Technical implementation and programme leadership for the EU Cyber Resilience Act

Need someone to own your CRA programme? We lead the technical work alongside your team, using the tools that fit your stack.

CRA reporting obligations begin 11 September 2026. Plan your programme now.

Book a free CRA roadmap call
New to the Cyber Resilience Act? Read our free CRA compliance guide
How we engage

Three common starting points. Every engagement is scoped to you.

Example situations mapping to scoped engagements Three common situations on the left map to three engagements on the right. A fourth, dashed row shows that any other situation maps to a custom engagement scoped to you. 01 · SITUATION A reporting deadline 02 · SITUATION No one owns the work 03 · SITUATION An incident is coming ·· SITUATION Your situation

These are the three situations we see most often: preparing for the 11 September 2026 reporting deadline, running the cross-functional CRA work your team has no capacity to own, or getting ready for the first reportable vulnerability or authority letter. Most engagements are a blend, and plenty look nothing like this list. We scope to the situation you are actually in.

Scope is fixed and agreed upfront. Duration is discussed on the roadmap call, because real timelines depend on product count and how much groundwork already exists.

CRA Technical Readiness Sprint

Who this is for

Manufacturers with no internal CRA owner, one to three product lines, and a need to be ready for Article 14 reporting from 11 September 2026 while building the technical file and Annex I controls required for full CRA application on 11 December 2027.

What you receive
  • A written CRA scope memo per product line, covering Article 13 obligations and classification decisions
  • A prioritised gap assessment against Annex I, with a remediation plan your engineering lead can execute
  • CRA technical documentation aligned with Annex VII, signed off by your engineering lead
  • An operational vulnerability-handling process your team runs continuously, not a one-off scan
  • A written vulnerability reporting runbook mapped to Article 14 timelines

CRA Programme Lead

Who this is for

Companies where no one owns the CRA cross-functional work and the founder or CTO is carrying it informally.

What we take ownership of
  • CRA programme ownership, with CRA Evidence coordinating product, engineering, security, and leadership work
  • Implementation support for the technical controls, evidence gaps, and coverage questions that block progress
  • A living obligations calendar tied to CRA deadlines, product releases, standards, and open owners
  • A technical file we keep current as your products ship, so evidence does not rot between audits
  • Operational vulnerability-response ownership, with reviews against Annex I obligations and agreed escalation paths

Authority and Incident Response Plan

Who this is for

Teams whose real concern is the first reportable vulnerability or the first ENISA or national-authority letter.

What is covered
  • A written incident-response playbook your on-call engineer can execute under the Article 14 reporting clock
  • Early-warning and incident-notification templates pre-drafted for each national CSIRT you need to notify
  • An on-call response window that covers reportable incidents during the retainer period
  • A runbook for producing a complete evidence package when a market surveillance authority asks for one
Not on this list?

Your situation looks different?

Plenty of teams do not map cleanly to one of the three, and that is fine. Most engagements end up a blend, and some are something else entirely. Tell us what you are actually dealing with and we scope an engagement around it. The roadmap call is where we work out the right shape, or whether self-service is the better fit.

Book a free CRA roadmap call →

Priced per engagement

We do not publish price bands. The shape of a CRA engagement depends on your role under the Regulation, the technical complexity of your products, and how much groundwork already exists. A startup with one complex embedded product is a different engagement to a manufacturer with a dozen simpler SKUs. The exact figure is agreed on the 30-minute roadmap call, with a scoped written proposal delivered within 48 hours.

We work with your existing tools

Every engagement is tool-agnostic. We lead the technical work inside your stack, whether that is open source (CycloneDX, SPDX, Grype, Trivy), commercial tools you already pay for, or internal systems your team has built. Where the CRA Evidence platform is the right fit we will offer it, but it is never a requirement and never the deliverable. The deliverables are the compliance outcomes.

The basis

Why this works

01

Built against the full text.

We built CRA Evidence against the full text of Regulation (EU) 2024/2847, Annexes I to VIII, and the 41 harmonised standards under Commission standardisation request M/606. The platform maps every obligation to evidence, workflow, and reporting. The same mapping drives every engagement.

02

Engineer-led, not advisor-led.

CRA Evidence was built by engineers who have shipped products, run vulnerability programmes, and maintained technical evidence at European technology companies. The platform and every engagement reflect that operational background.

03

Small batch on purpose.

We take on a limited number of new CRA programmes each quarter to keep delivery quality high. Every engagement is led by the same senior people who build the platform.

