EXPERTISE
Cyber Resilience Act (CRA)
EU security requirements for products with digital elements — secure-by-design, vulnerability handling, and lifecycle obligations for anyone making or selling connected hardware and software.
What it is — and why it matters.
The Cyber Resilience Act introduces mandatory cybersecurity requirements for "products with digital elements" — hardware and software that connect to a device or network. Manufacturers must build security in by design, handle vulnerabilities across the product's lifecycle, provide security updates, and demonstrate conformity (including CE marking). It also introduces obligations to report actively exploited vulnerabilities and severe incidents. Importers and distributors carry duties of their own. For product makers, the CRA shifts cybersecurity from optional to a condition of access to the EU market.
Who this affects.
Manufacturers, importers, and distributors of connected products placed on the EU market — from IoT devices and components to standalone software. If you make or sell digital products, the CRA very likely affects you.
What's involved
How we help.
Product scoping | Which products are in scope, and in which category.
Gap analysis | Where your products stand against CRA requirements.
Secure development lifecycle | Building security into how products are made.
Vulnerability handling | Coordinated disclosure and lifecycle processes.
Reporting readiness | Meeting the vulnerability and incident reporting duties.
Conformity documentation | The evidence and documentation conformity needs.
Governance
Within your managed office.
The CRA sits under Compliance and connects strongly to Architecture & Transformation (secure development and product architecture) and Risk. We manage it as part of your program so product security and organisational security reinforce each other.
Related expertise
Topic
Enterprise Security Architecture
A business-driven, enterprise-wide architecture that links security to strategy — from business context down to logical and physical design, so every control traces back to a goal.
Topic
Information Security Architecture
The structured design of security controls across your technical estate — identity, network, data, cloud, endpoints — as one coherent system aligned to your risks.
Topic
Security Strategy
Setting direction and priorities for security — a sequenced, realistic roadmap aligned to your objectives and risk, not a wish list of everything.
Within your managed office.
The CRA sits under Compliance and connects strongly to Architecture & Transformation (secure development and product architecture) and Risk. We manage it as part of your program so product security and organisational security reinforce each other.
CTRL Disrupt
Your Managed Security & Risk Office.
Based in the Netherlands.
EXPERTISE
ISO 27001
NIS2
BIO2.0
EU AI Act
AI Security & Compliance
Marshalllaan 2
2625 GZ Delft
The Netherlands
© 2026 CTRL Disrupt Consulting B.V. · KvK 87198983 · All rights reserved.