Sustainable CRA Measures for Enhanced Product Security and Competitiveness

The CRA sets specific requirements for manufacturers, importers, and distributors of digital products. With carmasec, you understand your obligations, receive a reliable roadmap, and implement the requirements on schedule.

 

Key Facts

The CRA applies to hardware, software, and networked systems with digital elements. Initial reporting obligations for actively exploited vulnerabilities take effect from September 2026. From December 2027, only compliant products may be placed on the EU market. Violations may result in fines of up to 15 million euros or 2.5 percent of global annual revenue, as well as sales bans.

Complex Requirements

The CRA requires Security by Design, comprehensive vulnerability management, regular security updates for at least five years, a complete SBOM, and a conformity assessment with CE marking. The requirements affect development, product management, and executive management equally.

Known Challenges

Many organizations have previously focused on functional safety. Responsibilities for cybersecurity are often unclear. Legacy products can only be retrofitted with considerable effort. And the regulation itself is complex, while binding standards are still pending.

cra. done. right.

Your Partner for the Cyber Resilience Act

We bring experience from complex compliance projects. We analyze which of your products fall under the CRA and implement the requirements in a structured manner. Every measure is tailored to your context. The result: complete, auditable CRA compliance that secures the EU market.

Getting Started with CRA Compliance

Tailored to your specific needs.

Starter

Determining Impact

You’ll quickly know which of your products fall under the CRA and exactly what is required of you.

  • Impact analysis of your products
  • Classification into CRA product categories
  • Initial assessment of the need for action
  • Summary for management

From 1,500 €*

depending on the number of products

Professional

Clarity and Roadmap

You know you’re affected. We analyze the current situation, identify the gaps, and provide a prioritized roadmap with concrete next steps.

  • Everything from the Starter
  • Document Toolbox
  • Gap assessment against all CRA requirements
  • Prioritized action roadmap
  • Concrete next steps based on proven blueprints

From 9,000 €*

 

Managed

Full implementation

Ongoing support as a trusted advisor for your CRA compliance.

  • Defined monthly hour allocation
  • Regular scheduled meetings
  • Review of actions and documentation
  • Consultation on CRA
  • Support with action planning

From 3,500 €*

per month, depending on scope

We’ll put together a customized package for you.

 

From Day One

With carmasec, you have an experienced partner for the entire Cyber Resilience Act implementation, from initial assessment to auditable compliance. You quickly understand which of your products are affected, what is specifically required, and which steps are next.

The Cyber Resilience Act fundamentally changes the way cybersecurity is approached in products. The implication is clear: No CRA compliance means no CE marking. And no CE marking means no market access in the EU.

Holger Kühlwetter, Senior Security Consultant

CRA at a Glance

The Cyber Resilience Act requires manufacturers, importers, and distributors of digital products to demonstrate security throughout the entire product lifecycle. The requirements apply starting from the initial development phase and include security by design, vulnerability management, reporting obligations, SBOM documentation, security updates for at least five years, and a conformity assessment with CE marking.

You can find all the details on requirements, deadlines, and common implementation mistakes in our free white paper (in German).

Only an analysis can reveal the true extent of the gap

Many companies believe their products already largely meet cyber resilience requirements. Gap analyses consistently paint a different picture, as the gap between perceived and actual compliance is often wider than expected.

 

We support organizations from initial assessment to auditable compliance. Every measure is aligned with the products and processes.

Our experience ranges from mid-sized manufacturers to internationally operating companies with complex product portfolios.

We combine governance, technical analysis, and operational implementation in one team to eliminate friction losses.

FAQ

Do you have questions about the Cyber Resilience Act? Here are our answers.

Am I affected by the CRA?

The CRA applies to all products with digital elements that are manufactured, imported, or sold in the EU. This includes hardware with embedded software, software products, and networked systems. Exceptions include medical devices and vehicles, which are subject to their own regulations.

What does Security by Design mean?

Security is planned from the first development phase. This includes systematic risk analysis, threat models, and traceable documentation of all security-relevant decisions.

What does the CRA require for conformity assessment?

Products must undergo a conformity assessment before being placed on the EU market. CE marking is a prerequisite for market access.

How does the CRA differ from NIS-2?

NIS-2 regulates operators of essential and critical infrastructure. The CRA regulates products with digital elements and is directed at manufacturers, importers, and distributors. Both regulations may apply simultaneously.

How comprehensive is the CRA Starter Package and where does it end?

CRA Starter clarifies impact, risk classes, and initial action requirements. Structured implementation begins with CRA Professional.

What distinguishes your gap assessment from a traditional gap analysis?

We deliver prioritized measures that are immediately actionable. The assessment is based on your specific products and processes.

Which areas and roles are involved?

Development, product management, legal, and executive management.

How can the results be integrated into existing governance structures?

We align the measures with existing structures. Organizations that already operate an ISMS can build CRA requirements directly on it.

What is the added value compared to an internal analysis?

We bring experience from numerous CRA projects. You receive a reliable assessment that surpasses internally developed analyses in depth and practical relevance.

Who bears legal responsibility?

Manufacturers bear primary responsibility. Importers and distributors are liable if they fail to ensure compliant products. Executive management is personally responsible for compliance with reporting obligations.

What happens after CRA Starter or Professional?

You decide whether to manage implementation internally or entrust it to experienced hands with CRA Enterprise. We support both paths.

Whether start-up, mid-sized company, or corporation: We find the right solution

Trust is built through results

Contact

What can we do for you?

Fill out the form, submit it, done. We will get back to you within 24 hours, unless it’s a weekend or public holiday.

Jan Sudmeyer
Managing Director
+49 (0)201 426 385 905