What

Requirements

Notification Obligation
11 September 2026

Vulnerability Notification

Notify ENISA without undue delay when an actively exploited vulnerability is identified.

Incident Reporting

Report severe security incidents that significantly impact product security.

24-Hour Notice

Submit an initial incident notification within 24 hours of awareness.

72-Hour Follow-up

Provide a detailed follow-up report including mitigation measures.

User Communication

Inform affected users and customers when action or mitigation is required.

Record Keeping

Maintain documented records of all incidents, vulnerabilities, and notifications.

Full Conformity
11 December 2027

Declaration of Conformity

Formally declare that the product complies with all applicable CRA requirements before placing it on the market.

Technical Documentation

Maintain comprehensive technical documentation demonstrating compliance throughout the product lifecycle.

Secure by Design

Ensure security is embedded into the product architecture from the earliest design stages.

Secure by Default

Deliver products with secure configurations enabled by default, minimising user action.

Vulnerability Management

Implement ongoing processes to identify, assess, remediate, and disclose vulnerabilities.


Schedule CRA Strategy Health Check

Our CRA specialists are offering a free, one‑hour health check of your EU CRA compliance strategy. No obligations and no strings attached.

FAQ


1. Why is it free? What’s the catch?

There’s no such thing as a free lunch!

Well, sometimes there is. All SecureHabits team members are also active volunteers in various non‑profit initiatives like OWASP and ISO. We don’t expect any work assignments from you after this health check.

We’re happy to build new relationships and help the industry become more resilient.

But of course, if we discover an opportunity for a win‑win collaboration, we’re absolutely open to it.

2. Who is this health check for?

This health check is designed for manufacturers of products with digital components or on‑premise software who plan to sell their solutions on the European market.

Even if you already work with internal teams or external consultants on CRA compliance, we can help validate whether your current strategy is solid and on the right track.

3. Who should join the call?

The EU Cyber Resilience Act focuses on the security of the products you place on the European market.

Its primary concern is the risks faced by your end users – not the manufacturers themselves.

The ideal participants for this call are product owners, development managers, and members of application security teams.

4. What are the deliverables?

After the call, our team will deliver a tailored report on the current state of your secure software development lifecycle.

We’ll highlight any gaps that may lead to unacceptable risks.

You’ll also receive a list of missing controls required for baseline CRA compliance, along with an effort estimate for the investment needed to achieve it.

5. What can we expect after the health check?

After you receive your tailored report with our recommendations for your CRA readiness strategy, we won’t spam you or chase you with pushy sales messages.

If you’re interested in exploring a win‑win collaboration, we’ll be happy to follow up – at your pace and only as long as it’s valuable for you.