      The CRA is a new EU regulation that will apply from December 2027 to all companies that provide products with digital elements in the European single market. The aim of the regulation is to create a uniform level of cybersecurity and to better protect consumers and businesses from digital threats. 

      The CRA obliges manufacturers, importers and distributors to demonstrate the security of their products throughout their entire life cycle – from development and operation to updates and documentation. The impact will be felt not only by large corporations, but also by small and medium-sized enterprises.

      Affected roles and product categories

      Responsible roles within the meaning of the CRA

      • Manufacturers bear primary responsibility for the development, production and conformity of digital products. They must carry out risk analyses, establish secure development processes and provide technical documentation. 
      • Importers and distributors must ensure that only compliant products are placed on the market and assume the obligations of a manufacturer in the event of significant changes.
      • Other actors, such as authorised representatives or commercial open source administrators, may also be held responsible if they make products available in the EU. 

      The risk product categories 

      The CRA distinguishes between product categories according to their risk to cybersecurity. The higher the criticality, the stricter the requirements and testing procedures.

      • Important products Class I: for example, operating systems and boot managers.
      • Important products Class II: for example, firewalls and container runtime systems. 
      • Critical products: for example, smart meter gateways, smart cards.

      An overview of the requirements and changes

      • Technical requirements for products with digital elements

        Products must be provided without known vulnerabilities and with secure default configurations ("security by default"). Manufacturers are obliged to ensure security mechanisms such as secure communication, access controls and timely updates. In addition, products must be monitored throughout their entire life cycle and vulnerabilities must be remedied. 

      • Organisational requirements and documentation obligations

        Companies must establish structured risk and vulnerability management, provide technical documentation, and demonstrate compliance with CRA requirements in a verifiable manner. This includes risk analyses prior to market launch, continuous monitoring, and clearly defined processes for updates, notifications, and incident response. 

      • Significant changes and consequences for compliance

        A new conformity assessment is required if significant changes occur that affect the security level of a product – such as new functions, changes to security-related mechanisms or additional interfaces. UI adjustments and minor bug fixes, on the other hand, are not considered significant. Non-compliance can result in fines of up to £13 million or 2.5 per cent of global annual turnover, as well as product recalls and market access restrictions.

      FAQs about the CRA

      • When does the CRA come into force? Since December 2024, with full implementation required from December 2027. 
      • Which products are affected? All hardware and software products with network interfaces, regardless of industry or sector. 
      • Are there any exceptions? Yes, for example for medical devices, vehicles and aviation technology.
      • What happens in the event of non-compliance? Fines of up to £13 million or 2.5 per cent of annual turnover, as well as product recalls and market access restrictions, are possible. 
      • How can I prepare my company? Early analysis of the impact, establishment of risk management and integration of security by design are crucial.

      Our services in the field of cyber security

      Analysis of the impact and assessment of the need for action

      We check whether and how your products are affected by the CRA and what obligations this entails for your company – providing you with a clear overview of the action required and your next steps.

      Gap analysis and creation of a CRA compliance roadmap

      We identify existing gaps in your products and systems with regard to CRA requirements and develop a customized action plan with priorities and timelines for implementation.

      Security by design and the software development life cycle

      We support you in integrating security requirements into your development processes – from the initial idea to the finished product. This ensures that cybersecurity is considered from the outset and regulatory requirements are implemented.

      Software bill of materials (SBOM), vulnerability and reporting processes

      We provide support in establishing efficient processes for vulnerability management, fulfilling reporting obligations, and creating and maintaining software bills of materials (SBOM) for all products to ensure transparency and traceability.

      Technical conformity assessment and CE marking

      We support you with internal testing procedures and cooperation with notified bodies to ensure CE labelling for your products and guarantee market access.

      Our added value for companies

      Comprehensive consulting from a single source: technical, organisational and legal.

      • In-depth regulatory expertise (including IEC 62443, EN 40000, ETSI EN 303 645).
      • Practical solutions for IoT, industry and software.
      • Early preparation for risk minimisation and sustainable compliance.
      • Individual workshops, training courses and board briefings for your team.


      Performance & Strategy – Strategic implementation of the Cyber Resilience Act

      The requirements of the Cyber Resilience Act apply not only to technology, but also to organisation, processes and governance. We support companies in strategically anchoring CRA requirements and efficiently integrating them into existing product development and control structures.

      Our services in the area of performance and strategy include:

      • CRA gap analysis and maturity assessment

        We analyse the current implementation status in comparison to CRA requirements, identify areas for action and prioritise measures based on risk, effort and impact.

      • Integration of security by design into organisation and processes

        We provide support in embedding security by design and CRA requirements in governance structures, development models and decision-making processes – going beyond purely technical measures.

      • Efficient and scalable implementation

        We design CRA-compliant processes so that they can be efficiently integrated into existing workflows and remain scalable even with growing product portfolios and international structures.

      Legal advice on CRA provided by KPMG Law *

      Analysis of legal roles and obligations in the CRA context

      Our specialised lawyers classify your company and your products legally in the CRA regime and derive specific obligations from this.

      Governance, responsibilities and directors' and officers' liability

      We translate the CRA requirements into clear responsibilities and reporting lines for business management, product management, IT and security – including an assessment of directors' and officers' liability risks.

      Contract drafting in the supply chain and regulatory protection

      We draft and review contracts along the supply chain in order to regulate CRA obligations, SBOM, update and support obligations as well as liability and indemnification in a legally secure manner.

      Legal structuring of reporting obligations and incident communication

      We define legal reporting obligations, create templates for authority and customer communication and provide support with incident response.

      Documentation, evidence and audits

      We prepare compliance documents for market surveillance authorities and support you during inspections and audits.



      ServiceNow as a technology platform for CRA implementation

      ServiceNow for risk, vulnerability and compliance management

      ServiceNow combines all relevant functions – from risk management and vulnerability management to compliance and reporting – in a central platform.

      Automated workflows for reporting requirements and compliance processes

      Digital workflows enable the efficient management of reporting requirements, compliance assessments and incident response. This ensures that processes are documented in a traceable and audit-proof manner.

      Integration of existing IT and security systems and SBOM support

      ServiceNow integrates seamlessly with existing IT and security systems and supports the creation and maintenance of SBOMs. AI-powered analytics help identify and prioritise risks early on.

      Compliance & Governance

      Building CRA governance, role and responsibility models

      We support you in the clear organisational anchoring of CRA requirements – from the definition of clear roles and decision-making paths to the interlinking of engineering, IT security, legal and management. This allows you to create resilient governance structures and reduce liability and escalation risks.

      Regulatory interaction and sustainable operating models

      We help you to implement the Cyber Resilience Act consistently with neighbouring EU digital regulations (e.g. NIS2, AI Act, Data Act). The aim is an integrated target operating model with efficient processes, clear interfaces and a scalable structure for ongoing operations and future regulatory expansions.

      Management reporting, KPIs and control mechanisms

      We develop meaningful control and reporting concepts for management, including KPIs, decision-making principles and escalation logic. This makes CRA compliance transparent, controllable and integrated into existing governance and risk structures.

      Your contact

      Andrzej Wozniczka

      Partner, Consulting - Cyber Security

      KPMG AG Wirtschaftsprüfungsgesellschaft

      * Legal services are provided by KPMG Law Rechtsanwaltsgesellschaft.