Strengthening Your Product’s Cybersecurity for the European Market

The Cyber Resilience Act (CRA) marks a major shift in how digital product security is regulated across the EU. As a mandatory framework applying to all products with digital elements, the CRA introduces harmonized cybersecurity requirements that manufacturers must meet to access the European market. At CCLab, we support your organization in navigating this new regulatory landscape with clarity, confidence, and expert guidance.


Why the CRA Matters

In an increasingly interconnected world, digital products serve as critical entry points into networks and infrastructures. The CRA responds to growing cybersecurity concerns by transforming security-by-design from a recommendation into a legal obligation.
Manufacturers must now demonstrate that their products meet essential cybersecurity requirements from design and development to deployment, maintenance, and end-of-life.

The CRA ensures:

  • Security throughout the entire product lifecycle

  • Consistent requirements across the EU’s internal market

  • Greater consumer and business confidence

  • Clear, transparent accountability for manufacturers, importers, and distributors

CRA Compliance at a Glance

The CRA applies to any product with digital elements, including:

  • Consumer IoT devices

  • Industrial control systems

  • Embedded software

  • Enterprise applications

  • Remote data processing (cloud) components that are integral to a product's functions

To ensure consistent security, the CRA introduces requirements covering:

  • Lifecycle risk management

  • Secure design and development

  • Vulnerability handling and updates

  • Technical documentation and transparency

Our services are tailored for:

  • Manufacturers of consumer IoT, industrial or embedded devices

  • Software developers and platform providers

  • Importers and distributors seeking to understand obligations

A key compliance pathway is Module A – Internal Production Control, where manufacturers verify conformity internally, without a notified body, and document every step. Module A is always available for products that are neither important nor critical; for Class I important products (Annex III) it may be used only where harmonised standards, common specifications or European cybersecurity certification schemes are applied in full.

Products aligned with harmonized European standards (hENs) may benefit from Presumption of Conformity, simplifying the path to market. However, where standards remain incomplete, additional assessments and risk analyses are required.

As of now, no harmonised standards under the CRA have been officially published in the Official Journal of the EU. However, CCLab actively tracks the development of candidate standards, such as the EN 18031 series, and helps clients align early.

How CCLab Supports Your CRA Journey

As an accredited evaluation laboratory with extensive industry experience, CCLab provides full-spectrum support for organizations preparing for CRA compliance. We help you translate regulatory obligations into practical, actionable processes.

CRA Gap Analysis

Identify gaps between your product’s current security posture and CRA Annex I requirements.

Conformity Assessment Support – Module A

We guide you through the Internal Production Control process, including:

  • Technical documentation validation
  • Risk assessment review
  • Verification of security processes

Testing and Consulting Based on Harmonized Standards (hENs)

Our experts apply up-to-date knowledge of the standards under development within CEN, CENELEC, and ETSI under the Commission's standardisation request M/606.

Lifecycle Security and Vulnerability Assessment

Ensure your vulnerability management, update mechanisms, and incident response procedures meet Annex I expectations.

Training and Team Enablement

We provide tailored training programs to help your teams integrate CRA requirements from the earliest development stages. At CCLab, we act not only as evaluators but as strategic partners, supporting you from concept to market placement.

What Manufacturers Must Ensure Under the CRA

The CRA imposes clear responsibilities, including:

  • Security-by-design integration

  • Documented risk management

  • Regular security updates

  • Vulnerability handling and notification processes

  • Technical documentation per Annex II

  • EU Declaration of Conformity and CE marking

Compliance is continuous — not a one-time event. Our experts help you maintain ongoing conformity in line with regulatory expectations.


Your Path to a Secure and Compliant Future


The CRA becomes fully applicable on 11 December 2027, but early preparation is essential. Organizations that begin integrating CRA requirements today will:

  • Simplify future compliance efforts

  • Reduce costs and development delays

  • Strengthen cybersecurity resilience

  • Gain a strategic market advantage

CCLab is here to support you at every step.


FAQ

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is a European Union regulation that sets horizontal cybersecurity requirements for all products with digital elements — including connected hardware and software, from IoT devices to standalone software applications. Unlike sector-specific laws, the CRA ensures a unified minimum level of cybersecurity across the entire EU market.

It requires manufacturers to consider cybersecurity throughout the entire product lifecycle — from design and development to maintenance and vulnerability handling. This means security can no longer be treated as an afterthought but must be built into products by design (“security by design” and “security by default”).

