THINK SAFE. THINK ICS.

Implement the Cyber Resilience Act (CRA)

Instead of Excel chaos and vague assessments: SECIRA makes risks visible, decisions comprehensible and gets your products safely through the CRA requirements.

Holistic risk analysis
Comprehensive threat analysis
Structured technical documentation
Security by design
Vulnerability assessment
Support with CE conformity assessment

FREE CONSULTATION

How ICS supports you with CRA

Our CRA support starts with a GAP analysis, includes implementation packages for various budgets and does not simply end with the CE stamp. SECIRA provides you with a tool that combines risk analysis, threat modeling and technical documentation in one platform.

1. Orientation

line_blue

CRA classification & scope / impactassessment

  • Analysis of whether and to what extent products are subject to the CRA.
  • Analysis of whether products fall into the category "Important products with digital elements" or "Critical products with digital elements", differentiation from IEC 62443 and other standards.
  • Check which type of CE declaration of conformity is required: self-declaration or via a notified body

Result: Documented analysis with product type, category and recommended action.

CRA gap analysis / readiness check

  • Service: Compact inventory of the CRA maturity level. Implementation of a structured assessment and derivation of necessary measures to close the gaps.
  • Result: Documented gap analysis with high-level recommendations for action
  • Goal: Clarity as to whether and how the product is affected and a quick overview of the need for action.

2. Risk analysis

line_blue

Holistic risk analysis with SECIRA

SECIRA checks whether a vulnerability isaccessible andexploitable. This is exactly what the CRA requires before risk-prioritized measures are defined.

With SECIRA, you can implement CRA requirements in a software-supported and comprehensible manner:

  • Map risk analysis and threat modeling in a structured manner
  • Create and version technical documentation
  • Evaluate vulnerabilities and plan measures
  • Security by design

Resilience strategy / action plan

We work with you to develop a realistic CRA roadmap, jointly prioritize the relevant requirements and define implementation goals that fit your product, team and budget. We also create individual offers for start-ups and SMEs to make it easier to get started.

Goal: Develop a structured roadmap for integrating CRA requirements into development and product cycles.

3. Implementation

line_blue

Security-by-default

Service: Support in the implementation of CRA requirements in concrete measures.

  • Products must be delivered without known vulnerabilities,
  • The integrity of the software must be protected
  • Protective measures must be active in the default state.

Result: Practical support through to a compliant, ready-to-use solution.

SBOM & update management

  • Service: Creation and maintenance of a software bill of materials (SBOM). Definition of support and update processes.
  • Result: Transparent SBOM, documented update strategy, verifiability for auditors.

Vulnerability management

  • Service: Development of a vulnerability reporting process. Establishment and training of a Product Security Incident Response Team (PSIRT).
  • Result: Vulnerability management process, defined workflow, templates for security advisories.
  • Goal: Practical implementation of central obligations in product design and processes.

Training & SDLC integration

  • Service: Implementation of practical training for developers, PMs and security roles. Integration of security-by-design into the development process (SDLC).
  • Result: Trained team, documented process adaptation, sustainable anchoring of security in the lifecycle.
  • Goal: Make teams fit, pass audits and anchor security-by-design sustainably in the company.

4. CE verification & documentation

line_blue

CE conformity assessment

  • Service: Support for the entire CE process according to CRA. Preparation of technical documentation, interface to notified bodies.
  • Result: Complete documentation for CE marking

Documentation

  • Service: Advice and preparation of documentation required by CRA - from product description and development processes to risk assessment, test reports and EU declaration of conformity.
  • Result: Structured, audit-proof dossier that covers all mandatory content in accordance with Art. 31.

5. After-market & operation

line_blue

Continuous monitoring

  • Service: Support or takeover of the vulnerability management process and continuous risk analysis to identify and evaluate exploitable vulnerabilities.
  • Result: SECIRA as a tool for continuous monitoring and vulnerability remediation, managed or as a self-service.

Product Registration & Regulatory Controls

  • Service: Consulting and implementation for reporting obligations. Establishment of internal compliance control mechanisms.
  • Result: Registered products, central overview of regulatory obligations.
  • Goal: Remain legally compliant even after market launch, report vulnerabilities and document updates.
line_blue

CRA classification & scope / impactassessment

  • Analysis of whether and to what extent products are subject to the CRA.
  • Analysis of whether products fall into the category "Important products with digital elements" or "Critical products with digital elements", differentiation from IEC 62443 and other standards.
  • Check which type of CE declaration of conformity is required: self-declaration or via a notified body

Result: Documented analysis with product type, category and recommended action.

