Methodology
How We Calculate Our Performance Claims
We believe in transparency. This page documents exactly how the figures cited across our website — particularly the 70%+ cost reduction and 10x faster audits — are derived.
70% Cost Reduction
This figure is derived from comparing the total annual cost of manual CRA compliance against the total annual cost when using the Kunnus platform.
Manual CRA Compliance (Annual)
- Personnel: 0.5–6 FTE at €80,000/year fully loaded cost (scales with product count: base team + reassessment effort at ~40 hours per substantial product change)
- Tooling: €25,000 base + €500/product across 4–5 separate tools: SBOM generation (~30%), vulnerability scanner (~25%), document management (~20%), GRC/process management (~25%)
- External consulting: €36,000–€120,000/year depending on company size and number of product lines
With Kunnus (Annual)
- Personnel: 0.2–1 FTE at €80,000/year (reduced through automation: reassessment effort drops to ~4 hours per substantial change)
- Platform: Single subscription replacing all 4–5 separate tools. Pricing scales with product count.
- No separate tooling: SBOM management, vulnerability tracking, compliance documentation, ENISA reporting, and audit trails included in one platform
Result: For a reference manufacturer with 35 products, manual annual costs typically amount to approximately €280,000 (2 FTE + tooling + consulting). Kunnus reduces this to approximately €80,000 — a reduction of over 70%. The exact figure varies based on product count, complexity, and existing maturity.
10x Faster Audits
This figure is based on a direct time comparison for product reassessments after substantial changes — the most time-intensive recurring compliance activity.
- Manual reassessment: ~40 hours per substantial product change. Includes gathering updated component lists, re-running vulnerability scans, updating documentation, verifying conformity status, and compiling audit evidence.
- Kunnus-assisted reassessment: ~4 hours per substantial change. The platform automatically tracks component changes, runs differential SBOM analysis, updates vulnerability status, and pre-populates documentation. The compliance engineer reviews and approves rather than building from scratch.
40 hours ÷ 4 hours = 10x improvement in reassessment speed.
Sources & References
- Regulation (EU) 2024/2847 — Cyber Resilience Act (Full Text)
- CRA Art. 64 — Penalties up to EUR 15 million or 2.5% of global annual turnover
- CRA Annex I — Essential cybersecurity requirements
- CRA Annex VII — Technical documentation requirements (basis for reassessment time estimate)
- IEC 62443-4-1 — Secure product development lifecycle requirements
- Destatis — Labour cost index, ICT sector (NACE J), Germany 2024
- Cybersecurity Ventures — Global cybercrime cost projections (referenced in CRA Recital 2)
- ENISA — Cyber Resilience Act requirements analysis
Model Assumptions & Limitations
- Reference company profile: mid-sized manufacturer with 35 products with digital elements, 2 product security engineers, no prior CRA-specific tooling in place
- FTE allocation model: time-tracking-based activity decomposition across 7 CRA compliance workstreams (classification, SBOM, vulnerability management, reporting, documentation, assessment, supplier management)
- Cost reduction is measured as total cost of ownership (TCO), not license cost alone — includes personnel time, tooling, and external consulting
- The 10x audit speed improvement applies specifically to reassessment after substantial product changes (CRA Art. 10(12)), not to initial compliance setup
- Figures represent model outputs, not measured client outcomes. Individual results vary based on product complexity, organizational maturity, and scope of CRA obligations
Disclaimer
Actual values vary depending on company size, product count, product complexity, and existing compliance maturity. The figures above represent typical ranges observed in our ROI model. For a personalized estimate, use our interactive ROI calculator or contact us for an individual analysis.