shifts cybersecurity from optional to a condition of access to the EU market.

Who this affects.

Manufacturers, importers, and distributors of connected products placed on the EU market — from IoT devices and components to standalone software. If you make or sell digital products, the CRA very likely affects you.

What's involved

How we help.

  • Product scoping | Which products are in scope, and in which category.

  • Gap analysis | Where your products stand against CRA requirements.

  • Secure development lifecycle | Building security into how products are made.

  • Vulnerability handling | Coordinated disclosure and lifecycle processes.

  • Reporting readiness | Meeting the vulnerability and incident reporting duties.

  • Conformity documentation | The evidence and documentation conformity needs.

Governance

Within your managed office.

The CRA sits under Compliance and connects strongly to Architecture & Transformation (secure development and product architecture) and Risk. We manage it as part of your program so product security and organisational security reinforce each other.

Within your managed office.

The CRA sits under Compliance and connects strongly to Architecture & Transformation (secure development and product architecture) and Risk. We manage it as part of your program so product security and organisational security reinforce each other.

CTRL Disrupt

Your Managed Security & Risk Office.
Based in the Netherlands.

EXPERTISE

ISO 27001

NIS2

BIO2.0

EU AI Act

AI Security & Compliance

Marshalllaan 2
2625 GZ Delft
The Netherlands

© 2026 CTRL Disrupt Consulting B.V. · KvK 87198983 · All rights reserved.