EU Cyber Resilience Act (CRA) Readiness

The EU CRA's vulnerability reporting obligations take effect 11 Sep 2026, with full compliance by 11 Dec 2027. ThunderShield provides CRA applicability checks, gap assessments, SBOM/VEX, penetration testing, and continuous compliance subscriptions to help Taiwanese manufacturers export to the EU.

CRA Compliance Preparation Process

ThunderShield's standard process for getting EU-bound manufacturers ready on the CRA timeline

  1. Applicability determination:Determine whether the product is in CRA scope and its Default/Important/Critical class, and clarify what must be done before 11 Sep 2026 and 11 Dec 2027
  2. Gap assessment:Review all 21 Annex I requirements clause by clause, producing a gap report and remediation roadmap
  3. Remediation & documentation build:Establish a vulnerability-reporting channel, an Article 14 reporting SOP, and the technical documentation structure to close process gaps
  4. Testing & evidence:Run penetration testing, SBOM/VEX generation, and firmware testing, with reports delivered in Annex VII format ready to file into technical documentation
  5. Continuous monitoring & reporting readiness:Per-release SBOM generation and retention, new-vulnerability monitoring and alerts, documentation maintenance, and annual test scheduling to stay reporting-ready

Frequently Asked Questions

Is my product regulated by the CRA?

If your product has digital elements, can connect directly or indirectly, and is sold in the EU market (including through brand customers), it is in principle within the CRA's scope. Products already covered by sector-specific law, such as medical devices and vehicles, follow their own regulations instead. ThunderShield's applicability check gives you a clear answer within 1–2 weeks.

What must be in place before 11 September 2026?

The Article 14 reporting obligations take effect: when a manufacturer becomes aware of an actively exploited vulnerability or a severe security incident in its product, it must submit an early warning to the ENISA platform within 24 hours, a follow-up notification within 72 hours, and a final report within 14 days. In practice you need a vulnerability-reporting channel, an internal reporting SOP, and vulnerability monitoring that tells you in time when your own product is affected.

Do products already on the EU market have to comply?

The reporting obligations apply to all products still on the market, including those placed before December 2027; the full product security requirements apply to products placed on the market or substantially modified after 11 Dec 2027.

What SBOM format does the CRA require?

A commonly used machine-readable format (such as CycloneDX or SPDX JSON), covering at least top-level dependencies. To also align with Germany's BSI TR-03183, you additionally need component purls, SPDX license identifiers, hashes, and a tree-structured dependency graph. ThunderShield's SBOM service delivers to exactly this standard.

How severe are the penalties for violating the CRA?

Violating the essential security requirements can be fined up to €15 million or 2.5% of global annual turnover, whichever is higher, and the product can be forced off the market or barred from entering the EU.

Can ThunderShield get the CE marking for me?

The CE marking is affixed by the manufacturer itself based on the outcome of conformity assessment; third-party assessment for Important/Critical class products must be performed by an EU notified body. What ThunderShield provides is pre-submission gap assessment, testing, and technical documentation preparation, helping you complete self-assessment or submission in the strongest possible position — we do not issue certifications, and you should be wary of any vendor claiming to 'handle certification for you'.

We already have ISO 27001 — do we still need to prepare for the CRA?

Yes. ISO 27001 governs your organization's information security management system; the CRA regulates the product itself — its security requirements and external obligations (SBOM, vulnerability handling, reporting). The two are complementary, not interchangeable: an existing ISMS is an excellent foundation, but you must add product-level evidence and processes on top of it. ThunderShield offers both ISO 27001 and CRA services and can help you bridge the two sets of requirements with minimal rework.

We're just a contract manufacturer — isn't the CRA our brand customers' problem?

The legal obligations do sit with your brand customers, but the SBOMs, security test reports, and vulnerability information they need to comply all come from the contract manufacturer — and these requirements are being written into RFQs and supplier contracts. For ODM/OEMs, CRA readiness is shifting from a nice-to-have to a ticket to play — and it is also an opportunity to cement your position in the supply chain.

Contact ThunderShield for a consultation · View pricing plans