CRA & IEC 62443 Readiness

The Cyber Resilience Act makes cybersecurity a condition of CE marking for every product with digital elements. I get connected machines and devices conformity-ready — without a full in-house product-security team.

The deadline is real

From December 2027, every product with digital elements sold in the EU must meet the Cyber Resilience Act’s essential cybersecurity requirements to carry a CE mark. For a mid-size machine builder or connected-product maker, that’s a new conformity obligation stacked on top of the Machinery and EMC directives you already handle — and it reaches all the way down into your firmware, update mechanism and vulnerability-handling process.

Too big to ignore, too small to staff a full product-security team for. That’s exactly the gap I fill.


Where I help

CRA gap assessment

A concrete, clause-by-clause read of where your product and processes stand against the CRA’s essential requirements — and a prioritised, realistic plan to close the gaps before they block your CE marking.

Secure-by-design architecture (IEC 62443)

IEC 62443 is the practical backbone for meeting the CRA on industrial and connected products. I harden your product architecture — trust boundaries, secure communication, least privilege, secure boot and update — against the parts of 62443-4-1 and 62443-4-2 that actually apply to you.

Vulnerability handling & PSIRT

The CRA requires you to handle vulnerabilities across the whole support period: coordinated disclosure, timely security updates, and reporting of actively exploited vulnerabilities. I set up a right-sized process — no bureaucracy you won’t maintain.

SBOM & secure update

A software bill of materials you can actually keep current, and a secure update path that holds up under audit. Both are non-negotiable under the CRA; both are straightforward once the architecture supports them.

Technical documentation

The conformity file that ties it together — risk assessment, design rationale and evidence — structured so it survives an assessment instead of being assembled in a panic.


Why me

I don’t just map you to clauses. I’ve been breaking embedded devices for fifteen years, and I hold machinery functional-safety credentials (CMSE®/CEFS). So I reconcile the CRA’s new security demands with the safety case you already have — instead of bolting security on where it fights your safety argument. Machine builders in the Heilbronn-Franken region get this on-site, in German.

Book a CRA readiness review