CRA gap analysis / readiness check

  • Service: Compact inventory of the CRA maturity level. Implementation of a structured assessment and derivation of necessary measures to close the gaps.
  • Result: Documented gap analysis with high-level recommendations for action
  • Goal: Clarity as to whether and how the product is affected and a quick overview of the need for action.
line_blue

Holistic risk analysis with SECIRA

SECIRA checks whether a vulnerability isaccessible andexploitable. This is exactly what the CRA requires before risk-prioritized measures are defined.

With SECIRA, you can implement CRA requirements in a software-supported and comprehensible manner:

  • Map risk analysis and threat modeling in a structured manner
  • Create and version technical documentation
  • Evaluate vulnerabilities and plan measures
  • Security by design

Resilience strategy / action plan

We work with you to develop a realistic CRA roadmap, jointly prioritize the relevant requirements and define implementation goals that fit your product, team and budget. We also create individual offers for start-ups and SMEs to make it easier to get started.

Goal: Develop a structured roadmap for integrating CRA requirements into development and product cycles.

line_blue

Security-by-default

Service: Support in the implementation of CRA requirements in concrete measures.

  • Products must be delivered without known vulnerabilities,
  • The integrity of the software must be protected
  • Protective measures must be active in the default state.

Result: Practical support through to a compliant, ready-to-use solution.

SBOM & update management

  • Service: Creation and maintenance of a software bill of materials (SBOM). Definition of support and update processes.
  • Result: Transparent SBOM, documented update strategy, verifiability for auditors.

Vulnerability management

  • Service: Development of a vulnerability reporting process. Establishment and training of a Product Security Incident Response Team (PSIRT).
  • Result: Vulnerability management process, defined workflow, templates for security advisories.
  • Goal: Practical implementation of central obligations in product design and processes.

Training & SDLC integration

  • Service: Implementation of practical training for developers, PMs and security roles. Integration of security-by-design into the development process (SDLC).
  • Result: Trained team, documented process adaptation, sustainable anchoring of security in the lifecycle.
  • Goal: Make teams fit, pass audits and anchor security-by-design sustainably in the company.
line_blue

CE conformity assessment

  • Service: Support for the entire CE process according to CRA. Preparation of technical documentation, interface to notified bodies.
  • Result: Complete documentation for CE marking

Documentation

  • Service: Advice and preparation of documentation required by CRA - from product description and development processes to risk assessment, test reports and EU declaration of conformity.
  • Result: Structured, audit-proof dossier that covers all mandatory content in accordance with Art. 31.
line_blue

Continuous monitoring

  • Service: Support or takeover of the vulnerability management process and continuous risk analysis to identify and evaluate exploitable vulnerabilities.
  • Result: SECIRA as a tool for continuous monitoring and vulnerability remediation, managed or as a self-service.

Product Registration & Regulatory Controls

  • Service: Consulting and implementation for reporting obligations. Establishment of internal compliance control mechanisms.
  • Result: Registered products, central overview of regulatory obligations.
  • Goal: Remain legally compliant even after market launch, report vulnerabilities and document updates.

CRA - Clarity in 30 minutes!

Book a free consultation with our CRA experts Ann-Kathrin Wentz and Stefan Karg now.

  • Which requirements apply to your products
  • How our gap analysis provides quick clarity
  • What your next steps look like
BOOK A CONSULTATION NOW
people_ics_ann_katrin_&_stefan_k_contact

CRA implementation package for start-ups and SMEs

Our basic package is aimed at companies that want to start with limited effort and at the same time set the course for later expansion:

  • Risk and threat analysis focused on the minimum requirements
  • CE-relevant documentation prepared
  • Can be flexibly expanded as required
BOOK A CONSULTATION NOW

How ICS supports you with CRA

Our CRA support starts with a GAP analysis, includes implementation packages for various budgets and does not end with the CE stamp. SECIRA provides you with a tool that combines risk analysis, threat modeling and technical documentation in one platform.

