The EU CRA's vulnerability reporting obligations take effect 11 Sep 2026, with full compliance by 11 Dec 2027. ThunderShield provides CRA applicability checks, gap assessments, SBOM/VEX, penetration testing, and continuous compliance subscriptions to help Taiwanese manufacturers export to the EU.
ThunderShield's standard process for getting EU-bound manufacturers ready on the CRA timeline
If your product has digital elements, can connect directly or indirectly, and is sold in the EU market (including through brand customers), it is in principle within the CRA's scope. Products already covered by sector-specific law, such as medical devices and vehicles, follow their own regulations instead. ThunderShield's applicability check gives you a clear answer within 1–2 weeks.
The Article 14 reporting obligations take effect: when a manufacturer becomes aware of an actively exploited vulnerability or a severe security incident in its product, it must submit an early warning to the ENISA platform within 24 hours, a follow-up notification within 72 hours, and a final report within 14 days. In practice you need a vulnerability-reporting channel, an internal reporting SOP, and vulnerability monitoring that tells you in time when your own product is affected.
The reporting obligations apply to all products still on the market, including those placed before December 2027; the full product security requirements apply to products placed on the market or substantially modified after 11 Dec 2027.
A commonly used machine-readable format (such as CycloneDX or SPDX JSON), covering at least top-level dependencies. To also align with Germany's BSI TR-03183, you additionally need component purls, SPDX license identifiers, hashes, and a tree-structured dependency graph. ThunderShield's SBOM service delivers to exactly this standard.
Violating the essential security requirements can be fined up to €15 million or 2.5% of global annual turnover, whichever is higher, and the product can be forced off the market or barred from entering the EU.
The CE marking is affixed by the manufacturer itself based on the outcome of conformity assessment; third-party assessment for Important/Critical class products must be performed by an EU notified body. What ThunderShield provides is pre-submission gap assessment, testing, and technical documentation preparation, helping you complete self-assessment or submission in the strongest possible position — we do not issue certifications, and you should be wary of any vendor claiming to 'handle certification for you'.
Yes. ISO 27001 governs your organization's information security management system; the CRA regulates the product itself — its security requirements and external obligations (SBOM, vulnerability handling, reporting). The two are complementary, not interchangeable: an existing ISMS is an excellent foundation, but you must add product-level evidence and processes on top of it. ThunderShield offers both ISO 27001 and CRA services and can help you bridge the two sets of requirements with minimal rework.
The legal obligations do sit with your brand customers, but the SBOMs, security test reports, and vulnerability information they need to comply all come from the contract manufacturer — and these requirements are being written into RFQs and supplier contracts. For ODM/OEMs, CRA readiness is shifting from a nice-to-have to a ticket to play — and it is also an opportunity to cement your position in the supply chain.
Contact ThunderShield for a consultation · View pricing plans