When will the CRA become applicable?

Although the CRA formally entered into force on 10 December 2024, its main obligations only apply from 11 December 2027. Two parts apply earlier: the provisions on notification of conformity assessment bodies (Chapter IV) apply from 11 June 2026, and manufacturers' reporting obligations for actively exploited vulnerabilities and severe incidents (Article 14) apply from 11 September 2026. The transition period allows manufacturers and other stakeholders to adjust their development, compliance, and support processes in line with the new requirements.

After this date, any product with digital elements that is not compliant with CRA requirements cannot be legally placed on the EU market. Companies should therefore already start preparing by identifying affected products and aligning existing standards and risk management processes with the CRA.

What happens to the Radio Equipment Directive Delegated Act (RED-DA)?

The RED Delegated Act (EU) 2022/30 — which currently defines cybersecurity requirements for certain radio-connected products — will be repealed on 11 December 2027, the same day the CRA becomes fully applicable.

From that point onward, the CRA will serve as the overarching legal framework for product cybersecurity, avoiding duplication of obligations. Until then, manufacturers must still comply with the RED-DA, and existing RED-DA compliance work will still support future CRA compliance.

How are RED-DA and CRA related?

Both the RED-DA and the CRA impose mandatory cybersecurity requirements enforceable via CE marking.

  • RED-DA applies to internet-connected radio equipment, and to radio equipment that processes personal data or enables the transfer of virtual money.
  • CRA applies to all digital products, including software-only products.

Many devices fall under both frameworks (e.g., smart home devices, routers, industrial gateways). Once the CRA applies, it will take precedence, creating a single streamlined cybersecurity framework.

What is “Module A” and how does it relate to the CRA?

“Module A” refers to the Internal Production Control conformity assessment procedure (CRA Annex VIII, Part I). Under it, the manufacturer carries out the conformity assessment itself, without involving a notified body, and self-declares conformity.

Manufacturers using Module A must draw up the technical documentation, implement internal processes ensuring that the product and their own processes meet all essential cybersecurity requirements of Annex I, then issue an EU Declaration of Conformity and affix the CE marking, taking full legal responsibility.

Whether Module A may be used depends on the product category. Products that are neither important nor critical may always use it. Important products in Class I (Annex III) may use it only if harmonised standards (hENs), common specifications or European cybersecurity certification schemes are applied in full; where these do not exist or are only partly applied, a third-party procedure (Module B + C or Module H) or a certification scheme is required. Class II important products and critical products cannot use Module A at all.

What is “Presumption of Conformity” (PoC)?

Presumption of Conformity means that a product is presumed to meet CRA requirements if it complies with harmonised standards (hENs) published in the Official Journal of the European Union.

By following these standards, manufacturers can demonstrate compliance in a straightforward and recognised way. However, PoC only applies to the aspects covered by the standards; any uncovered risks must be handled separately.

Important: No harmonised standards have yet been published under the CRA. Therefore, full Presumption of Conformity is currently impossible, and manufacturers must rely on alternative assessment methods until standards are finalised.

Can all products achieve full PoC under Module A?

No. Presumption of Conformity itself (Article 27) is not tied to product class: any product that conforms to harmonised standards published in the Official Journal is presumed to meet the requirements those standards cover. What differs by class is whether Module A is permitted at all.

Products that are neither important nor critical may use Module A in every case. Important products in Class I (Annex III) may use Module A only when harmonised standards, common specifications or European cybersecurity certification schemes are applied in full, so full coverage by hENs is what opens the self-assessment route for them. Class II important products and critical products (Annex IV) must undergo third-party assessment or certification regardless of which standards are applied.

Currently, no CRA harmonised standards have been published, meaning no product can yet claim Presumption of Conformity under the CRA, and Class I products cannot yet qualify for Module A on the basis of harmonised standards alone.

How do harmonised standards (hEN) support CRA compliance?

Harmonised standards form the technical backbone for demonstrating CRA compliance. The EN 18031 series — originally used for RED-DA — is expected to form the basis for future CRA harmonised standards.

This continuity means current RED-DA alignment efforts will continue to be useful and will ease the transition to CRA compliance.

Once harmonised standards are published, they will provide manufacturers with clear, recognised methods to meet cybersecurity and vulnerability management requirements.

Important: Candidate standards (such as EN 18031-1/-2/-3) are in development, but none have yet been harmonised. Until published in the Official Journal, compliance must rely on custom technical documentation and risk assessments.