GAP ANALYSIS

Our structured GAP analysis shows:

  • Whether and how your products are affected by the CRA

  • Which verifications and processes are missing

  • Whether IEC 62443 requirements also apply

  • What a sensible start looks like depending on the maturity level

CRA IMPLEMENTATION STRATEGY

We develop with you

  • develop a realistic CRA roadmap
  • prioritize the relevant requirements together
  • and define implementation goals that fit your product, team and budget.
BASIC IMPLEMENTATION PACKAGE

Our Basic package is aimed at companies that want to start with limited effort and at the same time set the course for later expansions:

  • Risk and threat analysis focused on the minimum requirements
  • CE-relevant documentation prepared
  • Can be flexibly expanded as required
SECIRA

With SECIRA, you can implement CRA requirements in a software-supported and traceable manner:

  • Map risk analysis and threat modeling in a structured manner
  • Create and version technical documentation
  • Evaluate vulnerabilities and plan measures
  • Security by design

How SECIRA supports the implementation of the CRA

The Cyber Resilience Act not only requires security on paper, but also traceable measures along the entire product life cycle. This is exactly where SECIRA comes in: as a practical tool for manufacturers, system managers and developers of digital products.

Holistic risk analysis

SECIRA enables you to systematically record all security-relevant risks - from conception to operation. The platform combines regulatory requirements with technical depth and offers clear assessment methods for threats and vulnerabilities.

Comprehensive threat analysis

SECIRA uses structured attack tree methods to identify possible vulnerabilities, scenarios and impact chains - in line with the principle of "security by design". This creates the basis for effective protective measures and transparent decision-making.

Structured technical documentation

All assessments, measures and analyses are automatically documented in SECIRA. This allows you to fulfill the CRA obligation for technical documentation without additional effort.

Security by design

With SECIRA, security is not an afterthought, but an integral part of your product development. The platform helps to derive security requirements at an early stage and incorporate them directly into the design.

Vulnerability assessment and action planning

The risk and threat analysis in SECIRA automatically reveals where action is required - including an assessment of the impact and prioritization. This allows you to derive and document targeted measures.

Supports the CE conformity assessment

SECIRA does not provide CE certification - but everything you need for it: reliable risk analyses, documented evidence and a comprehensible safety argumentation as the basis for your CRA declaration of conformity.

SECIRA - The holistic risk management tool

How SECIRA as a digital risk management tool supports companies in implementing technical and regulatory requirements such as CRA, NIS2 & IEC 62443 efficiently, traceably and automatically, including a live demo invitation.

LEARN MORE
ics_secira_modeling

The CRA project becomes a suitable overall package

We put together modular services that fit your requirements and budget: Pentesting, IEC 62443 certification, Secure Operations and CISO as a Service. This turns the CRA basis into an end-to-end roadmap from risk analysis to operation.

Pentesting for products & OT

Uncover vulnerabilities in firmware, interfaces and the cloud. The results support your CRA risk assessment, prioritize measures and can be documented in SECIRA.

 

LEARN MORE

IEC 62443 certification

Classify your product according to standards, close gaps and prepare for audits. Ideal as a supplement to CRA implementation, including mapping between CRA obligations and IEC 62443.

 

LEARN MORE

Secure Operations

Fulfill your post-market obligations: PSIRT, CVD, patch and update processes, SBOM/VEX and reporting. Keep evidence up to date and link it to SECIRA.

 

LEARN MORE

CISO as a service

Get strategic security leadership on a temporary basis: governance, roles, roadmap and reporting. Manages your CRA program and coordinates interfaces to IEC 62443 and audit partners.

 

LEARN MORE

Secure development (security by design)

Anchor security in the development process: threat modeling, clear requirements, code reviews and CI/CD checks (SAST, DAST, SCA, SBOM). Evidence flows directly into SECIRA.

 

LEARN MORE

What the CRA is really calling for - and why action is needed now

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is a planned EU regulation that regulates the cyber security of digital products with hardware and software functionality. The aim is to ensure that products are developed, documented and operated "secure by design" in future, with clear requirements for manufacturers, importers and retailers.
Unlike the NIS2 Directive, the CRA is not aimed at operators of digital services, but at companies that develop, provide or distribute products, e.g:

  • Manufacturers of digital devices or embedded systems
  • Software developers who offer marketable tools
  • Providers of configuration software or remote services
  • OEMs, suppliers or distributors
  • Importers and integrators

Is my company affected by the CRA?

