
CRA Compliance Pressure on Manufacturing Companies
EU Cyber Resilience Act: reporting obligations from September 2026, full compliance from December 2027
The EU Cyber Resilience Act affects every manufacturer of products with digital elements — software, hardware, IoT, embedded systems. Reporting obligations take effect from September 2026: actively exploited vulnerabilities must be reported to ENISA within 24 hours. Most manufacturing companies lack DevSecOps expertise internally. Krafteq implements the technical controls — SBOM pipelines, vulnerability management, incident reporting workflows — directly in your CI/CD infrastructure.
CRA self-assessment conducted internally. SBOM generation (CycloneDX 1.6) and gap analysis against Annex I/II documented.
Challenges: Why the CRA puts manufacturers under pressure
The EU Cyber Resilience Act is not abstract regulation — it concretely affects the software delivery processes and products of manufacturers. The requirements are technical, the deadlines binding, and the penalties severe. Most companies face an engineering problem they cannot solve internally.
- 24-hour reporting — without a workflow
  From September 2026, actively exploited vulnerabilities must be reported to the ENISA Single Reporting Platform within 24 hours. Without a defined incident reporting workflow, escalation chains, and templates, this deadline is impossible to meet.
- 48% of security leaders are behind on SBOMs
  The CRA requires SBOMs in machine-readable format — CycloneDX or SPDX. Yet nearly half of companies have no automated SBOM generation. Without dependency tracking, you don't know which components are in your software and what vulnerabilities they bring.
- No vulnerability management across the lifecycle
  The CRA requires vulnerability handling throughout the entire product support period. Without automated scanning, risk-based prioritization, and defined remediation SLAs, this is not achievable.
- Missing secure development lifecycle
  Cybersecurity risk assessment before market launch is a CRA obligation. Yet security gates in the pipeline — SAST, DAST, secrets detection — are missing at most companies. The SDLC is not demonstrably secure.
- Supply chain effect creates pressure from all sides
  Not only your product must be CRA-compliant — your procurement department will also demand CRA compliance from suppliers, and your customers will demand it from you. Those who can't deliver risk exclusion from supply chains.
Our Approach: Engineering, not compliance theater
Krafteq is a technical implementation partner, not a compliance consultant. We build the technical controls and processes that the CRA requires — directly in your existing CI/CD infrastructure. Large consultancies deliver compliance PowerPoints. We implement the how: SBOMs, secure pipelines, vulnerability management, incident reporting automation.
CRA compliance as code: SBOM generation (CycloneDX/SPDX) as an automatic pipeline step. Vulnerability scanning at every build. Security gates that catch vulnerabilities before release. Incident reporting workflows with defined escalation chains. Technical documentation per Annex II/VII, auto-assembled where possible.
Knowledge transfer instead of dependency: we empower your team to operate DevSecOps independently. Pair working, documented processes, and handover workshops ensure the expertise stays with you. Alternatively, we handle monitoring and SBOM updates as a managed service.
Process: Four steps to CRA compliance
Our approach is structured and delivers standalone results at every step. So you can see progress at any point and measure the value.
- CRA Technical Assessment (Day 1–3)
  Gap analysis of your SDLC, CI/CD, and dependency management processes against CRA Annex I. Scope determination: Default, Important Class I/II, or Critical. Prioritized roadmap with concrete actions and timeline.
  Clarity about your CRA scope and the most critical action areas
- SBOM and Vulnerability Management (Week 1–2)
  SBOM generation (CycloneDX/SPDX) as an automatic pipeline step. Vulnerability scanning in CI/CD. Risk-based prioritization with defined remediation SLAs: Critical 24h, High 7d, Medium 30d, Low 90d.
  Automated SBOM generation and vulnerability tracking per release
- Incident Reporting and Secure SDLC (Week 2–4)
  24h/72h/14d reporting workflow for ENISA. Security gates: SAST, DAST, secrets detection. Coordinated vulnerability disclosure. Technical documentation per Annex II/VII.
  Reporting-obligation-ready and demonstrably secure development process
- Handover or Managed Service (Week 3–4)
  Your choice: Krafteq handles ongoing monitoring and SBOM updates as a managed service. Or: handover to your team with documented processes, runbooks, and workshops.
  Sustainable CRA compliance — internally or through Krafteq
Services: What Krafteq implements for CRA compliance
We implement the technical controls directly in your pipeline — no manual compliance management, but automated processes.
SBOM Generation
CycloneDX and SPDX as an automatic CI/CD step. Versioned SBOMs per release. Dependency tracking and vulnerability monitoring across the entire product lifecycle.
Vulnerability Management
Automated scanning: containers, dependencies, code. Risk-based prioritization with CVSS, EPSS, and reachability. Defined remediation SLAs.
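The remediation SLAs named in the process step above (Critical 24h, High 7d, Medium 30d, Low 90d) and the CVSS/EPSS/reachability prioritization described here are easiest to understand as a pipeline gate. The following is an added example, not Krafteq's tooling: it takes a constructed, simplified CycloneDX-1.6-style vulnerability list, derives an effective severity (CVSS band, bumped one level when EPSS is high or the component is reachable; that bump rule is an assumption for the example), computes each finding's deadline, and fails the build if anything is overdue. The `detected` key, the `epss`/`reachable` property names and the `EXAMPLE-…` ids are placeholders.

```python
"""Release gate for CRA-style vulnerability handling (added example, not Krafteq's tooling).

Reads a simplified, constructed CycloneDX-1.6-like vulnerability list, assigns an
effective severity from CVSS with an EPSS / reachability bump, maps it to the
remediation SLA named on the page (Critical 24h, High 7d, Medium 30d, Low 90d)
and fails the gate when any finding is past its deadline.
"""
from datetime import datetime, timedelta, timezone

# Remediation SLAs as stated on the page.
SLA = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample input. The shape follows CycloneDX "vulnerabilities" entries
# (ratings / affects / properties); "detected" and the property names "epss" and
# "reachable" are assumptions for this example, and the ids are placeholders.
SAMPLE_VULNERABILITIES = [
    {"id": "EXAMPLE-0001", "ratings": [{"score": 9.8, "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}],
     "properties": [{"name": "epss", "value": "0.92"}, {"name": "reachable", "value": "true"}],
     "detected": "2026-09-01T08:00:00Z"},
    {"id": "EXAMPLE-0002", "ratings": [{"score": 7.5, "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:maven/org.example/parser@2.0.0"}],
     "properties": [{"name": "epss", "value": "0.02"}, {"name": "reachable", "value": "false"}],
     "detected": "2026-09-01T08:00:00Z"},
    {"id": "EXAMPLE-0003", "ratings": [{"score": 5.0, "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:pypi/example-tool@0.9.1"}],
     "properties": [{"name": "epss", "value": "0.50"}, {"name": "reachable", "value": "false"}],
     "detected": "2026-08-20T08:00:00Z"},
    {"id": "EXAMPLE-0004", "ratings": [{"score": 3.1, "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:golang/example.org/util@1.0.0"}],
     "properties": [{"name": "epss", "value": "0.01"}, {"name": "reachable", "value": "false"}],
     "detected": "2026-08-01T08:00:00Z"},
]
# Fixed "now" so the example is reproducible (constructed).
NOW = datetime(2026, 9, 3, 0, 0, tzinfo=timezone.utc)


def cvss_band(score: float) -> str:
    """CVSS v3.1 qualitative severity scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prop(finding: dict, name: str, default: str) -> str:
    """Read a CycloneDX-style name/value property, or the default if absent."""
    for p in finding.get("properties", []):
        if p.get("name") == name:
            return p.get("value", default)
    return default


def effective_severity(finding: dict, epss_threshold: float = 0.1) -> str:
    """Base band from the highest CVSS rating, bumped one level when the finding is
    likely to be exploited (EPSS >= threshold) or reachable from the product's code.
    The one-level bump is an assumed rule for this example, not a CRA requirement."""
    base = cvss_band(max(r["score"] for r in finding["ratings"]))
    epss = float(prop(finding, "epss", "0"))
    reachable = prop(finding, "reachable", "false").lower() == "true"
    idx = SEVERITY_ORDER.index(base)
    if (epss >= epss_threshold or reachable) and idx < len(SEVERITY_ORDER) - 1:
        idx += 1
    return SEVERITY_ORDER[idx]


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; the 'Z' suffix is mapped for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def deadline(finding: dict) -> datetime:
    """Detection time plus the SLA window for the finding's effective severity."""
    return parse_ts(finding["detected"]) + SLA[effective_severity(finding)]


def gate(findings: list, now: datetime) -> dict:
    """Return a verdict the pipeline can act on: overdue finding ids and pass/fail."""
    overdue = [f["id"] for f in findings if deadline(f) < now]
    return {"passed": not overdue, "overdue": overdue, "evaluated": len(findings)}


if __name__ == "__main__":
    for f in SAMPLE_VULNERABILITIES:
        print(f["id"], effective_severity(f), "due", deadline(f).isoformat())
    verdict = gate(SAMPLE_VULNERABILITIES, NOW)
    print(verdict)
    raise SystemExit(0 if verdict["passed"] else 1)
```

Run as a script it exits non-zero when a finding is overdue, which is what a CI job needs to block a release. In the sample data, EXAMPLE-0003 is only CVSS "medium", but its EPSS score lifts it to "high", so its 7-day window has already lapsed; with a CVSS-only policy it would still have 16 days of its 30-day window left. That is the practical difference that EPSS and reachability make to the SLA a finding is held to.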
Incident Reporting
24h/72h/14d reporting workflow for ENISA Single Reporting Platform. Escalation chains, templates, approval gates.
Secure Development Lifecycle
Security gates in the pipeline: SAST, DAST, secrets detection. Secure-by-default configurations. Demonstrable cybersecurity risk assessment.
Coordinated Vulnerability Disclosure
security.txt, disclosure policy, intake forms, triage workflow, advisory publishing. CRA-compliant and practical.
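A security.txt file is only useful to a reporter if it is well-formed and current, so a check belongs in the same pipeline that publishes it. The following validator is an added example, not Krafteq's tooling; it enforces the RFC 9116 rules that matter most in practice (at least one Contact that is a URI, exactly one Expires in RFC 3339 form that is in the future and no more than a year ahead, Preferred-Languages at most once). The two sample files and the `example.com` domain are constructed.

```python
"""Validator for a security.txt file against the RFC 9116 rules this example checks
(added example, not Krafteq's tooling): at least one Contact with a URI scheme,
exactly one Expires in RFC 3339 form that lies in the future and not more than a
year ahead, and at most one Preferred-Languages field."""
import re
from datetime import datetime, timedelta, timezone

# A URI scheme per RFC 3986: letter, then letters/digits/+/./-, then ':'.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

# Constructed sample files; example.com is a placeholder domain.
GOOD_SECURITY_TXT = """\
# Constructed example /.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""
BAD_SECURITY_TXT = """\
Contact: security@example.com
Preferred-Languages: en
Preferred-Languages: de
"""
NOW = datetime(2026, 9, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility


def parse_security_txt(text: str) -> dict:
    """Map lower-cased field names to the list of their values, in file order.
    Blank lines and '#' comments are skipped; a line without ':' is ignored."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime) -> list:
    """Return a list of problems; an empty list means the file passed these checks."""
    fields = parse_security_txt(text)
    problems = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact: at least one Contact field is required")
    for c in contacts:
        if not SCHEME_RE.match(c):
            problems.append(f"Contact: value is not a URI with a scheme: {c!r}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires: exactly one field required, found {len(expires)}")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires: not an RFC 3339 date-time: {expires[0]!r}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires: date-time must carry a time zone")
            elif exp <= now:
                problems.append(f"Expires: file has expired ({expires[0]})")
            elif exp > now + timedelta(days=365):
                problems.append("Expires: more than a year ahead; RFC 9116 recommends at most a year")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages: must not appear more than once")
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(doc, NOW) or "OK")
```

Wire `validate_security_txt` into the job that deploys the file and fail the job on a non-empty result; because Expires is checked against the current date, the same job also catches the common failure of a file that was valid when written and has since silently expired.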
CRA Documentation
Technical documentation per Annex II/VII — auto-assembled from pipeline artifacts and git history. Post-market monitoring processes.
Results: Why companies choose Krafteq for CRA compliance
CRA Compliance Pressure on Manufacturing Companies — let's tackle it
Let us discuss how we can solve this challenge for your organization.
“CRA compliance is an engineering problem, not a paper problem. SBOMs, secure pipelines, vulnerability management — this happens in the CI/CD pipeline, not in compliance departments. That's exactly why manufacturers need an engineering partner.”