Cyber Resilience Act

CRA lead and implementation partner for product companies selling into Europe

I help product teams selling into Europe prepare for the Cyber Resilience Act when their products are placed on the EU market. I lead the technical workstreams and stay hands-on through implementation across the product lifecycle. Most work is remote, in English or Spanish.

About

I am Joan Romero, a cloud engineer and SRE born in Spain, now based in Oviedo, Asturias. I help product teams with infrastructure, reliability, and cybersecurity-related work.

When I decided to go freelance and start my own business, I began hearing a lot about the Cyber Resilience Act in 2025. I quickly noticed a gap in the market and, after thinking about it for a while, became genuinely interested. Around November to December 2025 I started building CRA Evidence to turn those ideas into something concrete, and in 2026 I took the leap and founded my company, registering it in Spain.

I have focused on turning these regulations into technical reality. Because I understand the workflow of both software and hardware teams, I bridge the gap between legal requirements and the actual engineering work needed to meet them.

Lagos de Covadonga, in the Picos de Europa. Asturias is genuinely one of the greenest places I know, and one of the reasons I am glad to be based here.

Advisory

From regulatory uncertainty to an engineering plan

The Cyber Resilience Act is not only a legal topic. It also affects how teams design product security work, document decisions, handle vulnerabilities, and maintain evidence over the product lifetime.

My role is to lead the technical side and implement what needs to be built. I join the team, take ownership of the CRA workstream, and drive it end-to-end through cloud infrastructure, SRE, evidence pipelines, and vulnerability handling tooling.

Legal advice stays with qualified lawyers. Vulnerability handling processes are designed by me and operated by your team. Everything else I lead and build alongside you.

How I Help

Focused support for CRA readiness and execution

  1. Readiness assessment and gap analysis

    Review current practices against CRA essential requirements, identify gaps, and define a realistic preparation path. Output is a concrete gap report your team can act on.

  2. Technical leadership of CRA workstreams

    Lead a workstream end-to-end inside the client team. This means owning the technical direction, coordinating across engineering and product, and driving the work to completion rather than handing over a document and stepping back.

  3. Implementation support across the product lifecycle

    Hands-on implementation covering cloud infrastructure, SRE practices, evidence pipelines, and vulnerability handling tooling. The work follows the product through design, build, release, and post-market phases.

  4. Vulnerability handling process design

    Design the processes your team will operate: vulnerability intake, triage, remediation decisions, coordinated disclosure, and record-keeping. The design work is mine. Ownership and operation stay with your team.

  5. Coordination with lawyers and conformity assessment bodies

    Work with your legal counsel and, where needed, with notified bodies or conformity assessment bodies. I can help define selection criteria, prepare the technical material they will need, and make introductions where appropriate. The formal choice of lawyer or assessment body stays with you.

CRA Evidence

The tool I built for this work

CRA Evidence is a platform for organizing CRA-related product security evidence: SBOMs, vulnerability records, technical documentation, and compliance workstreams in one place.

Advisory engagements and use of CRA Evidence are separate. Some clients use both. Some use only advisory support without the platform. If you prefer to work with other tooling, or no tooling at all, that does not change the scope or quality of the work.

The connection is disclosed here because it is relevant to how you evaluate the advice you receive.

How Engagements Work

A straightforward process

  1. Discovery call

    Free, 30 to 45 minutes. We cover what your product is, the team structure, current CRA understanding, and the main uncertainty you need to resolve. No preparation required beyond a rough description of your product and market situation.

  2. Readiness assessment or focused workstream

    Remote-first, fixed scope. Work is scoped to the specific problem rather than sold as an open-ended retainer. The output is concrete: a gap report, a documentation structure, a process design, or a set of templates your team can operate.

  3. Ongoing or follow-up support

    Available where needed as the preparation work progresses, regulatory timelines approach, or new obligations come into scope.

Most work is remote. On-site is possible for initial onboarding when the work requires it, with travel covered by the client.

Working with me

Working with Joan

Does Joan provide legal advice?

No. I provide technical and operational advisory on CRA readiness: gap analysis, technical evidence organization, vulnerability handling process design, SBOM workflows, and coordination with legal and conformity assessment parties. Legal interpretation of the regulation, formal compliance opinions, and regulatory submissions require a qualified lawyer. I work alongside legal counsel, not in place of it.

What is the relationship between Joan Romero and CRA Evidence?

I founded CRA Evidence, a Cyber Resilience Act compliance platform. You can work with me without using the platform, and the platform can be adopted independently without my involvement. See the CRA Evidence section above for the full disclosure.

Do you work with companies outside Europe?

Yes. The CRA is an EU regulation, but the practical question is whether your product is placed on the EU market. I can work remotely with international teams that sell into Europe when they need to understand and prepare for CRA obligations connected to European market access.

Can you work with our lawyers and conformity assessment bodies?

Yes. This is covered in detail under How I Help. In short: I translate what lawyers and assessors need into concrete engineering workstreams, prepare the technical documentation and evidence they will review, and coordinate the practical side. I can help you understand what to look for in a lawyer, notified body, or conformity assessment body, and I can make introductions where appropriate. The formal choice and engagement stay with you.

Can you help with an Authorized Representative?

Yes, if your company is outside the EU and the role is relevant to your route to market. An Authorized Representative is an EU-based person or company acting under written mandate from the manufacturer for specific tasks. I can help you understand when that role may be needed, what to ask for, and how it fits alongside your lawyer and any notified body or conformity assessment body. I can also help you build a shortlist or make introductions where appropriate. The formal appointment stays with you.

Can you introduce us to lawyers or notified bodies?

Where appropriate, yes. I can share relevant contacts or help you build a shortlist based on your product type, assessment route, language needs, and jurisdiction. I do not provide legal advice, and I do not decide which lawyer, notified body, or conformity assessment body you should engage. My role is to help you ask better technical questions and prepare the evidence those parties will need.

What should we prepare before contacting you?

A short message is enough. Useful context: what your product is, whether it connects to other devices or networks, which markets you sell into, and the main uncertainty you need to resolve. No compliance program or documentation is required. See the How Engagements Work section for what a first call typically covers.

FAQ

About the Cyber Resilience Act

What is the Cyber Resilience Act?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is an EU regulation that introduces binding cybersecurity requirements for products with digital elements placed on the EU market. It covers both hardware and software that connect to other devices or networks. Manufacturers must meet security requirements during design, development, and the entire supported lifetime of a product, including how they handle vulnerabilities and maintain documentation. The regulation entered into force on 10 December 2024.

When does the CRA apply?

The regulation entered into force on 10 December 2024. Obligations phase in over three years. Vulnerability and incident reporting obligations apply from 11 September 2026. Most other obligations, including conformity assessment, technical documentation, and market access requirements, apply from 11 December 2027. Companies placing products on the EU market, or continuing to make them available after those dates, need to meet the applicable requirements.

Who needs CRA readiness support?

The CRA applies to manufacturers, importers, and distributors of products with digital elements placed on the EU market. A company does not need to be established in Europe for the EU market question to matter. Manufacturers carry the heaviest obligations: security by design, vulnerability handling, technical documentation, conformity assessment, CE marking, and post-market obligations. The regulation divides products into categories. Most products are default class and can follow an internal self-assessment route. Products listed in Annex III are classified as "important" (Class I or Class II) and face stricter conformity requirements. Products listed in Annex IV are classified as "critical" and may need mandatory European cybersecurity certification. If your company builds, assembles, imports, or distributes a connectable product for the EU market, you are likely in scope.

Does the CRA apply to our company if we sell SaaS, operate B2B-only, release open source, or make hardware?

SaaS: Pure software-as-a-service that does not support the functionality of a product with digital elements is generally out of scope under the CRA. The regulation targets products placed on the market as discrete units, not cloud services delivered on a subscription basis. However, if your SaaS runs an embedded component or delivers firmware, security updates, or operating logic to a connected product, that component may fall within scope.

B2B-only: Selling only to businesses does not exclude a product from CRA scope. The regulation applies based on what the product is and whether it is placed on the EU market, not on who the buyer is.

Open source: Non-commercial free and open-source software developed outside of a commercial activity is out of scope. Open-source software that is monetized or distributed as part of a commercial activity is in scope, even if the source code is publicly available.

Hardware: Hardware products with digital elements, meaning hardware that connects to other devices or networks, are fully in scope. The CRA was designed specifically to cover connected hardware alongside software.

What is the difference between self-assessment and third-party conformity assessment?

Self-assessment (also called internal control) means the manufacturer evaluates their own product against the CRA essential requirements, compiles technical documentation, and issues a declaration of conformity without involving an external body. This route is available for most default-class products. Third-party conformity assessment means an independent conformity assessment body, which must be designated and notified to the European Commission, reviews the product and its development processes against the requirements before the CE marking is affixed. Important products (Annex III, Class I and Class II) require third-party conformity assessment. Critical products (Annex IV) may additionally need certification under a European cybersecurity certification scheme where one exists. The assessment route your product must follow depends on its classification, so knowing whether your product appears in Annex III or Annex IV is the first step.

What is an SBOM and is it mandatory under the CRA?

A Software Bill of Materials (SBOM) is a structured list of the software components, libraries, and dependencies contained in a product. Under the CRA, manufacturers are required to identify and document all components in their products with digital elements, including by drawing up an SBOM. The SBOM is part of the technical documentation that manufacturers must maintain. Manufacturers are not required to make the SBOM public, but market surveillance authorities can request it. The practical implication is that manufacturers need processes to generate and maintain an SBOM as a standard part of their build and release pipeline.
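As an added illustration of the build-pipeline point above (example code, not the page's or CRA Evidence's), this script turns a pinned Python requirements file into a minimal CycloneDX 1.5 SBOM and checks that every component is fully identified before a release; the product name and the sample requirements are constructed.

```python
# Added example (not the page's or CRA Evidence's code): emit a minimal
# CycloneDX 1.5 SBOM from a pinned requirements file, then gate on completeness.
import uuid
from datetime import datetime, timezone

# Constructed sample input, as a release build would read it from the repo.
SAMPLE_REQUIREMENTS = """\
# comments and blank lines are ignored
requests==2.32.3
cryptography==43.0.1
urllib3==2.2.3
"""

def parse_pinned_requirements(text):
    """Return (name, version) pairs. Unpinned lines are rejected because an
    SBOM has to name the exact component version that ships."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement cannot be inventoried: {line}")
        name, version = (p.strip() for p in line.split("==", 1))
        components.append((name, version))
    return components

def build_sbom(product_name, product_version, requirements_text):
    """CycloneDX 1.5 JSON: the product as root component, one library per pin.
    The purl lets vulnerability tooling match components to advisories."""
    comps = parse_pinned_requirements(requirements_text)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": product_name,
                          "version": product_version},
        },
        "components": [{"type": "library", "name": n, "version": v,
                        "purl": f"pkg:pypi/{n.lower()}@{v}"} for n, v in comps],
    }

def check_sbom_complete(sbom):
    """Release gate: names of components missing name, version or purl."""
    required = ("name", "version", "purl")
    return [c.get("name", "?") for c in sbom["components"]
            if any(not c.get(k) for k in required)]
```

Store the resulting document alongside the release's technical documentation and regenerate it on every build so the inventory never drifts from what was actually shipped.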

How is the CRA different from NIS2, RED, and GDPR?

The CRA targets products: it sets cybersecurity requirements for manufacturers, importers, and distributors of products with digital elements placed on the EU market. NIS2 (Directive (EU) 2022/2555) targets operators: it sets cybersecurity and incident reporting obligations for organizations in critical sectors. Both can apply to the same company at the same time, but they address different obligations.

The Radio Equipment Directive (RED, Directive 2014/53/EU) covers radio equipment and already includes some cybersecurity requirements; the CRA complements it. GDPR (Regulation (EU) 2016/679) covers personal data protection. A company may need to satisfy more than one of these regulations simultaneously. None of them replaces the others.

Do we need a Notified Body?

Whether you need a notified body depends on your product's classification. Default-class products (those not listed in Annex III or Annex IV) can follow a self-assessment route without involving an external body. Products listed in Annex III as important (Class I or Class II) require a third-party conformity assessment, and that assessment must be carried out by a notified body. Products listed in Annex IV as critical may additionally need to go through a European cybersecurity certification scheme. The classification question should be resolved early: it affects your conformity assessment budget and documentation strategy.

Contact

Start with a focused conversation

If your company is preparing for the Cyber Resilience Act and needs practical technical guidance, send a short note with your product context and the main uncertainty you need to resolve.

I usually reply within 1 to 2 working days.

contact@joanromerocra.com