Cyber Resilience Act (CRA) Compliance
Get clarity. Prioritise action. Secure Your Products.

Are Your Digital Products CRA-Ready?
The Cyber Resilience Act (CRA) is redefining how organisations design, build, and maintain digital products in the European Union (EU). Importantly, the products must pass a required CRA conformity assessment. This includes both software and hardware products that contain digital elements.
In September 2026, vulnerability reporting obligations begin for organisations with products in scope. From December 2027, full compliance is mandatory, with substantial fines on the line.
Don’t wait until it’s too late. Gain a fast, structured view of where you stand today and what to do next. Before investing in new controls, tooling, or processes, you need clear answers:
- Where are we already aligned with CRA requirements?
- Where are the critical gaps?
- What effort is required to close them?
Northwave’s CRA Quick Scan ensures you can answer these questions and develop a practical improvement plan to fill any compliance gaps.
How Northwave’s CRA Quick Scan Works
This is not another theoretical compliance exercise. We designed our Quick Scan as a decision-making tool, focused on how your organisation actually develops, releases, and maintains products, and where CRA requirements will really impact you.
You’ll gain:
- Clear insight into your current level of CRA compliance
- Identification of gaps across key requirements
- A prioritised, actionable roadmap
- Realistic indication of effort (time, capacity, organisational impact)
Our focused approach delivers fast, high-quality insight. The result is a concise, management-ready report that supports strategic decision-making.

- Intake: Define relevant products, processes, and stakeholders
- Desk Research: Review existing policies, controls, and documentation
- Stakeholder Interviews: Gather insight into how processes actually work in practice
- Assessment & Gap Analysis: Map your current state against CRA requirements
- Management Report & Presentation: Deliver clear findings, priorities, and next steps
Why act now?
The CRA introduces operational accountability across the entire product lifecycle. Implementing its requirements is not a quick fix. It typically requires fundamental changes to development practices, governance, and product lifecycle management.
Organisations that start early can implement these changes in a controlled and phased manner. Those that wait risk being forced into reactive, time-pressured remediation with higher costs and operational disruption.
Key requirements include:
- Security by Design: Embed security into product development by performing risk assessments and implementing an appropriate level of security controls from the outset.
- Lifecycle Support: Establish the ability to securely maintain products over time, including timely security updates and a structured vulnerability management process.
- Documentation & SBOM: Maintain technical documentation and a Software Bill of Materials (SBOM).
- Incident & Vulnerability Reporting: Report actively exploited vulnerabilities within strict timelines.
- CE Marking: Demonstrate compliance before products enter the EU market.
In addition to incurring fines of up to €15 million or 2.5% of global turnover, non-compliance can delay product launches, block access to the EU market, and trigger increased scrutiny from regulators and customers.

Take the first step with Northwave
CRA compliance requires coordinated, organisation-wide alignment. The fastest way to get there is to start with a clear, structured assessment. We can also work together to create a CRA consultancy approach tailored to your organisation’s reality.
We are here for you
