End-to-End CRA Compliance
Regulation (EU) 2024/2847 introduces the most comprehensive cybersecurity requirements ever imposed on products with digital elements. Kunnus maps every obligation to an actionable workflow.
What the CRA Requires from Manufacturers
The EU Cyber Resilience Act establishes essential cybersecurity requirements for all products with digital elements placed on the EU single market. As a manufacturer, you bear primary responsibility under Article 13.
Product Classification (Article 6, Annex III/IV)
Every product must be classified into one of four categories: Default, Important Class I, Important Class II, or Critical. Kunnus provides automated classification based on product attributes and Annex III/IV criteria.
Security by Design (Annex I, Part I)
Products must be designed with an appropriate level of cybersecurity, be free of known exploitable vulnerabilities, ship with a secure default configuration, and enforce protected access control. Kunnus offers 50+ pre-built CRA controls mapped to Annex I.
Vulnerability Management (Article 14, Annex I Part II)
Continuous obligations throughout the product’s expected lifetime (minimum 5 years): identify vulnerabilities, remediate without delay, publicly disclose fixes, and maintain a coordinated vulnerability disclosure (CVD) policy. Kunnus automates the full lifecycle.
Incident Reporting to ENISA (Article 14(2))
Mandatory reporting: 24-hour early warning, 72-hour detailed notification, 14-day final report for actively exploited vulnerabilities. Kunnus tracks every deadline with automated SLA monitoring.
Technical Documentation (Annex VII)
Complete documentation covering 13 categories must be in place before market placement and retained for at least 10 years. Kunnus generates export-ready packages for notified bodies and market surveillance authorities.
Conformity Assessment & CE Marking (Articles 24–30)
Module A self-assessment for default products, Module B+C third-party assessment for Important/Critical products. Kunnus tracks your conformity pathway and prepares the documentation each module requires.
Key Deadlines You Cannot Miss
The CRA follows a phased enforcement timeline. Missing any deadline exposes your products and organization to regulatory action.
December 10, 2024 – CRA enters into force
The regulation is published and the clock starts. Preparation should begin immediately.
September 11, 2026 – Vulnerability reporting begins
Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours. This applies to all products already on the market.
December 11, 2027 – Full enforcement
All products with digital elements must fully comply. Non-compliant products cannot bear the CE mark. Penalties: up to €15M or 2.5% of global annual turnover.
Why a Platform – Not Spreadsheets
Fragmented processes break under continuous obligations
The CRA isn’t a one-time checkbox exercise. Vulnerability monitoring, SBOM updates, incident reporting, and evidence collection must happen in parallel, across products, indefinitely.
Regulatory cross-references create invisible gaps
A single product may need to satisfy Annex I Part I, Annex I Part II, Annex VII, and Annex VIII simultaneously. Without systematic mapping, gaps remain invisible until an audit reveals them.
Supply chain complexity compounds the challenge
Article 13(6) requires due diligence on third-party components. At scale, collecting supplier SBOMs and tracking their vulnerabilities is unmanageable without automation.
Start Your CRA Compliance Journey Today
Whether you’re starting from scratch or replacing manual processes, Kunnus provides the structure and automation to achieve compliance efficiently.