CRA Compliance for Spanish Manufacturers: INCIBE-CERT and Regional Support

Spanish manufacturers face the same CRA obligations as their EU counterparts, but with access to Spanish-language resources and national support structures. INCIBE-CERT serves as the national reference CSIRT, and various regional programs can help SMEs prepare for compliance.

This guide covers CRA compliance from a Spanish manufacturer's perspective.

CRA in the Spanish Context

Same Regulation, Same Obligations

The CRA is an EU Regulation (not a Directive), meaning it applies directly in Spain without transposition. Spanish manufacturers have the same obligations as German, French, or any other EU manufacturer:

• Conformity assessment before market placement
• Technical documentation (technical file)
• CE marking
• Vulnerability handling and security updates
• ENISA/CSIRT reporting (when applicable)

No Spanish-specific exemptions exist.

Spanish Implementation Bodies

INCIBE-CERT: Your National CSIRT

What Is INCIBE-CERT?

INCIBE-CERT (Instituto Nacional de Ciberseguridad - Computer Emergency Response Team) is Spain's national CSIRT for citizens, businesses, and critical infrastructure operators.

Relevance to CRA:

• Receives vulnerability reports routed through ENISA
• Coordinates with manufacturers on Spanish market incidents
• Provides guidance and resources in Spanish
• Supports SMEs with cybersecurity

INCIBE Contact Information

INCIBE-CERT CONTACT

General Inquiries:
Website: https://www.incibe.es
Email: incidencias@incibe-cert.es

For Businesses:
017 (National cybersecurity helpline)
Website: https://www.incibe.es/empresas

Incident Reporting:
https://www.incibe.es/incibe-cert/incidentes

Vulnerability Coordination:
Follow ENISA SRP procedures (Sept 2026 onwards)

How CRA Reporting Will Work

When CRA vulnerability reporting begins (September 2026):

VULNERABILITY REPORTING FLOW (Spanish Manufacturer)

Actively Exploited Vulnerability Discovered
                │
                ▼
        ENISA Single Reporting Platform
                │
                ├──────────────────────────────┐
                ▼                              ▼
        ENISA (EU Level)              National CSIRT(s)
                                              │
                                   If Spain: INCIBE-CERT
                                              │
                                   Coordination & Support

The ENISA SRP routes reports to relevant national CSIRTs based on where your products are sold. For products on the Spanish market, INCIBE-CERT will receive notifications.

Spanish-Language CRA Resources

INCIBE Resources

INCIBE provides cybersecurity resources in Spanish:

CRA-Specific: Monitor INCIBE for CRA guidance as the regulation enters into force.

CCN Resources

The Centro Criptológico Nacional provides resources primarily for public sector but useful for manufacturers:

Industry Associations

Spanish industry associations providing CRA information:

SME Support Programs

Spanish SMEs may access support for CRA compliance investments:

National Programs

CDTI (Centro para el Desarrollo Tecnológico Industrial):

• Innovation financing
• May support cybersecurity/compliance R&D
• Loans and grants for technology development

ICEX (España Exportación e Inversiones):

• Export support
• May help with EU market compliance requirements
• International certification assistance

Kit Digital:

• Digitalization support for SMEs
• Cybersecurity components included
• Potential alignment with CRA preparation

Regional Programs

Check regional programs for:

• Cybersecurity grants
• Certification support
• Technical assistance programs
• Export preparation funding

EU Programs Accessible from Spain

Practical Steps for Spanish Manufacturers

Phase 1: Assessment (Now - Mid 2026)

ASSESSMENT PHASE CHECKLIST

Product Portfolio:
[ ] List all products with digital elements
[ ] Determine CRA classification for each
[ ] Identify products sold in Spain vs. broader EU
[ ] Map current compliance status

Gap Analysis:
[ ] Compare current practices to CRA requirements
[ ] Identify documentation gaps
[ ] Assess vulnerability handling capability
[ ] Evaluate update delivery mechanisms

Resources:
[ ] Estimate compliance investment needed
[ ] Identify potential support programs
[ ] Assess internal capability vs. external support needs

Phase 2: Preparation (Mid 2026 - Sept 2026)

PREPARATION PHASE CHECKLIST

Vulnerability Handling:
[ ] Establish security contact (security.txt)
[ ] Create CVD policy
[ ] Prepare for ENISA reporting (Sept 2026 start)
[ ] Test incident response procedures

Documentation:
[ ] Begin technical file preparation
[ ] Implement SBOM generation
[ ] Document security architecture
[ ] Prepare risk assessments

Infrastructure:
[ ] Set up update delivery mechanism
[ ] Establish customer notification capability
[ ] Create documentation repository

Phase 3: Compliance (Sept 2026 - Dec 2027)

COMPLIANCE PHASE CHECKLIST

September 2026:
[ ] Reporting capability active
[ ] ENISA SRP access established
[ ] Vulnerability handling process operational

Through 2027:
[ ] Complete conformity assessments
[ ] Finalize technical documentation
[ ] Achieve CE marking readiness

December 2027:
[ ] Full CRA compliance
[ ] All products have conformity assessment
[ ] CE marking applied
[ ] 5-year support commitments in place

Spanish SME Challenges

Challenge 1: Limited Cybersecurity Resources

Many Spanish SMEs lack dedicated security staff.

