Why

Benefits

The EU Cyber Resilience Act is coming. Make sure your team is ready before the deadline hits.

Understand Your Obligations

---

The CRA introduces far-reaching legal requirements for software and hardware manufacturers. This training gives your team a clear, practical understanding of what applies to you - from notification timelines to conformity assessment - without the legal jargon.

Be Ready for the September 2026 Deadline

---

Notification obligations under the CRA take effect on 11 September 2026. Your vulnerability handling processes, incident detection, and reporting workflows need to be in place before that date. This training shows you exactly what to build and how.

Implement Secure-by-Design from Day One

---

The CRA mandates secure-by-design and secure-by-default for all products with digital elements. Your team will learn the ENISA-endorsed principles and how to apply them to your existing architecture and development processes.

Conduct Your Own Self-Assessment

---

Not every product requires third-party conformity assessment. This training walks your team through the CRA self-assessment process, including how to write a valid Declaration of Conformity and which technical documentation you must maintain.

Reduce Legal and Financial Risk

---

Non-compliance can result in fines of up to €15 million or 2.5% of global annual turnover. Beyond fines, a poorly handled incident or missing documentation can result in product withdrawal from the EU market. Build the habits now that keep you protected.

Align Product, Legal, and Engineering

---

CRA compliance isn't a security team problem - it's a company-wide responsibility. This training creates a shared language and understanding across product managers, developers, architects, compliance officers, and legal teams.

Price

In-Company Practitioner Training

Full-day workshop for up to 25 attendees.

Essentials

---

€5700+VAT

Full-day CRA Practitioner workshop covering all obligations, secure-by-design principles, and self-assessment process.

    • Onsite / remote options
    • Printed materials
    • CRA obligations deep dive
    • Notification & incident handling
    • Secure-by-design & secure-by-default
    • SBOM & supply chain obligations
    • CRA self-assessment process
    • Declaration of Conformity walkthrough

    Complete

    ---

    €6900+VAT

    Workshop plus follow-up support to keep the momentum going after the training day.

    Essentials training, plus:
    • 2 CRA gap assessment follow-up calls (1 hour each)

    • 1 CRA readiness review of your product documentation (2 hours)

    Customized

    Let's talk

    Some organisations need training tailored to a specific product class, regulatory context, or team structure. Get in touch and we'll figure out what makes sense.

    Schedule a call →

    Make it happen

    Request a quote

    We will prepare a quotation document for your purchasing team within 24 hours.
    No spam afterwards (really).

    Agenda

    Topics Outline

    The EU Cyber Resilience Act at a Glance

    What is the CRA?
    Timeline and implementation phases
    Who is affected: classification of software manufacturers
    High-level obligations overview
    Expected fines and enforcement
    Effects on the Open Source Software ecosystem

    Notification Obligations (11 September 2026)

    Legal obligations overview
    Incident detection: sources and triggers
    Upstream supply chain advisories
    Internal cybersecurity engagements (pen testing, bug bounty, threat modeling, secure architecture reviews)
    Public vulnerability databases
    Incident response fundamentals

    Bill of Materials & Vulnerability Management

    Software Bill of Materials (SBOM)
    Hardware Bill of Materials (HBOM)
    Package managers overview
    Triaging incoming advisories
    Prioritization
    Security hotfix and update delivery

    External Communication & Reporting

    Delivering advisories to users
    Notification to national CERT and ENISA
    Formal reporting timelines
    Hotfixes for physical, software, and industrial products

    CRA Essential Requirements Deep Dive

    CRA requirements readout
    Requirement coverage per security principle
    CRA self-assessment process

    Secure Product Development Lifecycle (11 December 2027)

    Architecture discovery and risk profiling
    Threat modeling in the CRA context
    Security requirements: product and process
    Baseline assessment with OWASP SAMM
    Secure-by-design principles (ENISA Playbook):
    - Trust boundaries and least privilege
    - Strong identity and authentication architecture
    - Attack surface minimisation
    - Defence in depth
    - Open design
    - Logging, monitoring, and alerting
    - Vulnerability and patch management
    - Supply chain controls
    Secure-by-default principles:
    - Default hardening
    - Minimisation of default services
    - Restrictive initial access
    - Secure communication by default
    - Unique device identity and secrets by default

    Conformity, Documentation & Post-Release

    Declaration of Conformity: how to write and deliver it
    Technical Documentation requirements (10-year obligation)
    User Documentation requirements
    Staying in touch with your users: communication channels, languages, and timelines
    5-year security fixes and hotfixes obligation

    What's Next?