If you develop, distribute or import products that contain digital functions, there is a good chance that the CRA applies to you.

Typical examples:

  • Software tools for machines, vehicles, control units, IoT
  • Digitally networked products with embedded software
  • Remote service platforms for configuration, maintenance or monitoring
  • Digital products designed for critical infrastructures (e.g. KRITIS, OT interfaces)

What does the CRA specifically require?

  • Carrying out a risk and threat analysis before market launch
  • Implementation of technical and organizational protective measures (security by design)
  • Comprehensible documentation of the security functions
  • Conformity assessment and CE marking according to CRA

When will the CRA apply?

  • Adoption at EU level: 2024 will take place
  • Transition period: 36 months (for new products)
  • Mandatory implementation: from Dec. 11, 2027
  • Obligation to report vulnerabilities already from Sept. 11, 2026
  • A transitional period of 21 months applies to existing products that are marketed after the deadline

What happens in the event of violations?

Fines

up to € 15 million or 2.5 % of global annual turnover

Sales ban

of the product concerned throughout the EU in the event of significant risks

Liability risks

for management and manufacturers

FAQ

Does the CRA also apply to us, even though we are not a traditional IT company?

Yes, very likely. The CRA affects not only software companies - but all manufacturers, importers and distributors of "products with digital elements". These include, for example, machines with embedded software, IoT devices, networked control units or digital medical devices. The decisive factor is whether your product is networkable or contains software that handles data.

What exactly is a "product with digital elements" according to the CRA?

A product with a hardware or software component that is directly or indirectly connected to other devices or networks.
The CRA distinguishes between:

  • Software (e.g. applications, operating systems, apps, middleware)

  • Hardware with a digital function (e.g. sensors, control units, networked machines)
    Even open source components can be affected if they are provided commercially.

Do we also have to adapt existing products in accordance with CRA - or does this only apply to new developments?

In principle, the CRA only applies to products that are launched on the market after it comes into force.
BUT: If an existing product is significantly changed or further developed (e.g. through major software updates), the CRA can apply retroactively. In addition, obligations to provide updates also apply to products that have already been delivered during their planned service life.

How does the CRA differ from NIS2 or the IT Security Act 2.0?

CRA = product safety. NIS2 = operational safety.

  • CRA applies to manufacturers, importers and retailers of digital products.

  • NIS2 affects operators of "critical facilities" (e.g. energy, health, transportation), i.e. IT/OT in operations.
    The aim of both laws is cyber resilience, but at different levels and with different obligations.

More about NIS2 and our services

What specific obligations do developers and product managers have?

The following CRA obligations directly affect product teams:

  • Carrying out a risk analysis before market launch

  • Integration of security by design & default

  • Establishment of vulnerability management

  • Creation and maintenance of technical documentation

  • Preparation for a possible conformity assessment (e.g. CE)

What does "security by design" mean in concrete terms - and how can we implement it?

Security by design means that security is part of the product development process right from the start - not just at the end.
In practical terms, this means

  • Threat modeling (e.g. attack tree)

  • Risk-based architecture decisions

  • Documentation of protective measures

  • continuous testing and vulnerability management
    Tools such as SECIRA systematically support this process.

What documents and evidence does the CRA specifically require?

The following are required as a minimum

  • a risk assessment of the product

  • a threat analysis

  • technical documentation of the protective measures

  • a description of the vulnerability management process

  • test results, test certificates or external audits, if applicable. SECIRA documents this evidence automatically and comprehensibly.

CRA or IEC 62443 - which applies to which product and when?

Does the CRA, IEC 62443 or both apply to your product? Find out quickly and easily with our questionnaire and specific examples.

 

TO THE ARTICLE

Normative requirements for risk management - IEC 62443 and ISO 27005

What are the differences between the various norms and standards and what do companies need to do to comply with them?

 

TO THE ARTICLE

The importance of a user-friendly security platform | SECIRA

Learn why usability becomes a security issue - and how SECIRA combines risk, compliance & IT/OT security on one platform.

 

TO THE ARTICLE

Recent Posts

Book a consultation now!

In the initial consultation, we clarify whether CRA, IEC 62443 or both apply to you and whether a GAP analysis or our basic implementation package is the right way to get started. We will show you live how SECIRA can accelerate your implementation.