Solutions:

• Use INCIBE resources and training
• Consider managed security services
• Join industry clusters for shared resources
• Leverage regional support programs

Challenge 2: Technical Documentation in Spanish

While CRA documentation can be in Spanish for Spanish market, component documentation (from international suppliers) may be in English.

Solutions:

• Request Spanish documentation from EU suppliers
• Use translation for internal understanding
• Maintain English versions for technical accuracy
• Spanish summary documents for authorities

Challenge 3: Supplier Relationships

Spanish manufacturers may import components from non-EU suppliers who are unfamiliar with CRA.

Solutions:

• Educate key suppliers on CRA requirements
• Include CRA terms in procurement contracts
• Consider alternative EU suppliers for critical components
• Build buffer time for supplier compliance

Challenge 4: Conformity Assessment Access

Notified Bodies for CRA may initially be limited.

Solutions:

• Engage early with potential Notified Bodies
• Check ENAC for accredited bodies in Spain
• Consider bodies in other EU countries (valid EU-wide)
• For Default products, self-assessment (Module A) may suffice

Industry Perspectives

IoT and Electronics

Spanish IoT manufacturers face full CRA scope:

• Product classification (likely Important Class I for many)
• Conformity assessment requirements
• 5-year update commitments
• SBOM and vulnerability management

Key consideration: Many IoT products incorporate imported components, so supply chain due diligence is essential.

Software Companies

Spanish software companies:

• Standalone software is in CRA scope
• SaaS may be out of scope (service, not product)
• Embedded software in products is definitely in scope

Key consideration: Distinguish between software products (CRA applies) and services (CRA may not apply).

Industrial Equipment

Spanish industrial equipment manufacturers:

• IACS for essential entities = Important Class II
• Higher conformity assessment requirements
• Longer expected product lifetimes

Key consideration: Industrial products often have extended support expectations beyond 5 years.

Working with Spanish Authorities

Market Surveillance

Market surveillance for CRA in Spain will likely involve:

• Ministerio de Industria or designated body
• Coordination with INCIBE for cybersecurity aspects
• Inspections and documentation requests

Preparation:

• Maintain accessible technical documentation
• Document compliance decisions and rationale
• Respond promptly to authority requests

Cooperation Obligations

Under CRA, you must cooperate with market surveillance authorities:

• Provide technical documentation on request
• Assist with product testing
• Implement corrective measures if non-compliance found

Checklist for Spanish Manufacturers

SPANISH MANUFACTURER CRA READINESS CHECKLIST

ORGANIZATION:
[ ] CRA responsibilities assigned internally
[ ] Budget allocated for compliance
[ ] Support programs identified (CDTI, ICEX, regional)

PRODUCT ASSESSMENT:
[ ] All products cataloged
[ ] CRA classification determined
[ ] Gap analysis completed

INCIBE/CSIRT:
[ ] Familiar with INCIBE-CERT services
[ ] 017 helpline number known
[ ] Incident reporting process understood

DOCUMENTATION:
[ ] Technical file structure defined
[ ] Spanish/English documentation strategy
[ ] SBOM generation capability

VULNERABILITY HANDLING:
[ ] Security contact established
[ ] CVD policy (can be in Spanish)
[ ] ENISA reporting preparation

SUPPLIER MANAGEMENT:
[ ] Key suppliers identified
[ ] CRA requirements communicated
[ ] Documentation requests sent

CONFORMITY ASSESSMENT:
[ ] Assessment route selected (A, B+C, H)
[ ] Notified Body identified (if needed)
[ ] Timeline planned

SUPPORT:
[ ] Industry association engagement
[ ] Regional program applications
[ ] External consultancy (if needed)

Related guides:

• EU Cyber Resilience Act: Complete Implementation Timeline 2025-2027
• CRA Product Classification: Is Your Product Default, Important, or Critical?

How CRA Evidence Helps

CRA Evidence supports Spanish manufacturers:

• Spanish interface: Platform available in Spanish
• INCIBE alignment: Reporting workflows aligned with Spanish CSIRT
• Documentation: Templates adaptable for Spanish market
• Guidance: CRA requirements explained in context

Start your CRA compliance at app.craevidence.com.

Este artículo es solo para fines informativos y no constituye asesoramiento legal. Para orientación específica sobre cumplimiento, consulte con asesores legales cualificados.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.