
Is your product subject to the EU Cyber Resilience Act?

Publication date: 11.06.2026
The EU Cyber Resilience Act (CRA) is coming, and for many organisations, the first and most urgent question is simply: does this apply to us, and if so, where do we start?

A practical guide to scope, classification, and compliance planning

This article gives you a concrete, practical answer. We walk you through how to determine whether your products fall under the CRA, how to identify your role and obligations as a manufacturer, importer, or distributor, how to classify each product (default, important, or critical), and how to turn those findings into a realistic compliance plan, with clear owners, timelines, evidence requirements, and milestones. 

Whether you are just beginning to assess your exposure or are ready to move into execution, this guide will help you cut through the complexity and take the right first steps. It does not replace legal advice, and it does not attempt to cover every CRA obligation in depth. Think of it as the starting point that unblocks execution. 


What is the EU Cyber Resilience Act and why does it matter now?

The Cyber Resilience Act (CRA) is an EU regulation that establishes mandatory cybersecurity requirements for products with digital elements, such as software, hardware, and connected devices, placed on the EU market. Its main objective is to address the longstanding problem of insecure digital products by enforcing security-by-design, security-by-default, and effective vulnerability management throughout the entire product lifecycle.

The CRA places primary responsibility on manufacturers, while also introducing obligations for importers and distributors, and requires conformity assessments, technical documentation, incident and vulnerability reporting, and CE marking. It entered into force in December 2024 and will apply fully from December 2027. It complements existing frameworks such as NIS2 by focusing specifically on product-level cybersecurity rather than organisational security.

Key deadlines you cannot miss: September 2026 and December 2027

By 11 September 2026, the CRA introduces its first binding operational obligations, limited to incident and vulnerability reporting. From that date, manufacturers of products with digital elements must notify actively exploited vulnerabilities and severe security incidents once they become aware of them. Notifications must follow strict timelines, including an early warning within 24 hours, a detailed report within 72 hours, and a final report once corrective measures are available within 14 days or 1 month, using the CRA Single Reporting Platform coordinated by ENISA and national CSIRTs. These reporting duties apply not only to new products but also to legacy products already placed on the EU market, even though the broader product conformity requirements are not yet in force. 

From 11 December 2027, the CRA applies in full. As of that date, all products with digital elements placed on the EU market must comply with the essential cybersecurity requirements set out in the Regulation, including secure-by-design and secure-by-default development, documented risk assessments, lifecycle vulnerability handling processes, and the provision of security updates. Manufacturers must draw up technical documentation, perform the relevant conformity assessment procedures, issue an EU Declaration of Conformity, and affix the CE marking. Importers and distributors must verify that these obligations have been fulfilled before making products available on the EU market.

Does the CRA apply to your organisation?

In practice, how do you know whether you fall under the CRA, and if so, how do you proceed to comply with the regulation's expectations?

The answer starts with understanding your role. The CRA distinguishes between manufacturers, importers, and distributors, and assigns different obligations to each. Determining which role applies to your organisation, and for which products, is the foundation of everything that follows.

CRA compliance is a journey. At Approach Cyber, we structure it in three concrete steps: scope assessment, gap analysis, and retro-planning, each building on the previous one. And because our approach is modular, you can engage at any stage, whether you need a full assessment, a targeted gap analysis, or hands-on support turning your plan into action.

Step 1 | Scope assessment: Building your product inventory

The scope assessment is the first action you must take. To know whether your products fall under the CRA, you must assess every product with digital elements that you sell, import, or distribute on the EU market.

At Approach Cyber, this is something we can support you with. We assess your products by reviewing your documentation and conducting interviews with the relevant stakeholders to determine which products fall under Class I, Class II, or the standard category. This is carried out using our assessment files, which are systematically aligned with the legal text, its annexes, and the standards published to support its implementation.

This step is crucial: the path to compliance differs significantly depending on product class and does not apply uniformly across all categories. Our methodology is technology-agnostic and classification-agnostic: it applies whether you build embedded hardware, SaaS products, or connected devices.

Step 2 | Gap analysis: Where do you stand today?

Following the completion of the scope assessment, we evaluate your current level of compliance by distinguishing between existing compliant measures, ongoing initiatives, and remaining gaps. During this gap analysis, we discuss together the specific actions required to comply with the CRA, depending on the scope and context of your company.

It is worth noting that CRA compliance is not purely a legal exercise. It requires concrete technical capabilities: secure-by-design development, a software bill of materials (SBOM), vulnerability management, and documented risk assessments. These are areas where Approach Cyber already operates daily, independently of the CRA, through our Secure Development Advisory practice.

Step 3 | Retro-Planning: Structuring your path to compliance

Finally, once the actions required to achieve compliance have been identified, the time needed to implement each one must be estimated. Based on the applicable deadlines and your business constraints, we establish a retro-planning to structure and organise the implementation of each recommendation.

A first concrete action on the retro-planning could be to implement a Coordinated Vulnerability Disclosure (CVD) process so that actively exploited vulnerabilities can be reported. The estimated effort could be 1 to 4 weeks, depending on whether you already have something in place or are already subject to the NIS2 directive.

Why work with a partner who is subject to the CRA themselves?

Beyond advising others, we are ourselves subject to the regulation through the products we are currently developing. As a result, we have built our expertise from direct, hands-on experience. We assess our own compliance rigorously and have a clear, end-to-end understanding of every step required to achieve and demonstrate regulatory compliance.

At Approach Cyber, we combine technical expertise in secure software development with regulatory compliance and product security, and we support hands-on implementation all the way through.

 

Ready to find out where you stand?

Our goal is simple: to give your team the clarity, structure, and confidence to face the CRA without panic and without guesswork. What we call cyber serenity.