    Team skills and roles needed for CRA compliance
    Action planning: your organisation's next steps
    Follow-up deep-dive courses available:
    - Threat Modeling Practitioner
    - Security Architecture
    - OWASP SAMM Practitioner
    - Secure Coding / OWASP Top 10
    - DevSecOps & CI/CD Pipeline Security
    - SBOM & Supply Chain Security

    Details

    Trainers

    Nariman Aga-Tagiyev

    Product Security Architect

    Nariman Aga-Tagiyev is an Application Security Architect with more than
    20 years of experience in software development. He has worked as a
    full-stack web application developer, backend developer, DevOps engineer,
    and cloud developer, and since 2016 has been fully involved in
    application security activities.

    Luc Poulin

    CEO, Senior Information / Application Security & Trustworthiness Advisor at Cogentas inc.

     

    Luc Poulin is a veteran application security expert with a doctorate in
    software engineering and over four decades of experience in IT,
    specializing in integrating and auditing security throughout the
    application lifecycle and contributing internationally to ISO/IEC
    standards, including as lead editor of ISO/IEC 27034.

    Dagmar Moser

    Consultant, Auditor and Lecturer

    Dagmar Stefanie Moser is a seasoned IT security expert and founder of blueheads GmbH, with over 25 years of experience in IT architecture, secure software engineering, and information security. She currently serves as a certified ISO/IEC 27001 Lead Auditor and guest lecturer at the Hochschule der Bayerischen Wirtschaft (HDBW).

    Details

    FAQ

    Why does my team need CRA training now?
    The CRA has a phased rollout, and the first real deadline - notification obligations for actively exploited vulnerabilities and severe incidents - lands on 11 September 2026. The Secure Product Development Lifecycle requirements follow on 11 December 2027. Neither of those timelines leaves much room to build processes from scratch. The teams in the best position will be the ones who started preparing 12 to 18 months before the deadlines, not in the final quarter.
    Who is this training for?

    It works best as a cross-functional session. The content is relevant to anyone who touches a product that falls under the CRA - not just the security team.

    • CISOs and Information Security Officers get a clear picture of their legal obligations and what a compliance programme needs to look like.
    • Compliance Officers, Legal, and Risk Managers come away with a solid grasp of the regulatory framework, the timelines, and what documentation needs to exist.
    • Software Architects and Tech Leads learn how secure-by-design and secure-by-default principles translate into real architectural decisions.
    • Product and Application Managers understand where CRA obligations intersect with product roadmaps, release cycles, and post-release support.
    • Developers and DevOps Engineers get clarity on what changes day-to-day: SBOM generation, vulnerability triaging, and patch delivery timelines.
    • Software Testers understand what CRA-relevant security verification looks like in practice.
    No prior CRA knowledge is required.
    What is the course approach?
    It's a mix of presentation, discussion, and applied exercises. Participants work through real CRA requirements and map them to scenarios that are relevant to their own products. The day ends with a structured action-planning session - so the team leaves with something concrete, not just notes.
    Does our product fall under the CRA?
    The CRA covers all products with digital elements placed on the EU market where there's a reasonably foreseeable consumer or business use - which includes most software products. The main exclusions are products already regulated under sector-specific legislation (like the Medical Device Regulation) and certain categories of open-source software. The training includes a product classification module so your team can work out exactly which obligations apply to what you ship.
    What facilities do you need for onsite delivery?
    1. A projector and power outlet for the trainer
    2. Enough space for participants to work in small groups of 3 to 5
    3. A whiteboard or flip chart per group

    Participants don't need to bring laptops. All exercises use printed materials.
    Can the training be delivered remotely?
    Yes, for up to 25 participants. Groups work in virtual breakout rooms with trainer support, and reconvene for discussion after each exercise block.

    Public sessions

    For Individuals

    17 July 2026

    09:00 - 17:00 CET

    Classroom CRA Practitioner Workshop

    🎫 €1000 (per person, excl. VAT)

    A full-day on-site workshop. You will walk away knowing exactly what the EU Cyber Resilience Act requires, what needs to be built, and who owns what.

    Online teleconference

    21 August 2026

    09:00 - 17:00 CET

    Remote CRA Practitioner Workshop

    🎫 €800 (per person, excl. VAT)

    A full-day remote workshop. You will walk away knowing exactly what the EU Cyber Resilience Act requires, what needs to be built, and who owns what.

    KASerne

    Willemspoort 1,
    5223WV, 's-Hertogenbosch,
    Netherlands
