Implementation and programme leadership

Technical implementation and programme leadership for the EU Cyber Resilience Act.

Need someone to own your CRA programme? We lead the technical work alongside your team, using the tools that fit your stack.

Book a free CRA roadmap call
How we engage

Three situations, three engagements.

[Figure: three situations matched one-to-one to three engagements. 01: A reporting deadline → Readiness Sprint. 02: No one owns the work → Programme Lead. 03: An incident is coming → Response Plan. Each engagement maps to one clear situation, not a repackaged template.]

Each engagement maps to a specific situation: preparing for the 11 September 2026 reporting deadline, running the cross-functional CRA work your team does not have capacity to own, or getting ready for the first reportable vulnerability or authority letter.

Scope is fixed and agreed upfront. Duration is discussed on the roadmap call, because real timelines depend on product count and how much groundwork already exists.

CRA Technical Readiness Sprint

Fixed-scope engagement
Who this is for

Manufacturers with no internal CRA owner, one to three product lines, preparing for the 11 September 2026 reporting deadline.

What you walk away with
  • A written CRA scope memo per product line, covering Article 13 obligations and classification decisions
  • A prioritised gap assessment against Annex I, with a remediation plan your engineering lead can execute
  • A technical file aligned with Annex VII, signed off by your engineering lead
  • An operational vulnerability-handling process your team runs continuously, not a one-off scan
  • A written vulnerability reporting runbook mapped to Article 14 timelines
Scoped and priced on the roadmap call.

CRA Programme Lead

Ongoing retainer, cadence agreed with your team
Who this is for

Companies where no one owns the CRA cross-functional work and the founder or CTO is carrying it informally.

What you walk away with
  • Technical ownership of your CRA programme, with a working rhythm agreed with your product, engineering, and security teams
  • A living obligations calendar tied to CRA deadlines, kept current as obligations and standards evolve
  • A technical file that stays current as your products ship, not a document that rots between audits
  • An operational vulnerability-response process your on-call engineer can run without ambiguity
  • Regular compliance reviews against Annex I obligations, with escalation paths agreed in advance
Scoped and priced on the roadmap call.

Authority and Incident Response Plan

Setup engagement plus on-call retainer
Who this is for

Teams whose real concern is the first reportable vulnerability or the first ENISA or national-authority letter.

What you walk away with
  • A written incident-response playbook your on-call engineer can execute under the Article 14 reporting clock
  • Early-warning and incident-notification templates pre-drafted for each national CSIRT you need to notify
  • An on-call response window that covers reportable incidents during the retainer period
  • A runbook for producing a complete evidence package when a market surveillance authority asks for one
Scoped and priced on the roadmap call.

Priced per engagement

We do not publish price bands. The shape of a CRA engagement depends on your role under the Regulation, the technical complexity of your products, and how much groundwork already exists. A startup with one complex embedded product is a different engagement to a manufacturer with a dozen simpler SKUs. The exact figure is agreed on the 30-minute roadmap call, with a scoped written proposal delivered within 48 hours.

We work with your existing tools

Every engagement is tool-agnostic. We lead the technical work inside your stack, whether that is open source (CycloneDX, SPDX, Grype, Trivy), commercial tools you already pay for, or internal systems your team has built. Where the CRA Evidence platform is the right fit we will offer it, but it is never a requirement and never the deliverable. The deliverables are the compliance outcomes.

The basis

Why this works

01. Built against the full text.

We built CRA Evidence against the full text of Regulation (EU) 2024/2847, Annexes I to VIII, and the 41 harmonised standards under Commission standardisation request M/606. The platform maps every obligation to evidence, workflow, and reporting. The same mapping drives every engagement.

02. Engineer-led, not advisor-led.

CRA Evidence was built by engineers with backgrounds in infrastructure and cloud security at European technology companies. The platform and every engagement reflect that operational background.

03. Small batch on purpose.

We take on a limited number of new CRA programmes each quarter to keep delivery quality high. Every engagement is led by the same senior people who build the platform.

Process

What happens on the 30-minute call

A working conversation, not a sales pitch. It covers three things, in order:

1. Your role under the Regulation. Manufacturer, importer, and distributor face different obligations. Getting this right shapes which engagement fits.
2. Which engagement fits, or whether platform-only is right. Not every company needs implementation support. If the platform alone is the better fit, we will say so.
3. A scoped proposal within 48 hours. After the call, you receive a written proposal with scope, deliverables, and price for your specific situation.
Scope

Scope and limitations

CRA Evidence provides a compliance platform and technical implementation services. We are transparent about what we are and what we are not.

