Cyber Resilience Act (CRA)

CRA as a Service – How to make your products secure for the long term

The Cyber Resilience Act requires companies to maintain high cybersecurity standards for products with digital elements – from development through the entire product lifecycle. We’ll guide you smoothly through the compliance process.

What does the Cyber Resilience Act mean for your business?

The Cyber Resilience Act (CRA) affects all manufacturers and suppliers of connected products in the EU.

This means: Without strong security measures, your products may face market restrictions.

What are the most common challenges posed by the CRA?

  • How do I ensure my products comply with Security by Design?
  • What documentation and certification are required?
  • How do I organise regular security updates and vulnerability management?

Our CRA as a service – your path to compliance

  • Step 1: CRA Readiness Check – Where is your organisation today?
  • Step 2: Security Design Integration – Implementing security by design from the outset
  • Step 3: Update and Vulnerability Management – Ongoing security measures
  • Step 4: Certification Support – Documentation, CE Marking & Audits
  • Step 5: Continuous Improvement – Security as a process, not a one-off measure

Take advantage of our expertise and make your products CRA compliant!

How can asvin help to implement the requirements from the Cyber Resilience Act (CRA)?

Software lifecycle management

Device Security Booster™
Fulfill the regulatory requirements for implementing security by design on connected devices, for cybersecurity management, and for serving patches and updates.

Regulatory Guidance

Professional Services
Get guidance on setting up cybersecurity management systems and ensure that the implementation of asvin’s products goes quickly, runs smoothly and remains compliant with regulations for a long time.

Risk Management and Vulnerability

Risk by Context™
Gain a comprehensive understanding of your company’s OT cyber risks and their interconnectedness to prioritize cybersecurity investments and mitigation efforts.

Cyber Resilience Act Directive

What are the main topics of the Cyber Resilience Act?

A key part of the act is maintaining cybersecurity throughout a product’s lifecycle, including a defined support period with security updates. Every player in the supply chain, from manufacturers to distributors, has specific obligations.

  • Cybersecurity has to be included in the planning, design, development, production, delivery, and maintenance process.

  • Conformity assessment – differentiated by level of risk

  • Manufacturers must actively report exploited vulnerabilities and incidents

  • Once a product is sold, you have to make sure that vulnerabilities are fixed for the expected product lifetime or for a timeframe of 5 years (whichever is shorter)

  • Clear and understandable instructions for use of products with digital elements have to be available

  • Security updates must be available for at least 5 years

CRA Readiness Inhouse Workshop

Kick-start your implementation today. To support you in planning and implementing the necessary measures and to anchor the topic of the Cyber Resilience Act in your company, we have developed an in-house workshop for you that will prepare you optimally.

Our workshop offer is primarily aimed at German-speaking companies, and therefore takes place in German. If your company language is English, please contact us.

What is the Cyber Resilience Act (CRA) about?

The Cyber Resilience Act (CRA) developed by the EU Commission defines standards for the cyber security of connected devices and thus improves the cyber security of products. It does not matter whether the products are connected to the Internet, communicate with each other or via internal interfaces. The CRA applies not only to finished end products, but also to all preliminary products and components, in other words, to all components of the hardware supply chain.
The Cyber Resilience Act (CRA) regulations apply not only to manufacturers of products with digital elements, but also to distributors and importers.

What measures need to be implemented?

The Cyber Resilience Act requires the establishment of risk-appropriate cybersecurity measures for affected products in the design, development and production phases, as well as during marketing and use.
The types of actions vary depending on criticality.

Around 90% of the affected products can be checked in a self-assessment, while a third-party assessment should be carried out for Critical Class I devices and must be carried out for Critical Class II devices.

Quickcheck – Are you affected by the CRA?

Take 2 minutes to find out if you, as a manufacturer or distributor, are affected by the Cyber Resilience Act regulations.
