EU Cyber Resilience Act Compliance Without the Consultant Bill
From December 2027, no product with digital elements can be sold in the EU without proving it meets the Cyber Resilience Act. CyberAssure gives you a defensible, evidence-backed way to know exactly where you stand — and to prove you are closing the gap — owned by your own team, not rented from a consultant.
100% local · runs on your device · no data leaves your environment
The CRA is now the price of entry to the EU market
For decades, building security into a connected product was a choice. The EU Cyber Resilience Act (Regulation 2024/2847) ends that. It makes cybersecurity a legal precondition for placing any product with digital elements on the European market — and the clock is already running. Vulnerability and incident reporting obligations bite from September 2026; from December 2027, a product without demonstrable CRA conformity simply cannot carry the CE marking it needs to be sold.
The exposure is not theoretical. Non-compliance carries penalties of up to €15 million or 2.5% of global annual turnover, whichever is higher — alongside the more immediate commercial risk of being locked out of the EU entirely. For any manufacturer, importer or distributor that touches the European market, CRA readiness has moved from a future project to a present obligation.
EU CRA Enforcement Timeline
December 2024: Regulation in force. CRA published in the EU Official Journal. Compliance planning should begin now.
September 2026: Reporting obligations apply. Vulnerability and incident reporting to ENISA becomes mandatory. First hard deadline.
December 2027: Full compliance required. All essential requirements, CE marking, and conformity assessment obligations enforceable.
Knowing where you stand is the hard part
The CRA runs to hundreds of pages of articles and annexes. Translating that into "are we compliant, and if not, what exactly do we fix?" is a genuinely hard problem — and the usual answers fall short. A Big-4 readiness engagement runs into six figures, produces a single point-in-time report, and the moment the partner who understood your business walks out, the institutional knowledge walks with them. An internal spreadsheet drifts away from the regulation and won't survive scrutiny from a notified body. Neither gives you something you can re-run, defend, and improve against quarter after quarter.
And CRA compliance is not a one-off. It is a multi-year programme that has to be owned, evidenced, and demonstrably improving — because when a regulator or notified body asks "prove it," very few manufacturers will be perfect on day one. What earns credit is a disciplined, evidence-backed programme and a clear trajectory of closing the gap.
A defensible CRA programme your team owns
CyberAssure replaces the consultant engagement with a platform your own team runs. Every question is mapped to the precise CRA Article and Annex it tests; every answer pairs a self-assessment with an independent reviewer conclusion and an evidence-confidence rating; and every gap arrives referenced, prioritised, and ready to assign. The result is the thing the regulation actually rewards: a defensible baseline, a CRA-cited remediation plan, and a ten-year audit trail — at a fraction of external consulting cost, with the expertise building inside your organisation instead of leaving with a contract. It runs entirely on your own machine; nothing is ever uploaded to CyberAssure.
The CRA works at two levels — so the platform does too
Here is the one structural thing that shapes everything: the CRA imposes two distinct kinds of duty. Some apply once, to the organisation — governance, vulnerability handling, incident reporting, supply-chain due diligence. Others apply to every individual product and gate its CE marking — the Annex I essential requirements, technical documentation and Declaration of Conformity. One organisational assessment sits above many product assessments. Neither half alone demonstrates compliance: strong governance does not stop a non-conformant product reaching the market, and one conformant product does not prove the organisation can sustain the programme across its range. CyberAssure covers both.
One organisational assessment sits above many product assessments — different objectives, one compliance picture.
Two assessments. One platform.
Most organisations start with organisational readiness to stand up credible governance and a defensible baseline, then layer the product-level work on top.
Tool 1 · Start here
CRA Organisational Readiness Assessment
Process-level duties that apply once to the organisation — governance, risk management, vulnerability handling, incident reporting, supply-chain due diligence and economic-operator obligations. 100 questions across 12 CRA domains, role-adaptive for manufacturers, importers, distributors, authorised representatives and open-source software stewards. Produces a readiness score, a CRA-referenced gap register and a board-ready remediation roadmap.
Tool 2
CRA Product Compliance Assessment
Product-level duties that apply to every product and gate CE marking — Annex I/II essential requirements, technical documentation and conformity. 136 questions across 9 domains, with a classification engine, binary essential-requirement scoring that flags conformity blockers, multi-product portfolio reporting and a draft EU Declaration of Conformity. Run one product or manage the whole portfolio.
The two assessments answer different questions, cover different scope, and rest on different parts of the regulation.
Criterion | Organisational Readiness | Product Compliance
Unit assessed | The organisation — one assessment | Each product — a portfolio of assessments
Core question | Is the business set up to comply? | Can this product reach the EU market?
Scope | Governance, processes & QMS duties | Annex I/II essential requirements, technical docs
Headline outcome | Readiness % and a gap register | Per-product CE-readiness & conformity blockers
Scale | 100 questions · 12 domains | 136 questions · 9 domains, per product
Main CRA basis | Articles 13, 14, 18–21, 24 | Annex I/II, Annex VII, Articles 24–28
Both share the same foundations — per-question evidence, an independent reviewer workflow, evidence-validated scoring, a ten-year audit trail, optional AI on your own Anthropic key, and 100% local execution with nothing uploaded to CyberAssure.
A shared foundation
Whichever you start with, both assessments are built on the same principles.
Evidence-Validated & Independently Reviewed
Every answer pairs a self-assessment with an independent reviewer conclusion and a None/Weak/Partial/Strong evidence-confidence rating — turning self-assessment into a defensible position a notified body can scrutinise.
Mapped to the CRA, Citation by Citation
Every question cites the precise CRA Article and Annex it addresses, and every gap arrives referenced — so remediation traces straight back to the regulation, and a Coverage Map shows exactly which provisions you cover.
Your Data, On Your Machine
Both tools run locally and work fully offline — nothing is ever uploaded to CyberAssure. Optional AI uses your own Anthropic Claude API key and can be disabled site-wide for regulated environments.
A Living Programme, Not a One-Off Report
Re-run period over period to evidence improvement, track every gap to closure in an Action Register, and retain the full audit trail for the CRA's ten-year period — owned in-house, not rented from a consultant.
Pricing
The organisational assessment is licensed per entity; the product assessment per product — both per year, with portfolio pricing for multiple products. No per-seat fees, no usage metering, and nothing hosted off your device. Talk to us about combined suite pricing for the full programme.
The CRA imposes two distinct duties. Some apply once, to the organisation — governance, vulnerability handling, incident reporting. Others apply to every product and gate its CE marking — the Annex I essential requirements and Declaration of Conformity. Neither half alone demonstrates compliance, so most manufacturers need both.
Which should we start with?
Most organisations begin with the organisational readiness assessment to stand up credible governance and a defensible baseline, then layer the product-level assessments on top, one product at a time.
If we enable AI, what data is sent — and to whom?
AI is off by default in both tools. When enabled, requests go directly from your browser to Anthropic using your own API key — never through CyberAssure's servers, and nothing is stored by us. AI can be disabled entirely for regulated environments.
Does our data leave our device?
No. Both assessments run entirely in your browser; your answers and evidence stay on your own device and are never uploaded to CyberAssure.
Most organisations begin with the organisational assessment to stand up credible governance and a defensible baseline, then layer the product-level work on top. Get in touch and we'll help you scope the right starting point.
The EU Cyber Resilience Act: What Manufacturers Need to Do Before December 2027
A plain-language guide to the CRA's enforcement timeline, product classification categories, essential requirements under Annex I, vulnerability reporting obligations, and conformity assessment pathways.