Cyber Resilience Act (CRA)

From December 2027, all products with digital elements sold in the EU must meet CRA cybersecurity requirements. Refracted helps you assess gaps, implement secure development practices, and prepare for CE marking.

What is the Cyber Resilience Act?

The CRA is an EU regulation that makes cybersecurity mandatory for products with digital elements – hardware, software, IoT, and OT. It covers the entire product lifecycle, from design to end‑of‑life.

Why the CRA Matters

  1. Keep selling your products in the EU
    Products must meet CRA security requirements and carry the CE mark to stay on the market from December 2027 onwards.
  2. Avoid fines & recalls
    Non‑compliance can lead to fines up to €15M or 2.5% of global revenue.
  3. Build customer trust
    Proof that your product is secure and supported throughout its lifecycle.

Examples of CRA requirements

The CRA may sound legal or abstract, but its requirements translate into simple, concrete actions that keep products secure. Here are everyday situations your team will recognize and how they relate to CRA compliance.

How Refracted works

Assess

We start by mapping out how the CRA applies to your products and your role in the supply chain. You get a clear view of what’s already in place, what’s missing, and which gaps need attention first. This gives you a realistic, prioritized roadmap instead of a long list of abstract requirements.

Fix

Next, we help you implement the improvements that matter most. This includes strengthening essential product security practices, making your development process more resilient, and setting up the practical steps you’ll need for CRA compliance. Everything is tailored to your team’s workflow.

Prove

Finally, we help you put everything into the documentation and evidence needed for CRA compliance. This includes preparing your technical file, improving reporting workflows, and guiding you toward CE‑mark readiness. By the end, you’re compliant, and not just on paper. You’re genuinely prepared for the 2026 and 2027 requirements.

Who needs to comply?

Hardware, software, IoT and connected device producers are responsible for secure design, vulnerability handling and full lifecycle support.

Any software product or service with network connectivity, even indirectly, must meet CRA’s security and transparency obligations.

Organizations that bring products into the EU or distribute them must verify documentation, CE‑marking and CRA compliance before products are sold.

Open‑source components offered commercially or used within commercial products must meet CRA requirements.

Refracted's CRA Services overview

1. CRA Readiness Scan

The CRA Readiness Scan gives you a quick understanding of how the CRA applies to your product, what gaps you have today, and what timeline makes sense for you. You also receive access to our free CRA self‑assessment tool to get an immediate first impression of your compliance level.

2. Practical Security Improvements

We help you implement the key security requirements of the CRA in a straightforward, team‑friendly way. This includes improving your product’s basic security posture, strengthening development and release workflows, and setting up a solid approach for handling updates and vulnerabilities.

3. Documentation & CE‑Mark Support

We guide you through the required documentation, explain exactly what needs to go into your technical file, and help you understand when self‑assessment is allowed and when a notified body is needed. We also support you in preparing for CE marking under the CRA so your product can remain on the EU market.

4. Ongoing support

The CRA introduces strict operational duties from 2026 onwards, including 24‑hour vulnerability reporting and timely security updates. We help you set up these processes now, so you’re ready well before the deadlines take effect.

Why choose Refracted?

Part of the CRA‑AI Consortium

Refracted Security is a proud member of the CRA‑AI Consortium, a European initiative developing an automated platform that helps organizations — especially SMEs — navigate the process of achieving CE‑marking and complying with the Cyber Resilience Act. Working alongside leading cybersecurity partners across Europe, we contribute our technical expertise to make CRA compliance clearer, more efficient and more accessible for businesses of all sizes.

Ready to get started?


Siebe De Roovere

Book a free CRA consultation — we’ll map out your first steps in 30 minutes.

 

Give your security a boost

Schedule a call with our digital security experts. We check your security so you can protect your company.
Because you deserve to feel confident and safe in a digital world.
