CRA Compliance Cost: How to Budget for Conformity Assessment and Documentation
Practical cost estimation framework for CRA compliance. Covers conformity assessment costs by product category, tooling investments, and ongoing maintenance budgets.
CRA compliance costs vary by product category, conformity route, and current security maturity. There is no single figure. A simple IoT sensor using self-assessment can get there for €20,000–60,000. An industrial firewall requiring a Notified Body will spend €200,000–500,000 before you count ongoing obligations. This article breaks down what drives those numbers and what manufacturers need to budget realistically.
Tip: Default category products can use self-assessment (Module A). That keeps initial costs lowest. Confirm your product classification before budgeting. Most products are Default.
Summary
- CRA compliance costs range from €20K (simple product, self-assessment) to over €500K (complex product, third-party assessment)
- Major cost drivers: conformity assessment route, product complexity, current security maturity
- Ongoing costs for vulnerability management and security updates often exceed initial compliance spend
- SMEs face proportionally higher per-product costs than large manufacturers
- No CRA-specific notified body fee schedules have been published yet; designation starts June 2026
- The European Commission Impact Assessment (SWD(2022) 282) estimated total EU-wide compliance costs at EUR 29 billion. Per-product benchmarks from the same document: ~EUR 18,400 for self-assessment, ~EUR 25,000 for third-party assessment, and EUR 126,000 for complex products such as routers
Two Deadlines, Two Different Budgets
The CRA (Regulation (EU) 2024/2847) has two compliance milestones, each with different budget implications:
September 11, 2026: Reporting obligations apply (Article 14)
Manufacturers must have active vulnerability disclosure and incident response processes in place. This means:
- A process to detect and triage actively exploited vulnerabilities
- Ability to report to your national CSIRT within 24 hours of becoming aware, with a full notification within 72 hours and a final report within 14 days after a fix is available
- For severe security incidents: the same 24-hour early warning and 72-hour notification timeline, with a final report within one month
This deadline is 5 months away as of April 2026. It does not require full product conformity but does require operational processes. Budget separately for this.
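The reporting-readiness work described above is the one part of this budget that has to exist as a working process, not a document, by September 2026. The following Python drill is an added example (it is not code from this article or from CRA Evidence) of the minimum loop that process runs: read a CycloneDX-style SBOM (the JSON shape SBOM tools such as Syft emit), match its components against an advisory feed, and for any advisory flagged as actively exploited start the Article 14 clock at the 24-hour, 72-hour and 14-days-after-fix points listed above. The SBOM, the advisory feed, the advisory identifiers and the timestamps are all constructed for the example, and the version comparison is a naive dotted-integer compare, not a full package-ecosystem version scheme.

```python
"""Added example: an Article 14 readiness drill over an SBOM.
All data below is constructed for illustration; advisory ids are placeholders."""
from datetime import datetime, timedelta, timezone
import json

# Constructed SBOM fragment in CycloneDX JSON shape (not a real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "2.4.1",
     "purl": "pkg:generic/libexample-tls@2.4.1"},
    {"type": "library", "name": "mqtt-client", "version": "1.0.3",
     "purl": "pkg:generic/mqtt-client@1.0.3"},
    {"type": "library", "name": "json-parse", "version": "3.2.0",
     "purl": "pkg:generic/json-parse@3.2.0"}
  ]
}"""

# Constructed advisory feed. "affected_below" is the first fixed version.
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libexample-tls",
     "affected_below": "2.4.3", "actively_exploited": True},
    {"id": "ADV-EXAMPLE-0002", "name": "json-parse",
     "affected_below": "3.1.0", "actively_exploited": False},
    {"id": "ADV-EXAMPLE-0003", "name": "mqtt-client",
     "affected_below": "1.1.0", "actively_exploited": False},
]

# Constructed timestamps: when the manufacturer became aware, and when a fix shipped.
EXAMPLE_AWARE_AT = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)
EXAMPLE_FIX_AT = datetime(2026, 9, 17, 9, 0, tzinfo=timezone.utc)


def parse_version(v):
    """Split a dotted numeric version into a tuple so tuples compare element-wise."""
    return tuple(int(part) for part in v.split("."))


def match_advisories(sbom_json, advisories):
    """Return (component, advisory) pairs where the shipped version is below the fixed version."""
    components = json.loads(sbom_json).get("components", [])
    hits = []
    for comp in components:
        for adv in advisories:
            if comp["name"] != adv["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["affected_below"]):
                hits.append((comp, adv))
    return hits


def article14_clock(aware_at, fix_available_at=None):
    """Article 14 deadlines for an actively exploited vulnerability, relative to awareness.

    Early warning 24 h after awareness, notification 72 h after awareness,
    final report 14 days after a fix is available (only known once a fix exists)."""
    clock = {
        "early_warning_due": aware_at + timedelta(hours=24),
        "notification_due": aware_at + timedelta(hours=72),
    }
    if fix_available_at is not None:
        clock["final_report_due"] = fix_available_at + timedelta(days=14)
    return clock


def triage(sbom_json, advisories, aware_at, fix_available_at=None):
    """Build the triage list: every match, with a reporting clock attached
    only to advisories flagged as actively exploited."""
    findings = []
    for comp, adv in match_advisories(sbom_json, advisories):
        finding = {"component": comp["name"], "version": comp["version"],
                   "advisory": adv["id"], "reportable": adv["actively_exploited"]}
        if adv["actively_exploited"]:
            finding["clock"] = article14_clock(aware_at, fix_available_at)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SBOM_JSON, ADVISORIES, EXAMPLE_AWARE_AT):
        print(finding)
```

Run as a script it prints two findings: the TLS library is below its fixed version and carries a clock because the advisory is flagged as actively exploited, while the MQTT client is below its fixed version but only goes on the patch backlog. The distinction matters for budgeting: every match costs patch work, but only the exploited one starts the 24-hour CSIRT timer.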
Note: The CRA Single Reporting Platform (the system manufacturers will use to report to national CSIRTs and ENISA simultaneously) is being built by ENISA. It is not yet operational.
December 11, 2027: Full manufacturer obligations apply
Technical file, conformity assessment, EU Declaration of Conformity, CE marking, SBOM, and update delivery requirements all apply from this date.
The notified body framework under the CRA takes effect June 11, 2026. Member States are required to have sufficient notified bodies in place by December 11, 2026. No CRA-designated notified bodies exist yet. This is a supply constraint: when bodies are designated, demand will be high and queues will form. Manufacturers who need Module B+C assessment should factor this into their timeline.
Cost Categories Overview
CRA compliance costs fall into five categories:
```
CRA COMPLIANCE COST STRUCTURE
==============================================================

ONE-TIME COSTS
--------------------------------------------------------------
1. CONFORMITY ASSESSMENT
   - Risk assessment
   - Security testing
   - Documentation
   - Notified Body fees (if applicable)

2. INFRASTRUCTURE SETUP
   - SBOM tooling
   - Update delivery mechanism
   - Vulnerability management system
   - Documentation repository

3. PRODUCT REMEDIATION
   - Security gap fixes
   - Architecture changes
   - Secure boot implementation
   - Cryptography upgrades

ONGOING COSTS
--------------------------------------------------------------
4. VULNERABILITY MANAGEMENT
   - Monitoring and triage
   - Patch development
   - Customer notification
   - National CSIRT reporting (Article 14)

5. SUPPORT PERIOD MAINTENANCE
   - Update distribution
   - Security testing (ongoing)
   - Documentation updates
   - Customer support
```
Cost Estimates by Product Category
About these figures: The line-item breakdowns below are illustrative estimates, not verified quotes. They are calibrated against published benchmarks: the EC Impact Assessment (SWD(2022) 282) modeled self-assessment at ~EUR 18,400 per product on average, third-party assessment at ~EUR 25,000, and complex products such as routers at EUR 126,000. Pre-CRA market rates (France CSPN: EUR 25,000-35,000; Netherlands BSPA: avg EUR 40,000) provide additional anchors. No CRA-specific notified body fees have been published; those ranges reflect pre-CRA EU cybersecurity assessment market rates. Actual costs depend on your product, existing security maturity, service provider, and timeline. Use these as a planning framework, not as a quote.
Default Products (Module A Self-Assessment)
Most products fall here. Self-assessment keeps costs lowest.
```
DEFAULT PRODUCT - COST ESTIMATE
SCENARIO: IoT sensor, existing product, moderate security maturity
----------------------------------------------------------------
ONE-TIME COSTS:

Risk Assessment
+-- Internal effort (40-80 hours)        EUR  4,000 - EUR  8,000
\-- External consultant (optional)       EUR  5,000 - EUR 15,000

Security Testing
+-- Vulnerability scanning               EUR  1,000 - EUR  3,000
+-- Penetration testing                  EUR  5,000 - EUR 15,000
\-- Code review (if applicable)          EUR  3,000 - EUR 10,000

Documentation
+-- Technical file preparation           EUR  5,000 - EUR 15,000
+-- SBOM generation setup                EUR  1,000 - EUR  5,000
\-- DoC and user instructions            EUR  1,000 - EUR  3,000

Infrastructure
+-- SBOM tooling                         EUR      0 - EUR  5,000/year
+-- Update delivery mechanism            EUR  5,000 - EUR 20,000
\-- Vulnerability tracking               EUR      0 - EUR 10,000/year
----------------------------------------------------------------
ONE-TIME TOTAL:                          EUR 20,000 - EUR 80,000
----------------------------------------------------------------
ONGOING COSTS (per year):
Vulnerability management                 EUR 10,000 - EUR 30,000
Update development and testing           EUR 15,000 - EUR 40,000
Documentation maintenance                EUR  2,000 - EUR  5,000
Customer support (security)              EUR  5,000 - EUR 15,000
----------------------------------------------------------------
ANNUAL ONGOING:                          EUR 32,000 - EUR 90,000
----------------------------------------------------------------
5-YEAR TOTAL COST OF OWNERSHIP:          EUR 180,000 - EUR 530,000
```
Important Class I (Module B+C Required in Practice)
Higher scrutiny, more documentation, Notified Body involvement for most manufacturers.
Harmonized standards note: Module A self-assessment is available for Important Class I products only when relevant harmonized standards under the CRA have been published and the manufacturer fully applies them. As of early 2026, no CRA-specific harmonized standards have been adopted. EN 18031-1/2/3 (published January 2025, OJ ref EU 2025/138) are harmonized under the Radio Equipment Directive, not the CRA. Until CRA harmonized standards are formally adopted, most Important Class I manufacturers will need Module B+C. Budget accordingly.
```
IMPORTANT CLASS I - COST ESTIMATE
SCENARIO: Smart home hub, Important Class I
----------------------------------------------------------------
CURRENT SITUATION (Module B+C, no CRA harmonized standards yet):

Risk Assessment
+-- Comprehensive assessment             EUR  8,000 - EUR 20,000
\-- Standards gap analysis               EUR  5,000 - EUR 15,000

Security Testing
+-- Full security testing suite          EUR 15,000 - EUR 40,000
+-- Standards conformance testing        EUR 10,000 - EUR 25,000
\-- Third-party validation               EUR 10,000 - EUR 30,000

Documentation
+-- Technical file (detailed)            EUR 15,000 - EUR 35,000
+-- Standards compliance evidence        EUR  5,000 - EUR 15,000
\-- SBOM and related docs                EUR  3,000 - EUR  8,000

Notified Body (Module B+C)
+-- Application and review               EUR  5,000 - EUR 15,000
+-- EU-Type Examination                  EUR 20,000 - EUR 60,000
+-- Testing fees                         EUR 10,000 - EUR 40,000
\-- Certificate issuance                 EUR  2,000 - EUR  5,000
----------------------------------------------------------------
ONE-TIME TOTAL:                          EUR 110,000 - EUR 310,000
----------------------------------------------------------------
FUTURE OPTION: IF CRA HARMONIZED STANDARDS ARE ADOPTED (Module A):
Remove Notified Body fees above.
One-time estimate would reduce to approximately: EUR 70,000 - EUR 190,000
----------------------------------------------------------------
ONGOING COSTS (per year):
Vulnerability management                 EUR 15,000 - EUR 40,000
Update development and testing           EUR 15,000 - EUR 40,000
Standards monitoring                     EUR  2,000 - EUR  5,000
Enhanced testing                         EUR  5,000 - EUR 15,000
NB surveillance (Module B+C)             EUR  5,000 - EUR 15,000
----------------------------------------------------------------
ANNUAL ONGOING:                          EUR 45,000 - EUR 125,000
----------------------------------------------------------------
```
Important Class II (Mandatory Module B+C)
Third-party assessment required. Higher costs unavoidable.
```
IMPORTANT CLASS II - COST ESTIMATE
SCENARIO: Industrial firewall, Important Class II (Annex III, Part II)
----------------------------------------------------------------
ONE-TIME COSTS:

Risk Assessment
+-- Comprehensive threat modeling        EUR 15,000 - EUR  40,000
\-- Industrial security assessment       EUR 10,000 - EUR  30,000

Security Testing
+-- Full security audit                  EUR 25,000 - EUR  75,000
+-- Industrial protocol testing          EUR 15,000 - EUR  40,000
\-- Compliance testing                   EUR 10,000 - EUR  30,000

Documentation
+-- Technical file (extensive)           EUR 25,000 - EUR  60,000
+-- Security architecture docs           EUR 10,000 - EUR  25,000
\-- Test reports and evidence            EUR  5,000 - EUR  15,000

Notified Body (Module B+C)
+-- Application and planning             EUR 10,000 - EUR  25,000
+-- EU-Type Examination                  EUR 40,000 - EUR 100,000
+-- Laboratory testing                   EUR 20,000 - EUR  60,000
\-- Certification                        EUR  5,000 - EUR  15,000
----------------------------------------------------------------
ONE-TIME TOTAL:                          EUR 190,000 - EUR 515,000
----------------------------------------------------------------
ONGOING COSTS (per year):
Enhanced vulnerability management        EUR 30,000 - EUR  80,000
Continuous security testing              EUR 20,000 - EUR  50,000
NB surveillance audits                   EUR 10,000 - EUR  25,000
Documentation maintenance                EUR  5,000 - EUR  15,000
Customer support (enterprise)            EUR 15,000 - EUR  40,000
----------------------------------------------------------------
ANNUAL ONGOING:                          EUR 80,000 - EUR 210,000
----------------------------------------------------------------
```
Critical Products (Annex IV: Module B+C)
Critical products (Annex IV) currently require mandatory third-party conformity assessment via a notified body using Module B+C or Module H.
The EUCC (Commission Implementing Regulation (EU) 2024/482) is a Common Criteria-based certification scheme that is often discussed alongside Annex IV products, but it is not currently mandatory for them. CRA Article 35 gives the Commission the power to adopt a delegated act requiring Annex IV products to obtain an EUCC certificate at "substantial" or "high" assurance level. No such delegated act has been adopted as of early 2026. It is expected in Q4 2026. Until adopted, critical product manufacturers use Module B+C alone.
When the EUCC delegated act is adopted, manufacturers of Annex IV products will need both the Module B+C assessment and an EUCC certificate. Cost estimates below reflect the full expected cost once that requirement takes effect.
Annex IV currently lists only three product types: Hardware Devices with Security Boxes, smart meter gateways with advanced security functions, and smartcards or similar devices including secure elements.
```
CRITICAL PRODUCT - COST ESTIMATE
SCENARIO: Hardware Security Module (Annex IV, item 1)
----------------------------------------------------------------
ONE-TIME COSTS:

Security Assessment
+-- Common Criteria-level evaluation     EUR 100,000 - EUR 300,000
+-- Threat modeling and analysis         EUR  30,000 - EUR  80,000
\-- Cryptographic assessment             EUR  20,000 - EUR  60,000

Conformity Assessment
+-- Module B+C (Notified Body)           EUR  75,000 - EUR 175,000
+-- EUCC certification (CAB)             EUR 100,000 - EUR 400,000
\-- Laboratory testing                   EUR  50,000 - EUR 150,000

Documentation
+-- Technical file (comprehensive)       EUR  40,000 - EUR 100,000
+-- Security target documentation        EUR  30,000 - EUR  80,000
\-- Certification evidence               EUR  20,000 - EUR  50,000
----------------------------------------------------------------
ONE-TIME TOTAL:                          EUR 465,000 - EUR 1,395,000
----------------------------------------------------------------
ONGOING COSTS (per year):
Certification maintenance                EUR  50,000 - EUR 150,000
Security monitoring and response         EUR  50,000 - EUR 120,000
Annual assessments                       EUR  30,000 - EUR  80,000
----------------------------------------------------------------
ANNUAL ONGOING:                          EUR 130,000 - EUR 350,000
----------------------------------------------------------------
```
Cost Comparison Summary
All figures are illustrative. No CRA-specific notified body fees have been published; ranges are based on pre-CRA EU cybersecurity assessment market rates and industry commentary.
| Category | One-Time | Annual Ongoing | 5-Year TCO |
|---|---|---|---|
| Default (Module A) | €20K-80K | €32K-90K | €180K-530K |
| Important I (current, Module B+C) | €110K-310K | €50K-140K | €360K-1.0M |
| Important I (future, Module A with harmonized standards) | €70K-190K | €45K-125K | €295K-815K |
| Important II (Module B+C) | €190K-515K | €80K-210K | €590K-1.6M |
| Critical (Module B+C; + EUCC when delegated act adopted) | €465K-1.4M | €130K-350K | €1.1M-3.2M |
Warning: Hidden costs include ongoing vulnerability monitoring, security update delivery, and the full support period commitment. Factor these into your total cost of compliance. Notified Body queues are likely to be significant after June 2026 designation. Build lead time into your plan.
Cost Drivers
What Increases Costs
| Factor | Impact | Why |
|---|---|---|
| Product complexity | High | More components, more attack surface, more testing |
| Low security maturity | High | Gap remediation before compliance is possible |
| Third-party assessment | High | Notified Body fees are significant |
| Multiple products | Medium | Some costs multiply per product |
| Legacy architecture | Medium | May require redesign for secure update delivery |
| Short timeline | Medium | Rush fees and parallel workstreams; notified body queues |
What Reduces Costs
| Factor | Impact | Why |
|---|---|---|
| Existing security practices | High | Less remediation, faster documentation |
| Reusable infrastructure | High | SBOM tools and update systems serve multiple products |
| Simple product design | Medium | Less attack surface, faster testing |
| Early start | Medium | No rush fees, time to clear notified body queues |
DIY vs. Outsourced
Do It Yourself (Internal)
Best for:
- Organizations with security expertise
- Multiple products (amortize the learning investment)
- Simple and Default products
Cost profile:
- Lower direct costs
- Higher time investment
- Risk of rework if done incorrectly
Typical internal team needs:
```
INTERNAL COMPLIANCE TEAM (DIY)

Full-time roles:
- Security Engineer              (0.5-1 FTE)
- Compliance/Regulatory          (0.25-0.5 FTE)
- Documentation                  (0.25 FTE)

Estimated annual cost: EUR 80,000 - EUR 180,000
(Covers multiple products)
```
Outsourced to Consultants
Best for:
- One-off compliance needs
- No internal security expertise
- Complex, Important, and Critical products
Cost profile:
- Higher direct costs
- Faster timeline
- Expertise included
Typical consultant rates (EU):
```
CONSULTANT RATES (EU market)

Security assessment:      EUR   150 - EUR   300/hour
Technical writing:        EUR   100 - EUR   200/hour
Compliance advisory:      EUR   200 - EUR   400/hour
Penetration testing:      EUR 1,000 - EUR 2,500/day

Full compliance project:
- Default product:        EUR  30,000 - EUR  80,000
- Important Class I:      EUR  80,000 - EUR 200,000
- Important Class II:     EUR 150,000 - EUR 400,000
```
Hybrid Approach (Recommended)
Best for: Most organizations
```
HYBRID APPROACH

Internal:
- Product knowledge
- Ongoing maintenance
- Documentation updates
- Day-to-day vulnerability handling

Outsourced:
- Initial risk assessment
- Penetration testing
- Notified Body coordination
- Gap remediation (specialized)
```
Budget Planning Framework
Phase 1: Assessment (Start Now for December 2027)
```
ASSESSMENT PHASE BUDGET
Product classification               EUR  2,000 - EUR 10,000
Gap analysis                         EUR 10,000 - EUR 40,000
Compliance roadmap                   EUR  5,000 - EUR 15,000
----------------------------------------------------
TOTAL:                               EUR 17,000 - EUR 65,000
```
Phase 2: Reporting Readiness (Before September 2026)
```
REPORTING READINESS BUDGET
Vulnerability management process     EUR  5,000 - EUR 20,000
Incident response setup              EUR  5,000 - EUR 15,000
CSIRT liaison and process testing    EUR  3,000 - EUR 10,000
----------------------------------------------------
TOTAL:                               EUR 13,000 - EUR 45,000
```
Phase 3: Remediation (Running Now Through 2027)
```
REMEDIATION PHASE BUDGET
Security improvements                EUR 20,000 - EUR 200,000
Architecture changes                 EUR 10,000 - EUR 100,000
Tooling implementation               EUR  5,000 - EUR  30,000
----------------------------------------------------
TOTAL:                               EUR 35,000 - EUR 330,000
```
Phase 4: Conformity Assessment (H2 2026 to H1 2027)
```
CONFORMITY ASSESSMENT BUDGET
Documentation preparation            EUR 10,000 - EUR  50,000
Testing                              EUR 15,000 - EUR 100,000
Notified Body (if required)          EUR 40,000 - EUR 200,000
----------------------------------------------------
TOTAL:                               EUR 65,000 - EUR 350,000
```
Phase 5: Ongoing (Post-Compliance)
```
ANNUAL ONGOING BUDGET
Vulnerability management             EUR 15,000 - EUR  50,000
Update development                   EUR 20,000 - EUR  60,000
Documentation maintenance            EUR  5,000 - EUR  15,000
Tools and subscriptions              EUR  5,000 - EUR  20,000
----------------------------------------------------
ANNUAL TOTAL:                        EUR 45,000 - EUR 145,000
```
SME Considerations
Proportionally Higher Costs
SMEs face higher per-product costs because:
- Fixed costs (tools, training) spread over fewer products
- Less existing security infrastructure
- More external support typically needed
The European Commission Impact Assessment (SWD(2022) 282) noted that more than 99% of manufacturers of products with digital elements are SMEs. The EC could not quantify exact per-SME differential costs but cited ENISA data showing 12.3% of SMEs report cybersecurity performance below industry standards versus 2.1% for large enterprises. SME industry representatives rated horizontal mandatory compliance requirements at 3.7 out of 5 for cost burden. The structural problem is simple: a large manufacturer spreading one-time tool costs across 50 products has fundamentally different unit economics than an SME with two products.
Cost Reduction Strategies for SMEs
```
SME COST OPTIMIZATION

1. Start with gap analysis
   - Know exactly what you need before spending
   - Avoid over-engineering for your actual product category

2. Use open-source tools
   - SBOM: Syft, Trivy (free)
   - Vulnerability scanning: Trivy, Grype (free)
   - Saves EUR 5,000-20,000/year on tooling

3. Leverage harmonized standards (when available)
   - CRA harmonized standards not yet published as of early 2026
   - When published: following them enables Module A for Important Class I
   - Avoids significant Notified Body costs for those products

4. Shared services
   - Industry consortiums
   - Managed compliance services
   - Fractional security team

5. Phased approach
   - Prioritize reporting readiness first (September 2026 deadline)
   - Then tackle product conformity for December 2027

6. Government support
   - EU Digital Europe Programme
   - National SME digitalization grants
   - Regional cybersecurity programs
```
SME Budget Template
```
SME CRA BUDGET (Single Default Product)

YEAR 1 (Compliance Achievement):
Reporting readiness (Sep 2026)       EUR 15,000
Gap remediation                      EUR 20,000
Documentation                        EUR 10,000
Testing                              EUR 10,000
Tools setup                          EUR  5,000
Contingency (20%)                    EUR 12,000
--------------------------------------------
YEAR 1 TOTAL:                        EUR 72,000

YEARS 2-5 (Ongoing):
Annual maintenance                   EUR 30,000/year
--------------------------------------------
5-YEAR TOTAL:                        EUR 192,000
Per-unit (5,000 units over 5 years): EUR 38.40
```
ROI Considerations
Cost of Non-Compliance
| Consequence | Potential Cost |
|---|---|
| Administrative fines | Up to €15M or 2.5% of annual turnover (Article 64, Regulation 2024/2847) |
| Product withdrawal | Lost revenue plus recall costs |
| Reputational damage | Customer loss |
| Market access loss | Cannot sell in the EU |
| Liability exposure | Customer claims |
Compliance Benefits
| Benefit | Value |
|---|---|
| EU market access | Required to sell products with digital elements in the EU after December 2027 |
| Customer trust | Verifiable security posture |
| Reduced incident cost | Proactive vulnerability management lowers breach impact |
| Due diligence defense | Documented compliance limits liability |
Budgeting Checklist
```
CRA COMPLIANCE BUDGETING CHECKLIST

INITIAL ASSESSMENT:
[ ] Products classified (Default/Important Class I or II/Critical)
[ ] Current security maturity assessed
[ ] Gap analysis completed
[ ] Conformity route determined (A, B+C, or H)
[ ] Reporting readiness plan for September 2026

ONE-TIME BUDGET:
[ ] Risk assessment costs
[ ] Remediation costs (if gaps exist)
[ ] Documentation preparation
[ ] Testing (internal and external)
[ ] Notified Body fees (if applicable)
[ ] Tool implementation
[ ] Training
[ ] Contingency (15-25%)

ONGOING BUDGET:
[ ] Vulnerability management (Article 14 processes)
[ ] Update development and testing
[ ] Documentation maintenance
[ ] Tool subscriptions
[ ] NB surveillance (if applicable)
[ ] Customer support (security)

RESOURCE PLANNING:
[ ] Internal FTE allocation
[ ] External consultant needs
[ ] Notified Body engagement timeline (queues expected post-June 2026)
[ ] Budget approved by management
[ ] Phased spending plan
```
How CRA Evidence Helps
CRA Evidence reduces compliance costs by combining SBOM generation, vulnerability tracking, and documentation in one platform. Templates reduce technical file preparation time. Automated monitoring reduces ongoing manual effort for vulnerability management.
Related reading:
Classification: Your costs depend on your classification. See our product classification guide.
Assessment: Cost breakdown by conformity module in our conformity assessment guide.
Startups: Budget-friendly approaches in our startup compliance guide.
This article is for informational purposes only and does not constitute legal advice. Cost estimates are illustrative and will vary based on specific circumstances.