
DevSecOps & CRA Compliance
CRA compliance as technical reality — not a paper tiger
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force in December 2024; its reporting obligations apply from 11 September 2026 and the remaining obligations from 11 December 2027. Reporting obligations, SBOMs, vulnerability management: most manufacturing companies lack the DevSecOps expertise to implement this technically. Krafteq implements the technical controls and processes directly in your existing CI/CD infrastructure. No compliance theater, but engineering: SBOM generation, vulnerability management, and secure development lifecycle as code.
CRA self-assessment conducted internally. SBOM generation (CycloneDX 1.6) and gap analysis against Annex I/II documented — hands-on experience.
Challenges: Why the CRA poses an engineering problem for manufacturers
The EU Cyber Resilience Act affects every manufacturer of products with digital elements on the EU market. The requirements are technical — SBOMs, vulnerability handling, incident reporting — yet most companies lack DevSecOps expertise internally.
Reporting obligations from September 2026
An actively exploited vulnerability in a product must be reported through the ENISA single reporting platform, to the national CSIRT designated as coordinator and to ENISA: an early warning within 24 hours of becoming aware of it, a vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. Without a defined incident reporting workflow and escalation chains, this is practically impossible.
No SBOM processes in place
48% of security leaders are behind on SBOM standards. Machine-readable SBOMs are a CRA obligation, yet few CI/CD pipelines generate them automatically per release.
Vulnerability management is missing
Without automated scanning and risk-based prioritization, vulnerabilities go undetected. The CRA requires vulnerability handling throughout the entire support period.
No secure development lifecycle
Security gates in the pipeline — SAST, DAST, secrets detection — are not implemented at many companies. The CRA requires demonstrable cybersecurity risk assessment before market launch.
Missing CRA documentation
Technical documentation per Annex VII, user information and instructions per Annex II, and vulnerability handling across the entire support period (Annex I, Part II) require structured processes. Manual approaches don't scale.
Supply chain pressure from all sides
Suppliers must also demonstrate CRA compliance. Procurement departments increasingly demand SBOMs and security evidence — those who can't deliver get dropped from supply chains.
Delivery Models: Three paths to CRA compliance — you decide
Krafteq is a technical implementation partner, not a compliance consultant. We build the technical controls and processes. The delivery model adapts to your needs and timeline pressure.
CRA Sprint — project-based entry
2–4 weeks of intensive assessment and implementation of the most critical gaps. Ideal as a starting point: you receive a gap analysis against CRA Annex I, a prioritized roadmap, and the first technical controls in your pipeline.
Managed Service — ongoing compliance
Continuous vulnerability monitoring, SBOM updates with every release, and incident response support as a subscription. Krafteq ensures your compliance processes stay current — even as requirements evolve.
Team Enablement — build internal expertise
Krafteq engineers work alongside your team, transfer DevSecOps knowledge, and build internal capabilities. The goal: your team is empowered, not made dependent.
SBOM integration into the pipeline
CycloneDX or SPDX generation as an automatic pipeline step. Versioned SBOMs per release. Dependency tracking and vulnerability monitoring — all integrated into your existing CI/CD infrastructure.
Incident reporting workflow
Implementation of the 24h/72h/14d reporting workflow for the ENISA Single Reporting Platform. Escalation chains, templates, approval gates — so your organization can act decisively when incidents occur.
Coordinated Vulnerability Disclosure
security.txt, public disclosure policy, intake forms, triage workflow, and advisory publishing. CRA-compliant and practical.
Process: How we make your delivery pipeline CRA-ready
Our approach follows a clear structure. Each step delivers standalone results and brings you closer to CRA compliance.
- CRA Technical Assessment (Day 1–3)
Gap analysis of existing SDLC, CI/CD, and dependency management processes against CRA Annex I requirements. Scope determination (Default / Important Class I / II / Critical). You receive a prioritized roadmap with concrete actions.
Clarity about your CRA scope and the most critical gaps
- SBOM and Vulnerability Management (Week 1–2)
Implement CycloneDX/SPDX generation as a pipeline step. Set up automated vulnerability scanning in CI/CD. Risk-based prioritization with defined remediation SLAs: Critical 24h, High 7d, Medium 30d, Low 90d.
Automatic SBOM generation and vulnerability tracking per release
- Incident Reporting and Secure SDLC (Week 2–4)
Implement the 24h/72h/14d reporting workflow. Security gates in the pipeline: SAST, DAST, secrets detection. Set up coordinated vulnerability disclosure. Technical documentation per Annex VII and user information per Annex II, auto-assembled where possible.
Reporting-obligation-ready and demonstrably secure development process
- Handover and Ongoing Operations (Week 3–4)
With managed service, Krafteq handles ongoing monitoring and SBOM updates. For projects and enablement, we hand over to your team — with documented processes, runbooks, and handover workshops.
Sustainable CRA compliance — internally or through Krafteq
Services: What DevSecOps & CRA Compliance covers
We implement the technical controls and processes that the CRA requires — directly in your existing infrastructure. Engineering, not paper.
SBOM Generation
CycloneDX and SPDX generation as an automatic CI/CD pipeline step. Versioned SBOMs per release. Dependency tracking and vulnerability monitoring across the entire product lifecycle.
Vulnerability Management
Automated scanning in CI/CD: containers, dependencies, code. Risk-based prioritization with CVSS, EPSS, and reachability analysis. Defined remediation SLAs for each severity level.
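As an added worked example (not Krafteq's own tooling), the following Python script shows the gate that the SBOM and vulnerability management steps above describe in one piece: it validates a CycloneDX SBOM, matches its components by purl against advisory records, ranks each finding using CVSS, EPSS, reachability and an actively-exploited flag, assigns the remediation SLAs stated on this page (Critical 24h, High 7d, Medium 30d, Low 90d) and fails the build when a deadline has passed. The SBOM, the advisory records (a stand-in for an OSV/NVD lookup), the reachability results and the advisory identifiers are all constructed for the example; the tier adjustments (EPSS at or above 0.10 raises one tier, unreachable code lowers one tier, a KEV listing is always Critical) are a sample policy, not a CRA requirement.

```python
"""SBOM-driven vulnerability gate for CI (added example; sample policy, constructed data)."""
import json
from datetime import datetime, timedelta

TIERS = ["Low", "Medium", "High", "Critical"]
# Remediation SLAs from the policy on this page.
SLA = {"Critical": timedelta(hours=24), "High": timedelta(days=7),
       "Medium": timedelta(days=30), "Low": timedelta(days=90)}

# Constructed CycloneDX 1.6 SBOM for a fictional product; one component lacks a purl on purpose.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "acme-gateway", "version": "2.4.0"}},
  "components": [
    {"type": "library", "name": "acme-modbus", "version": "1.2.3", "purl": "pkg:generic/acme-modbus@1.2.3"},
    {"type": "library", "name": "acme-config", "version": "0.9.1", "purl": "pkg:pypi/acme-config@0.9.1"},
    {"type": "library", "name": "acme-mqtt", "version": "3.0.0"}
  ]
}"""

# Constructed advisory records standing in for a feed lookup (OSV/NVD) plus EPSS and KEV data.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "purl": "pkg:generic/acme-modbus@1.2.3", "cvss": 9.8, "epss": 0.42, "kev": True},
    {"id": "ADV-EXAMPLE-2", "purl": "pkg:pypi/acme-config@0.9.1", "cvss": 7.5, "epss": 0.02, "kev": False},
    {"id": "ADV-EXAMPLE-3", "purl": "pkg:pypi/acme-config@0.9.1", "cvss": 5.3, "epss": 0.01, "kev": False},
]
# Constructed reachability results (e.g. from a call-graph scan); unknown advisories count as reachable.
REACHABLE = {"ADV-EXAMPLE-1": True, "ADV-EXAMPLE-2": False, "ADV-EXAMPLE-3": True}


def validate_sbom(sbom):
    """bomFormat/specVersion are mandatory in CycloneDX; serialNumber and a purl per
    component are this gate's own policy so releases can be traced and matched."""
    issues = []
    for field in ("bomFormat", "specVersion", "serialNumber", "components"):
        if field not in sbom:
            issues.append(f"missing required field: {field}")
    for comp in sbom.get("components", []):
        if not comp.get("purl"):
            issues.append(f"component without purl: {comp.get('name')}@{comp.get('version')}")
    return issues


def base_tier(cvss):
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def prioritize(adv, reachable):
    """Risk-based tier: CVSS baseline, EPSS and reachability adjust it, KEV overrides."""
    if adv["kev"]:
        return "Critical"                     # actively exploited: top tier regardless of score
    idx = TIERS.index(base_tier(adv["cvss"]))
    if adv["epss"] >= 0.10:
        idx = min(idx + 1, len(TIERS) - 1)    # likely to be exploited soon: raise one tier
    if not reachable:
        idx = max(idx - 1, 0)                 # vulnerable code not reachable: lower one tier
    return TIERS[idx]


def match_findings(sbom, advisories, reachable):
    """Join advisories to SBOM components by purl; every match becomes a finding."""
    purls = {c["purl"] for c in sbom.get("components", []) if c.get("purl")}
    return [{"id": a["id"], "purl": a["purl"], "tier": prioritize(a, reachable.get(a["id"], True))}
            for a in advisories if a["purl"] in purls]


def evaluate_gate(sbom_json, advisories, reachable, first_seen_iso, now_iso):
    """Gate decision: fail on a structurally unusable SBOM or any finding past its SLA."""
    first_seen, now = datetime.fromisoformat(first_seen_iso), datetime.fromisoformat(now_iso)
    sbom = json.loads(sbom_json)
    issues = validate_sbom(sbom)
    findings = match_findings(sbom, advisories, reachable)
    overdue = []
    for f in findings:
        due = first_seen + SLA[f["tier"]]
        f["due"] = due.isoformat()
        if now > due:
            overdue.append(f["id"])
    passed = not overdue and not any(i.startswith("missing") for i in issues)
    return {"passed": passed, "issues": issues, "findings": findings, "overdue": overdue}


if __name__ == "__main__":
    result = evaluate_gate(SBOM_JSON, ADVISORIES, REACHABLE,
                           "2026-09-11T08:00:00+00:00", "2026-09-13T08:00:00+00:00")
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["passed"] else 1)
```

A component without a purl is reported but does not block the build, because it cannot be matched against any feed and would otherwise hide as a false "clean"; a missing mandatory SBOM field does block, since the artifact could not be handed to a customer or auditor. `first_seen` is the timestamp the finding was first recorded for this product, not the advisory's publication date, so the SLA clock measures your own response time.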
Incident Reporting Workflow
Implementation of the CRA-compliant 24h/72h/14d reporting workflow for the ENISA Single Reporting Platform. Escalation chains, templates, and approval gates.
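As an added example (not Krafteq's workflow code) of the clock that the 24h/72h/14d workflow has to track, the Python below computes the three deadlines from the moment of awareness, treats the 14-day final-report clock as starting only once a corrective or mitigating measure is available (Article 14(2)(c) CRA; until then the stage is reported as waiting), flags a stage submitted after its deadline, and derives an escalation target from the state of the stages. The case record and timestamps are constructed; the escalation tiers (management, on-call lead, product security team) and the four-hour paging threshold are assumed internal values, not CRA figures.

```python
"""Deadline tracker for the CRA 24h/72h/14d vulnerability reporting workflow (added example)."""
from datetime import datetime, timedelta

EARLY_WARNING = timedelta(hours=24)   # from becoming aware of the actively exploited vulnerability
NOTIFICATION = timedelta(hours=72)    # from becoming aware
FINAL_REPORT = timedelta(days=14)     # from the availability of a corrective or mitigating measure
PAGE_ONCALL_WITHIN_HOURS = 4          # assumed internal threshold, not a CRA figure


def _parse(iso):
    return datetime.fromisoformat(iso) if iso else None


def reporting_deadlines(aware_iso, fix_available_iso=None):
    """Return the due timestamp per stage; the final report has no deadline until a fix exists."""
    aware = _parse(aware_iso)
    fix = _parse(fix_available_iso)
    due = {
        "early_warning": aware + EARLY_WARNING,
        "notification": aware + NOTIFICATION,
        "final_report": fix + FINAL_REPORT if fix else None,
    }
    return {stage: (t.isoformat() if t else None) for stage, t in due.items()}


def reporting_status(case, now_iso):
    """case: {'aware': iso, 'fix_available': iso|absent, 'submitted': {stage: iso}} (constructed shape)."""
    now = _parse(now_iso)
    submitted = case.get("submitted", {})
    status = {}
    for stage, due_iso in reporting_deadlines(case["aware"], case.get("fix_available")).items():
        if due_iso is None:
            status[stage] = {"due": None, "state": "waiting for fix"}
            continue
        due = _parse(due_iso)
        if stage in submitted:
            state = "submitted" if _parse(submitted[stage]) <= due else "submitted late"
        elif now > due:
            state = "overdue"
        else:
            state = "open"
        status[stage] = {"due": due_iso, "state": state,
                         "hours_left": round((due - now).total_seconds() / 3600, 1)}
    return status


def escalation_target(status):
    """Escalation chain: a missed legal deadline goes to management, an imminent one pages
    the on-call lead, otherwise the product security team owns the case."""
    if any(s["state"] == "overdue" for s in status.values()):
        return "management"
    if any(s["state"] == "open" and s["hours_left"] <= PAGE_ONCALL_WITHIN_HOURS
           for s in status.values()):
        return "on-call lead"
    return "product security team"


if __name__ == "__main__":
    # Constructed case: aware on 14 Sep 2026 10:00 UTC, early warning sent the same evening.
    case = {"aware": "2026-09-14T10:00:00+00:00",
            "submitted": {"early_warning": "2026-09-14T20:00:00+00:00"}}
    status = reporting_status(case, "2026-09-15T16:00:00+00:00")
    for stage, s in status.items():
        print(f"{stage:14} {s['state']:16} due {s['due']}")
    print("escalate to:", escalation_target(status))
```

The awareness timestamp is the input that most often gets disputed afterwards, so it should be written once by the intake workflow (ticket creation, not the first engineer's estimate) and never edited; the 24-hour clock runs from it regardless of weekends.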
Secure Development Lifecycle
Security gates in the pipeline: SAST, DAST, secrets detection. Secure-by-default configurations. Documented development and vulnerability handling processes for the CRA technical documentation (Annex VII).
Coordinated Vulnerability Disclosure
security.txt, public disclosure policy, intake forms, triage workflow, and advisory publishing. Everything the CRA requires for handling reported vulnerabilities.
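As an added example, not code from Krafteq or this page, here is a validator for the security.txt part of the CVD setup, checking the rules of RFC 9116 that matter most in practice: Contact and Expires are mandatory, Expires and Preferred-Languages may appear only once, an Expires in the past makes the file stale, and Canonical should list the URL the file is actually served from. The sample file and the example.com URLs are constructed; restricting URI fields to https, mailto and tel is this validator's policy (the RFC requires web URIs to be https), and the one-year horizon is the RFC's recommendation, reported here as a finding.

```python
"""Validator for a security.txt file (RFC 9116) as part of a CVD setup (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample file; example.com is a placeholder, not a real disclosure contact.
SECURITY_TXT = """# Vulnerability disclosure contact (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-03-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
"""

REQUIRED = {"Contact", "Expires"}                      # RFC 9116: both mandatory
SINGLETON = {"Expires", "Preferred-Languages"}         # RFC 9116: at most one occurrence
URI_FIELDS = {"Contact", "Encryption", "Canonical", "Policy", "Acknowledgments", "Hiring", "CSAF"}
# Validator policy: accept https, mailto and tel URIs (the RFC requires web URIs to be https).
URI_OK = re.compile(r"^(https://|mailto:|tel:)\S+$")


def parse_security_txt(text):
    """Map each field name to the list of its values; comments and blank lines are skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now_iso, served_url=None):
    """Return a list of problems; an empty list means the file passes this validator."""
    problems = []
    fields = parse_security_txt(text)
    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field {name}")
    for name in sorted(SINGLETON & set(fields)):
        if len(fields[name]) > 1:
            problems.append(f"{name} must appear at most once")
    for name in sorted(URI_FIELDS & set(fields)):
        for value in fields[name]:
            if not URI_OK.match(value):
                problems.append(f"{name} is not an https/mailto/tel URI: {value}")
    if len(fields.get("Expires", [])) == 1:
        now = datetime.fromisoformat(now_iso)
        try:
            expires = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an RFC 3339 timestamp")
        else:
            if expires <= now:
                problems.append("Expires is in the past: the file must be treated as stale")
            elif expires > now + timedelta(days=365):
                problems.append("Expires is more than a year ahead (RFC 9116 recommends less)")
    if served_url and "Canonical" in fields and served_url not in fields["Canonical"]:
        problems.append(f"served URL {served_url} is not listed in Canonical")
    return problems


if __name__ == "__main__":
    for p in validate_security_txt(SECURITY_TXT, "2026-09-01T00:00:00+00:00",
                                   "https://example.com/.well-known/security.txt") or ["OK"]:
        print(p)
```

`served_url` is the URL the file was fetched from, so a copy mirrored under another host is caught by the Canonical check. The validator only inspects content; that the file is served at /.well-known/security.txt over HTTPS as text/plain is a deployment check, and the Expires finding is the one to put on a calendar, since an expired file tells researchers the disclosure channel may be dead.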
CRA Documentation
Technical documentation per Annex VII and user information per Annex II, auto-assembled from pipeline artifacts, service catalog, and git history where possible. No manual document management.
References: Results that speak for themselves
Internal self-assessment completed
Krafteq conducted and documented the CRA self-assessment process internally. SBOM generation (CycloneDX 1.6), vulnerability scanning, and gap analysis against Annex I/II — hands-on experience, not theory.
Cycle time after pipeline hardening
Security gates integrated into CI/CD pipelines without sacrificing deployment speed. SBOM generation and vulnerability scanning as automatic pipeline steps.
Cloud cost reduction
DevSecOps and cost optimization go hand in hand. Infrastructure hardening and rightsizing at an enterprise client — security and efficiency are not contradictory.
Experience per engineer
Only senior engineers with 10+ years of experience. DevSecOps expertise from practice — CI/CD pipelines, Kubernetes security, compliance automation.
DevSecOps & CRA Compliance — let's talk about it
Let us discuss how we can support your team.
“CRA compliance is not a paper problem — it's an engineering problem. SBOMs, secure pipelines, vulnerability management, incident reporting automation: this is craft that happens in the CI/CD pipeline, not in PowerPoint decks. That's exactly what we build.”