Information Security · CRA Compliance

A structured path to EU Cyber Resilience Act compliance

ins2outs gives you a ready-to-use ISMS, a CRA-specific Know-How Set, and consulting support to close the gaps, without stalling your roadmap.

Cyber Resilience Act

Why this matters now

The EU just made cybersecurity a market-access requirement

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the first horizontal EU regulation that mandates cybersecurity for all products with digital elements — hardware, software, and connected devices — placed on the European market. It entered into force in December 2024.

The regulation applies regardless of where your company is headquartered. If you sell into the EU, you comply. If you don’t, your products can be blocked from the market, withdrawn, or physically recalled.

11 September 2026
Mandatory vulnerability reporting and incident notification to ENISA/CSIRTs begins for all in-scope products already on the EU market.

11 December 2027
Full compliance required. CE marking, technical documentation, conformity assessment — all in place before products are placed on the market.

Who has to comply

Products with digital elements need product-level security proof

Unlike ISO 27001 or NIS2, the Cyber Resilience Act doesn’t certify your organisation. It certifies each product you ship. Every in-scope product needs a documented risk assessment, a technical file, vulnerability handling processes, an SBOM, and — for the first time — CE marking for cybersecurity.

The CRA does not apply to devices that are already covered by other sector-specific regulations, such as the MDR or marine equipment (2014/90/EU).

Hardware with embedded software

    • IoT devices,
    • industrial controllers,
    • medical instruments,
    • consumer electronics,
    • anything with firmware or an embedded OS that connects to a network.

Standalone software products

    • Desktop apps,
    • mobile apps,
    • SDKs,
    • operating systems,
    • and any downloadable software placed on the EU market.

Connected and network-capable products

    • Smart home devices,
    • wearables,
    • industrial automation systems,
    • connected vehicles,
    • any product whose intended use includes a data connection.

Check CRA applicability in 5 minutes

Check whether and how the EU Cyber Resilience Act applies to your products.
We’ll follow up with a summary of where you stand and what to focus on first.

What we offer

Three levers to get you CRA compliant

The Cyber Resilience Act is a product regulation, not an IT security framework. If you manufacture, import, or distribute hardware with embedded software, standalone software, or connected products for the EU market, the obligations apply to you.

Ready-to-use Compliance Management System

The platform

Integrated, fully operational workspace for all your teams to manage compliance across all products, markets, and certifications.

  • Define scope, assign roles, and activate security policies on day one
  • Track risks, controls, and treatment plans in a single workspace
  • Manage incidents, vulnerabilities, and supplier security from one system
  • Maintain audit-ready evidence across documents, training, and CAPAs

Regulatory guidance mapped to CRA requirements

The know-how set

Pre-built templates and procedures that translate CRA obligations into tasks your team can act on. Available with your ISMS workspace or as a stand-alone set.

  • Map products against CRA classification tiers (Default, Important I/II, Critical)
  • Generate technical documentation aligned with Annex VII requirements
  • Implement vulnerability handling and ENISA reporting workflows
  • Prepare conformity assessment evidence and EU Declaration of Conformity

Support from gap assessment to audit readiness

Consulting services

Our consultants help you determine what applies, where the gaps are, and how to close them, scoping to your products, your classification, and your timeline.

  • Assess CRA applicability and classify products by risk tier
  • Run a gap assessment against essential cybersecurity requirements
  • Build a prioritised remediation roadmap aligned to CRA deadlines
  • Guide you through conformity assessment and notified body processes

How we work

From gap assessment to audit readiness and certification

Every engagement starts with understanding what applies to your products and where you stand today. From there, we build a practical path forward — scoped to your products, your risk profile, and the Cyber Resilience Act timeline.

Understand where you stand today and what is required

CRA Gap Assessment, Strategy, and Roadmap

A structured CRA audit covering scope determination, manufacturer obligations, alignment against essential cybersecurity requirements, organisational readiness (roles, processes, ownership), technical documentation gaps, and vulnerability and incident handling readiness.

Deliverables
  • CRA gap assessment report per product
  • Classification rationale
  • Prioritised remediation roadmap
  • Recommended compliance strategy

Prepare for the reporting obligations that apply from 11 September 2026

September 2026 Compliance Package

We help you build vulnerability handling processes, incident detection and internal escalation, reporting workflows to CSIRT and ENISA, coordinated vulnerability disclosure procedures, and internal decision-making structures.

Deliverables
  • Vulnerability handling and disclosure procedures
  • Incident reporting workflows
  • Authority interaction readiness
  • Practical implementation guidance

Achieve full CRA compliance and CE marking readiness

Full CRA Compliance

We work with you on technical documentation, risk management, and secure-by-design evidence; SBOM generation and dependency governance; conformity assessment preparation; the EU Declaration of Conformity; and market surveillance readiness.

Deliverables
  • Complete technical file per product
  • Conformity assessment evidence
  • EU Declaration of Conformity
  • CE marking readiness
  • Post-market monitoring framework

Cyber Resilience Act training for your teams

Awareness

Introductory sessions for broad teams covering CRA fundamentals, timelines, and what changes for your organisation.

For whom:
Management, product owners, and anyone who needs to understand why this matters and what it means for their work.

Deep dives

Role-specific sessions on manufacturer obligations, product classification and its impact, secure development expectations, and incident and vulnerability handling procedures.

For whom:
Engineering, quality, and compliance functions.

Workshops

Hands-on sessions linked to your actual products, working through classification decisions, technical documentation structure, and vulnerability reporting workflows.

For whom:
Cross-functional teams preparing to implement CRA.

Information security training

Foundational information security

Foundational security awareness covering information security principles, organisational policies, access management, data handling, and incident recognition.

For whom:
All employees, new hires, and teams onboarding into roles with security responsibilities.

Cybersecurity in AI-based solutions

Security considerations specific to AI and machine learning systems — covering data pipeline integrity, model protection, adversarial threat awareness, and the intersection of CRA and EU AI Act.

For whom:
Engineering, data science, and product teams building or integrating AI capabilities.

Risk and threat modelling

Practical methods for identifying, evaluating, and treating information security risks, including threat modelling techniques, risk scoring, control selection, and documentation for audit readiness.

For whom:
Security leads, architects, and compliance teams responsible for risk management.

September 2026 is closer than it looks

Ready to explore the platform, or want to figure out the right path together?