CRA

Cyber Resilience Act: Are your products ready?

Prepare for the CRA with Orbik and build compliant products throughout their lifecycle.

10 december 2024

CRA enters into force

Today

11 september 2026

Vulnerability management reporting obligations start

11 december 2027

CRA full application. Mandatory for in-scope products

What the CRA expects from you

Secure by default products, no known exploitable vulnerabilities at launch.​​

Continuous vulnerability management and updates during support period.

Clear documentation, CE marking and conformity assessment where required.

Incident and vulnerability reporting to users and authorities.

Pre-testing and advanced security testing for connected products. Acredited testing for IEC 62443, CRA and related standards. Support for certification and CE marking.

Explore

Product

Automated security tests for your products. Centralized vulnerability and SBOM management One place for CRA compliance evidence.

Get started

Compliance services

CRA GAP Analysis and initial risk assessment. Secure development and testing strategy (S-SDLC). Ongoing advisory, audits and compliance reviews.​

Contact us

Who is affected by the CRA?

Product Manufacturers

For companies developing products: full compliance and cybersecurity evaluation from design to launch.

More information

System Integrators

For integrators and organizations operating with third-party products: assurance that all suppliers meet required standards and regulations. 

More information

Distributors

Distributing products in the supply chain: Responsibility to verify regulatory compliance and pass on conformity information to customers. 

Contact us

Manufacturers define a category based on the criteria of the standard

Products that are not classified in any other class
Modules: A, B+C, H
Notified body: optional for Module B+C or H
Modules A, B+C, H

Notified body: optional for Module B+C or H

Products with sensitive security or connectivity functions
Annex III. A CRA, Annex I
Modules: B+C, H
Notified body: recommended for Module B+C
Products with higher criticalty or greater potential impact
Annex III. B, CRA, Annex I
Modules: B+C, H
Notified body: mandatory
Products capable of causing serious disruptions to essential services
Annex IV CRA
Modules: H, B+C³
Notified body: mandatory

How much do you know about CRA?

Assess your CRA readiness

The Cyber Resilience Act (CRA) introduces new cybersecurity requirements for digital products in the EU.

Answer a few quick questions to see where your organization stands today and what kind of support would be most useful for you.

GAP Analysis to identify your compliance status

Support in generating SBOMs

During development

Technical controls implementation

Vulnerability management platform

Need validation

Cybersecurity testing

Automated compliance dashboard and security checks

Seek certification

Accredited audits and regulatory assessments

Centralized documentation and support

Need to monitor cybersecurity operations

Continuous vulnerability management

Support for regulatory notifications

Discover more

Do you want to
know more?

From GAP Analysis to certification, we are here to support you at every step. Reach out to start improving your product cybersecurity today.

Do you want to know more?

From GAP Analysis to certification, we are here to support you at every step. Reach out to start improving your product cybersecurity today.