We are not a notified body. We do not perform conformity assessment under Article 32 of Regulation (EU) 2024/2847, and our services do not constitute a conformity assessment or a certification of your products. Where your product requires third-party conformity assessment, you must engage an accredited notified body.

We are not a law firm. We do not provide legal advice. For regulatory interpretation, legal opinions on product classification, or contractual compliance questions, we work alongside your legal counsel.

We are a commercial vendor of the CRA Evidence platform. Our implementation services are independent of the platform: we work inside whatever tools fit your situation, including open source, third-party commercial software you already pay for, and our own platform where that is the best fit. Where your needs would be better served by tools or services outside our product, we will say so.

Frequently asked questions

Both, and they are independent. CRA Evidence is a SaaS platform for EU Cyber Resilience Act compliance that you can use self-service, and we also deliver hands-on implementation services led by infrastructure engineers. The services are tool-agnostic: we work inside your existing stack using open source, commercial tools you already pay for, or our platform if that is the best fit. There are three fixed-scope engagements: a Technical Readiness Sprint for manufacturers preparing for the 11 September 2026 reporting deadline, a Programme Lead retainer for ongoing technical ownership of your CRA programme, and an Authority and Incident Response Plan for vulnerability reporting and market-surveillance letters.

We do not publish price bands because scope depends on too many real variables: your role under the Regulation, the technical complexity of each product, how many products you ship, how much internal groundwork already exists, and which tools you already operate. A startup with one complex embedded product is a different engagement to a manufacturer with a dozen simpler SKUs. The exact figure is agreed on a 30-minute roadmap call, with a scoped written proposal in your inbox within 48 hours.

No on both counts. CRA Evidence is not a notified body. We do not perform conformity assessment under Article 32 of Regulation (EU) 2024/2847, and our services do not constitute certification of your products. Where your product requires third-party conformity assessment, you must engage an accredited notified body. CRA Evidence is also not a law firm. For regulatory interpretation and legal opinions we work alongside your own legal counsel.

Big Four firms provide strategic and legal advisory, but they rarely build or operate the technical systems that make CRA compliance durable. CRA Evidence engagements are led by infrastructure and cloud security engineers who work alongside your engineering team to write the technical file, stand up a vulnerability-handling process, and integrate evidence generation into your existing pipelines. The deliverables are operational, running inside your stack, not a slide deck.

CTOs, VPs of Engineering, product security leads, and compliance leads at EU manufacturers, importers, or distributors of products with digital elements. The call is most useful when you already know you have CRA obligations but no one on your team has the capacity to own the cross-functional work. If you are still working out whether the CRA applies to you, start with the free CRA Applicability Check.

The Cyber Resilience Act applies to any manufacturer, importer, or distributor placing products with digital elements on the EU market, across every industry and every company size. Our engagements are most useful when CRA obligations are real but no single team internally owns the cross-functional work yet, whether that is a 15-person startup shipping its first connected product or a larger manufacturer with dozens of product lines. If you are unsure whether your situation fits, book the roadmap call and we will tell you honestly.

Yes. Platform and services are independent. You can run the CRA Evidence platform self-service with a 14-day free trial and role-based pricing, without ever engaging us for consultancy. Services are for companies where no one internally owns the CRA cross-functional work, or where the first reportable vulnerability or authority letter is a specific concern. And services do not require our platform either: the engagement works with whatever tools fit your stack. See pricing for self-service plans.

The Cyber Resilience Act applies to any company placing products with digital elements on the EU market, regardless of where the company is headquartered. Services engagements are currently delivered in English to companies in the European Union. Non-EU manufacturers, importers, and distributors with EU market exposure are welcome to book a roadmap call to discuss fit.

11 September 2026 is the date from which vulnerability and incident reporting obligations under Article 14 of Regulation (EU) 2024/2847 become applicable. Manufacturers must be able to notify actively exploited vulnerabilities and severe incidents to ENISA and the relevant national CSIRT within 24 hours, with a follow-up notification at 72 hours and a final report at 14 days. The full CRA becomes applicable on 11 December 2027. See our CRA compliance guide for the complete timeline.
Next step

If your situation fits one of the three engagements, or you are not sure where it fits, tell us about it and we will come back within 48 hours.

You will have a scoped written proposal in your inbox with no pressure to proceed.

Get in touch

Prefer to grab a slot directly? Book a 30-minute roadmap call.