Process

What happens on the 30-minute call

A working conversation, not a sales pitch. It covers three things, in order:

1
Your role under the Regulation. Manufacturer and importer obligations differ. Distributor-only cases are usually better served by self-service guidance, and getting this right shapes which engagement fits.
2
Which engagement fits, or whether platform-only is right. Not every company needs implementation support. If the platform alone is the better fit, we will say so.
3
A scoped proposal within 48 hours. After the call, you receive a written proposal with scope, deliverables, and price for your specific situation.
Scope

Scope and limitations

CRA Evidence provides a compliance platform and technical implementation services. We are transparent about what we are and what we are not.

We are not a notified body. We do not perform conformity assessment under Article 32 of Regulation (EU) 2024/2847, and our services do not constitute a conformity assessment or a certification of your products. Where your product requires third-party conformity assessment, you must engage an accredited notified body.

We are not a law firm. We do not provide legal advice. For regulatory interpretation, legal opinions on product classification, or contractual compliance questions, we work alongside your legal counsel.

We are a commercial vendor of the CRA Evidence platform. Our implementation services are independent of the platform: we work inside whatever tools fit your situation, including open source, third-party commercial software you already pay for, and our own platform where that is the best fit. Where your needs would be better served by tools or services outside our product, we will say so.

Frequently asked questions

Both, and they are independent. CRA Evidence is a SaaS platform for EU Cyber Resilience Act compliance that you can use self-service, and we also deliver hands-on implementation services led by infrastructure engineers. The services are tool-agnostic: we work inside your existing stack using open source, commercial tools you already pay for, or our platform if that is the best fit. Three engagements cover the most common situations: a Technical Readiness Sprint for manufacturers preparing for the 11 September 2026 reporting deadline, a Programme Lead retainer for ongoing technical ownership of your CRA programme, and an Authority and Incident Response Plan for vulnerability reporting and market-surveillance letters. Most engagements are a blend of these, and when your situation does not match one we scope a custom engagement to it.

We do not publish price bands because scope depends on too many real variables: your role under the Regulation, the technical complexity of each product, how many products you ship, how much internal groundwork already exists, and which tools you already operate. A startup with one complex embedded product is a different engagement to a manufacturer with a dozen simpler SKUs. The exact figure is agreed on a 30-minute roadmap call, with a scoped written proposal in your inbox within 48 hours.

No on both counts. CRA Evidence is not a notified body. We do not perform conformity assessment under Article 32 of Regulation (EU) 2024/2847, and our services do not constitute certification of your products. Where your product requires third-party conformity assessment, you must engage an accredited notified body. CRA Evidence is also not a law firm. For regulatory interpretation and legal opinions we work alongside your own legal counsel.

Big Four firms provide strategic and legal advisory, but they rarely build or operate the technical systems that make CRA compliance durable. CRA Evidence engagements are led by engineers who work alongside your team to write the technical file, stand up a vulnerability-handling process, and integrate evidence generation into your existing pipelines. The deliverables are operational, running inside your stack, not a slide deck.

CTOs, VPs of Engineering, product security leads, and compliance leads at manufacturers or importers placing products with digital elements on the EU market. The call is most useful when you already know you have CRA obligations but no one on your team has the capacity to own the cross-functional work. If you are still working out whether the CRA applies to you, start with the free CRA Applicability Check.

Any industry, any size. The CRA applies across the board, whether you are a 15-person startup shipping your first connected product or a manufacturer with dozens of product lines. Engagements are most useful when CRA obligations are real but no single team internally owns the cross-functional work yet.

Yes. Platform and services are independent. You can run the CRA Evidence platform self-service with a 14-day free trial and role-based pricing, without ever engaging us for consultancy. Services are for companies where no one internally owns the CRA cross-functional work, or where the first reportable vulnerability or authority letter is a specific concern. And services do not require our platform either: the engagement works with whatever tools fit your stack. See pricing for self-service plans.

Yes. The Cyber Resilience Act applies to anyone placing products with digital elements on the EU market, regardless of where the company is headquartered. If you ship products into the EU, you are in scope and we can help. Engagements are delivered in English.

11 September 2026 is the date from which vulnerability and incident reporting obligations under Article 14 of Regulation (EU) 2024/2847 become applicable. Manufacturers must be able to notify actively exploited vulnerabilities and severe incidents to ENISA and the relevant national CSIRT within 24 hours, with a follow-up notification at 72 hours, and a final report at 14 days for vulnerabilities or within one month for severe incidents. The full CRA becomes applicable on 11 December 2027. See our CRA compliance guide for the complete timeline.
Next step

If one of these engagements fits, tell us which one. If your CRA implementation need is different, tell us what you need help with.

You will have a scoped written proposal in your inbox with no pressure to proceed.

Get in touch

Prefer to grab a slot directly? Book a 30-minute roadmap call.