Cyber Resilience Act (CRA) — preparing products for the EU market

The Cyber Resilience Act sets baseline cyber security requirements for products with digital elements sold on the EU market. It applies across the EU and covers a broad range of hardware and software products. If a product falls within scope, it must meet the CRA requirements and carry the CE marking before it can be placed on the market. The main obligations sit in Article 13, Article 14, and Annex I.

Most of the substantive obligations start to apply on 11 December 2027. The earlier reporting duties for actively exploited vulnerabilities and severe incidents start on 11 September 2026. For many manufacturers, that work cannot wait until the end of the transition period because product design, release processes, and documentation are already taking shape now.

Insta is one of Finland's leading cyber security service providers. Our Data & Cyber Compliance team helps manufacturers work out which products are in scope, what needs to change in development and vulnerability handling, and what technical documentation is needed to support compliance with CRA requirements and CE marking.

CRA timeline

The regulation applies in stages. In practice, each date matters because it affects what manufacturers need to have in place and how much time is left to close gaps without disrupting product plans.

11 September 2026. Reporting obligations apply. From that point, manufacturers must notify ENISA and the CSIRT designated as coordinator of actively exploited vulnerabilities and severe incidents via the CRA reporting process under Article 14.

The timing is tight, so reporting processes need to be ready well before the main product obligations begin.

11 December 2027. The main product obligations apply. Only products that meet the CRA requirements and carry the CE marking may be placed on the EU market. Importers and distributors share the responsibility.

Which products the CRA covers

The CRA covers a wide range of products with digital elements, from consumer devices to large industrial systems and their software. A product is in scope if its intended purpose or reasonably foreseeable use includes a data connection to another device or network. That can be true for hardware, software, or both. The idea of a data connection is broader than a network cable or wireless link. It can include hardware interfaces, APIs, file exchange, integrations, and other software interfaces. Indirect connection also matters. For example, a device may have no external network function of its own but still fall within scope if it is built into a connected control system or a larger connected environment.

Some categories are carved out because other Union product rules already apply to them, including medical devices, certain vehicles, marine equipment, and aircraft. Products developed exclusively for national security or defence are also excluded. Most cloud services, including Software as a Service, are outside the CRA unless the service functions as a remote data-processing solution for a covered product.

Products that are in scope are not all treated the same way. The CRA distinguishes between the default category, important products in Annex III, and critical products in Annex IV. Some can generally follow self-assessment, while others face a stricter conformity assessment route. That makes early classification important because it affects evidence, timing, and whether third-party assessment may be needed.

What the CRA requires

The Cyber Resilience Act sets requirements in three areas through Article 13 and Annex I:

  • The development process and the procedures that cover a product's lifecycle, from design to the end of the support period.

  • The cyber security properties of the product itself.

  • Vulnerability handling.

Design, development, and production

Article 13 and Annex I require products to be designed, developed, and produced with a level of cyber security that matches their risks. In practice, that means compliance cannot be left to the end. Product, engineering, testing, release, and supplier decisions all affect the outcome.

Product properties

Annex I also sets the core security expectations for the product itself. That includes safe default settings, protection of data, and the ability to address vulnerabilities through security updates. Products should not be placed on the market with known exploitable vulnerabilities. The exact measures depend on the product, its use case, and its risk profile.

Vulnerability handling

Annex I, Part II expects a working vulnerability-handling process. Manufacturers need to identify components and vulnerabilities, maintain an SBOM, and remediate issues without undue delay. Where possible, security fixes should be separated from feature updates.

Regular security testing, coordinated vulnerability disclosure, secure update delivery, and clear reporting channels are all part of that picture. Article 14 adds the related reporting obligations for actively exploited vulnerabilities and severe incidents. For many teams, this is where the real operational work starts.

Penalties

The CRA allows market surveillance authorities to impose significant administrative fines for non-compliance. The highest fines can reach €15 million or 2.5% of global annual turnover. Authorities can also require corrective action, withdraw products from the market, or order recalls.

How conformity is shown

For products covered by the CRA, the CE marking is the visible sign of conformity. To get there, the manufacturer needs the right conformity assessment route, technical documentation, an EU declaration of conformity, user instructions, and a defined support period. Article 13, Annex I, and the CRA's conformity assessment rules determine what that route looks like. Some products can generally be self-assessed, while others may require a notified body.

Because the assessment route can affect timing, testing, and documentation, it is worth working it out early.

How Insta helps

Insta brings together cyber security, secure development, and regulatory compliance expertise. The five services below are common starting points for CRA preparation. Some clients need a quick view of product classification and the main gaps; others need hands-on support through process changes, testing, documentation, and assessment.

CRA current-state assessment

This three-to-five-week engagement maps the product portfolio against the CRA, classifies products, and identifies the main compliance gaps. The result is more than a summary deck. It is a practical decision package with priorities, dependencies, effort estimates, and a backlog the engineering team can work from.

Secure development lifecycle (SDL) implementation

Insta SDL is based on IEC 62443-4-1 and can be aligned with an ISO 27001 management system. In practice, teams usually need help in specific places rather than everywhere at once: threat modelling, security requirements, supplier components, release checkpoints, remediation workflows, and evidence capture. If an organisation already works with frameworks such as NIST SSDF, IEC 62443-4-1, or OWASP SAMM, the additional work needed for CRA compliance is often smaller than it first appears.

Vulnerability handling and SBOM

Insta helps teams put a workable vulnerability-handling process in place. That can include coordinated vulnerability disclosure, intake and triage, ownership and escalation, SBOM generation in the build pipeline, and the reporting workflows needed from 11 September 2026 onward.

Technical documentation and CE marking

Insta supports the preparation of the technical file, the EU declaration of conformity, the support-period commitment, and the user instructions required by the CRA. A common problem in this phase is that the documentation and the shipped product do not fully match. We work with product, engineering, and legal teams to close that gap before assessment.

Penetration testing and conformity assessment support

Insta's team provides hardware, firmware, and software security testing. Where third-party assessment is required, we support the preparation of evidence, pre-assessment testing, remediation rounds, and the practical work needed before and during notified-body review.

Insta's CRA experts

Satu Streng, Senior Compliance Consultant — advises on data and cyber regulation across GDPR, NIS2, the AI Act, the Data Act, and the CRA. Her work includes regulatory interpretation and implementation planning for Nordic organisations that need to turn legal requirements into operating practice.

Jyrki Nivala, Senior Director, Cyber Consulting — leads Insta's cyber security consulting practice. He has worked for two decades across critical infrastructure, manufacturing, and the public sector.

Related services

Cyber Security Risk Management Measures

Organizations must implement measures to manage the risks to the security of the network and information systems they use in their operations and service offerings, as well as to prevent and minimize the impact of incidents. A risk-based approach should be used when deciding the level of risk management measures.

Secure Development Lifecycle (SDL)

Security Management, the cornerstone of Insta Secure Development Lifecycle, focuses on setting SMART targets and integrates seamlessly with broader systems like ISO 27001 and IEC 62443, ensuring a comprehensive and cohesive security posture.

Cyber security consultation

Our services help your organization choose the right strategies for cyber risk management. We can also provide assistance with the strategies, policies, guidelines, and requirements that are required for the further development of information security and data protection.

More on the topic: references and articles
