EU CRA • END-TO-END READINESS • PORTFOLIO OF SOLUTIONS  

EU Cyber Resilience Act (CRA) Readiness One Partner. Complete Portfolio.

From first CRA assessment to audit-ready DevSecOps pipelines

Codelab provides a complete, engineering-led portfolio to prepare your products and organization for the Cyber Resilience Act.

Trusted by automotive OEMs, Tier-1 suppliers and industrial manufacturers building safety- and business-critical systems


The EU Cyber Resilience Act is here. Are you ready?

The clock is ticking. By September 2026, vulnerability reporting becomes mandatory. By December 2027, full CRA compliance - including security-by-design, SBOM, CE marking - is required for every product with digital elements sold in the EU. 

There's good news: With the right partner, CRA compliance becomes manageable - not overwhelming. 


Stay ahead of CRA vulnerability reporting

Deadline for: 24h early warning | 72h full notification | ENISA reporting


In short: CRA is not a single checklist to tick at the end of development. It is a continuous way of building, testing and documenting your products - and the evidence that proves it.

Sławomir Kukurenda, Lead Project Manager, Codelab

CRA non-compliance doesn’t just mean fines

  • €15M: penalties for non-compliance
  • 2.5%: of global annual turnover
  • €€€: potential product withdrawal from the EU market

It means your product cannot legally be placed on the EU market. For suppliers, it means failing your customer’s compliance review - and losing the relationship.

CRA Is Not Just About Security Testing. It’s About Proving It.

Your embedded devices are increasingly distributed, connected and exposed to growing regulatory pressure, including the Cyber Resilience Act.  
Every firmware update is no longer just about functionality – it is about security, remote rollout capability and a repeatable, auditable process.  
Codelab’s Secure Bootloader gives you a proven, flexible foundation so you can focus on developing your product instead of reinventing the update mechanism.  

How Codelab supports you at every step for CRA Compliance

Fast, Fixed-Price, Engineering-Grade

Codelab provides end-to-end CRA compliance solutions - from initial gap analysis to full implementation and ongoing maintenance. Our approach is practical, scalable, and tailored to your product and industry context.


CRA Compliance Check

What: Fixed-price gap assessment in 1 week - map your products, processes, and artifacts against CRA requirements.

You get: Executive summary, detailed findings and a 30/60/90-day remediation roadmap with prioritized actions.

Ideal for: Organizations unsure where they stand vs. CRA obligations.


Secure Pipeline

What: Pre-integrated DevSecOps stack (GitLab + SonarQube + ScanOSS) producing automatic SBOM, SCA, and audit-ready evidence - deployed in 6 weeks.

You get: On-prem, Docker-based environment with enforced quality gates, CI/CD templates, and immutable audit logs.

Ideal for: Teams needing automated evidence generation for CRA compliance.


Secure Bootloader

What: Production-hardened secure boot implementation ensuring only authenticated firmware runs on your devices - compliant with CRA Article 13 (secure boot verification).

Features: Cryptographic signature verification (SHA256, RSA), Firmware authenticity & integrity checks at every boot, Protection against unauthorized firmware updates

Ideal for: Industrial controllers, IoT devices requiring boot-level security.
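An added illustration of the boot-time check described above (example code written for this page, not Codelab's bootloader): the image header and payload are hashed with SHA-256, the digest is signed with RSA-PSS, and the verifier refuses to hand over the payload unless the header is sane and the signature checks out under the trusted public key. The image layout, the key and the payload are constructed for the example; a real bootloader pins the public key in ROM or OTP rather than generating it.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example): 4-byte magic, 4-byte payload
// length (big-endian), payload, then a 256-byte RSA-PSS signature over
// magic+length+payload. A real bootloader would pin the public key in ROM/OTP.
var magic = []byte("FWv1")

const sigLen = 256 // RSA-2048 signature size

// SignFirmware builds a signed image: the signature covers header and payload.
func SignFirmware(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	hdr := make([]byte, 8)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	body := append(hdr, payload...)
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return append(body, sig...), nil
}

// VerifyFirmware is the boot-time check: it returns the payload only if the
// header is sane and the signature verifies under the trusted public key.
func VerifyFirmware(pub *rsa.PublicKey, img []byte) ([]byte, error) {
	if len(img) < 8+sigLen || !bytes.Equal(img[:4], magic) {
		return nil, errors.New("bad header")
	}
	n := binary.BigEndian.Uint32(img[4:8])
	if uint64(n) != uint64(len(img)-8-sigLen) { // reject length mismatch
		return nil, errors.New("length mismatch")
	}
	body, sig := img[:8+n], img[8+n:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature invalid: refusing to boot")
	}
	return body[8:], nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key for the demo
	img, _ := SignFirmware(priv, []byte("firmware payload"))
	if p, err := VerifyFirmware(&priv.PublicKey, img); err == nil {
		fmt.Printf("boot OK: %q\n", p)
	}
	img[10] ^= 0xff // flip one payload byte: integrity check must now fail
	_, err := VerifyFirmware(&priv.PublicKey, img)
	fmt.Println("tampered image:", err)
}
```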

Other related solutions

Test Automation as a Service

What: Automated testing solutions for hardware-in-the-loop (HIL) and software-in-the-loop (SIL) validation, ensuring products meet security and functional requirements.

You get: HIL Test Automation, SIL Simulation, Security Test Cases, Regression Testing, Test Management & Reporting.

Ideal for: Embedded system manufacturers, automotive suppliers, industrial equipment producers requiring rigorous validation.

Legacy Software Redesign

What: Security audits of your codebase, architecture, and infrastructure to identify vulnerabilities and configuration weaknesses.

You get: Code Security Audit, Architecture Review, Container & Kubernetes Security, Penetration Testing, Security Posture Report.

Ideal for: Organizations preparing for CE marking, companies with legacy codebases, teams needing external validation for stakeholders.

What the CRA demands from manufacturers


  • Security by Design & Default: Products must be secure from conception, with safe default configurations
  • Vulnerability Handling: Establish processes to detect, analyze, and respond to security flaws - including 24-hour reporting of active exploits to ENISA
  • Risk Assessment & Documentation: Conduct and document comprehensive cybersecurity risk assessments
  • Continuous Support & Updates: Provide security patches and updates for at least 5 years (or the product's expected lifetime)
  • Supply Chain Accountability: Take responsibility for third-party components, open-source libraries, firmware, and SDKs

"Regulators are increasingly holding boards and individual executives personally liable for compliance failures. Cyber risk must now be treated as a critical business risk, necessitating formalised collaboration between legal, procurement, and technical teams."

Gartner Top Cybersecurity Trends for 2026

When does CRA apply to your product?

CRA applies

  • Products with digital elements (software, firmware, connectivity) placed on the EU market commercially
  • Products distributed publicly (sold, licensed, offered via platforms or app stores)
  • Components (APIs, SDKs, firmware, libraries) integrated into commercial products sold in the EU
  • Embedded systems, IoT devices, industrial controllers, connected hardware

CRA does not apply

  • Custom software developed exclusively for one client's internal use (not redistributed)
  • Products used solely internally without commercial distribution
  • Open-source software developed without commercial intent (but becomes subject to CRA if commercialized)
  • Pure hardware with no digital processing or connectivity

The consequences of non-compliance

  • Market exclusion: Products without CE marking cannot be sold in the EU
  • Financial penalties: Fines up to €15 million or 2.5% of global annual turnover
  • Product withdrawal: Regulators can force removal from market
  • Reputational damage: Public disclosure of non-compliance harms brand trust
  • Supply chain disqualification: B2B clients will drop non-compliant suppliers
  • Legal liability: Boards and executives increasingly held personally accountable

The CRA challenge - why manufacturers struggle

Meeting CRA requirements is complex, resource-intensive, and technically demanding. The requirements go far beyond "running a scanner" - they demand structured, demonstrable evidence across the entire product lifecycle.


Evidence Gap - "We Do Security, But Can't Prove Compliance"

  • We don't know what evidence we need to retain: CRA requires specific documentation - security-by-design rationale, vulnerability handling records, SBOM, risk assessments, security advisories. Most teams lack a clear mapping of what's required vs. what they currently produce.
  • We do security activities, but we can't prove them reliably: Ad-hoc scanning, informal reviews, and undocumented triage don't survive a formal review. CRA demands consistent, traceable records - not "we usually do this."
  • Our customers are already asking for things we can't provide: OEMs and prime manufacturers are cascading CRA obligations down the supply chain. Supplier questionnaires are getting harder. Without structured compliance evidence, you risk losing contracts.

Workflow Fragmentation - Tools Exist, But Compliance-Ready Processes Don't

  • Approvals, scan results, and SBOM data live in separate silos: You run scans, but can't produce structured audit trails. Evidence is scattered across tools, wikis, emails, and tribal knowledge.
  • Every team, every repo, every project follows its own rules: No enforced quality gates, no mandatory reviews, no consistent traceability. CRA requires the same standard of evidence across your entire product portfolio - standardization isn't optional.
  • Limited AppSec capacity: SMEs and mid-market manufacturers rarely have a dedicated DevSecOps team. They need solutions that work out-of-the-box.

Timeline Pressure - Deadlines Are Fixed, Resources Are Not

  • Limited time to implement: With vulnerability reporting starting in September 2026 and full compliance by December 2027, organizations have less than two years to overhaul security practices
  • Long product lifecycles: Embedded systems and industrial products often have 10-15 year lifecycles, requiring retroactive security improvements
  • Coordination across teams: CRA touches development, legal, supply chain, and operations - requiring cross-functional collaboration
  • Building a compliant toolchain from scratch takes months: Months you may not have

Technical Complexity - Regulatory Requirements Meet Engineering Reality

  • Security by design requirements: Retrofitting security into legacy products is costly and technically challenging
  • Vulnerability management processes: Establishing 24-hour reporting workflows, ENISA integration, and incident response capabilities demands specialized expertise
  • SBOM generation & SCA: Software Bill of Materials (SBOM) creation and Software Composition Analysis (SCA) require automated tools and processes
  • Supply chain visibility: Tracking third-party components, open-source dependencies, and firmware origins across complex supply chains is overwhelming
  • On-prem constraints: IP sensitivity, regulated industries, and air-gapped networks make "just use SaaS" a non-starter for many manufacturers

The question isn't whether CRA applies to you - it's how quickly you can demonstrate readiness.

What is the Cyber Resilience Act (CRA)?


The Cyber Resilience Act (CRA) is the EU's most sweeping cybersecurity regulation in a decade - effective December 2024. It demands that every manufacturer, importer, and distributor of products with digital elements demonstrates verifiable compliance across the entire product lifecycle.

This isn't just about running security scans. CRA requires:

  • Security-by-design documentation showing cybersecurity was built in from conception
  • Structured SBOM (Software Bill of Materials) for every product release
  • Vulnerability handling processes with mandatory 24-hour ENISA reporting
  • Risk assessments documented and traceable for each product
  • CE conformity declarations proving compliance before market access
  • Supply chain accountability extending to all third-party components

Who Does CRA Impact?

Product Manufacturers

IoT devices, embedded systems, industrial controllers, connected hardware, firmware

Component Suppliers

APIs, SDKs, libraries, modules integrated into commercial products sold in EU

Importers & Distributors

Any organization placing digital products on the EU market

Even if you're a component supplier, your firmware, API, or SDK triggers CRA obligations as part of the supply chain. OEMs and integrators will demand CRA compliance from you.

How we proceed: a clear, time-boxed engagement

Every engagement follows a standardized, proven methodology — ensuring consistency, efficiency, and no surprises.

Understand

Start with CRA Compliance Check and, if needed, the CS Risk Assessment workshop. This gives you a factual baseline, a risk view and a prioritised roadmap. 

Stabilise

Use SecureStack Audit and AppHealthCheck where you need deeper insight into high-risk or legacy applications. 

Industrialise

Deploy CRA Secure Pipeline so that security-by-design, SBOM generation and evidence production happen automatically in your day-to-day development. 

Harden Products

Apply Secure Bootloader and other product-specific measures to ensure device-level resilience. 

Scale & Sustain

Leverage Test Automation as a Service and ongoing advisory to keep your portfolio compliant and your teams supported over time 

Why choose Codelab as your CRA compliance partner?

CRA compliance services are emerging fast. But most come from either pure consulting firms or pure tool vendors — rarely both. What sets us apart is this:


We know, we care, we do.

Codelab delivers high-performance software solutions and services for automotive, IIoT, and mobile. We take ownership of the entire development lifecycle - from concept and architecture to CRA-compliant validation and full system integration. With 220+ engineers in Poland, we support global Tier-1 automotive, industrial, and telecom leaders in building secure, scalable, and regulation-ready systems. For nearly 30 years, we have been executing complex, high-impact international projects — combining deep cybersecurity and embedded systems expertise with technologies from industry leaders. Part of Beta Systems Group — 35 years of global IT excellence, operating in nearly 40 countries and listed on the Frankfurt Stock Exchange.


An ecosystem of trusted Technology & Consulting Partners

Our Audit Process – Step by Step

We follow a methodical process designed for efficiency, with sufficient detail to ensure transparency while respecting your time constraints: 

Discovery Call (~1 hour)

A focused meeting to map your business objectives, technical stack and modernization goals. It allows us to better understand key deadlines and pain points, and to define a tailored approach.

Technical & Process Assessment

Based on the discovery phase, our experts conduct a focused audit tailored to your challenges. It covers software, data flows, integrations, architecture, and delivery practices.

Deep-Dive Workshops (~4 hours)

A session that brings stakeholders together to discuss team dynamics and the development process. It helps uncover tools, blockers, and communication gaps.

Reporting & Recommendations

We compile findings into an executive summary and a detailed technical report with clear, business-aligned next steps.

Deliverables and Timeline

Executive Summary

High-level overview of findings and business implications.

Deep Technical Report

Clear, actionable report highlighting key issues, inefficiencies, and risks.

Improvement Plan

Prioritized recommendations and a structured improvement roadmap, combining quick wins with long-term strategies. All delivered within business days from project start.

Take the first step toward CRA Compliance

Don't wait until deadlines loom. The CRA compliance journey takes time - starting now gives you a competitive advantage, reduces stress, and ensures uninterrupted market access.

Schedule Your CRA Readiness Assessment

Get clarity on your compliance status, understand your obligations, and receive a practical roadmap tailored to your products and timelines.

What you'll gain:

    • 30-60 minute discovery call: Understand your current situation and identify immediate concerns
    • Tailored assessment proposal: Scope, timeline, and pricing aligned with your needs
    • No-obligation consultation: Walk away with valuable insights, even if you don't proceed
Łukasz Kur

Prepare for CRA – let's talk about first steps

Frequently asked questions

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is an EU regulation that establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market. It aims to improve the security of connected devices, software, and digital components by enforcing obligations on manufacturers throughout the product lifecycle - from design to decommissioning.

When does the CRA become mandatory?

The CRA entered into force on December 10, 2024. Key implementation dates are:

  • September 11, 2026: Vulnerability reporting obligations begin (24-hour reporting of actively exploited vulnerabilities to ENISA)
  • December 11, 2027: Full CRA compliance mandatory - all cybersecurity requirements must be met, and CE marking is required for market access.

Does the CRA apply to my product?

Your product is subject to CRA if it:

  • Contains digital elements (software, firmware, connectivity, APIs)
  • Is placed on the EU market commercially (sold, licensed, distributed publicly)
  • Is integrated into another commercial product sold in the EU

Exemptions exist for:

  • Custom software developed exclusively for one client's internal use (not redistributed)
  • Products used solely internally without commercial distribution

If you supply components (firmware, SDKs, libraries) to OEMs or integrators who sell products in the EU, you have supply chain obligations even if you're not the final product manufacturer. 

What are the main CRA requirements?

The CRA mandates:

  1. Security by Design & Default: Products must be inherently secure, with minimal attack surfaces and safe default configurations
  2. Vulnerability Management: Processes to detect, analyze, and remediate security flaws—including 24-hour reporting of active exploits to ENISA
  3. Risk Assessment: Documented cybersecurity risk analysis
  4. Supply Chain Accountability: Responsibility for third-party components and open-source software
  5. Continuous Updates: Security patches and support for at least 5 years
  6. Technical Documentation: Comprehensive security documentation
  7. Conformity Assessment & CE Marking: Self-assessment (or third-party evaluation for critical products) and CE marking affixing

What is ENISA and why do I need to report vulnerabilities?

ENISA (European Union Agency for Cybersecurity) is the EU body responsible for cybersecurity coordination. Under CRA, manufacturers must report actively exploited vulnerabilities and severe security incidents to ENISA within strict timelines:

  • 24 hours: Early warning notification
  • 72 hours: Detailed notification with technical information
  • 14 days (vulnerabilities) or 30 days (incidents): Final report after remediation

Failure to report on time can result in penalties and enforcement actions.

What is an SBOM and why is it important for CRA?

A Software Bill of Materials (SBOM) is a comprehensive inventory of all software components, libraries, and dependencies in your product. CRA requires manufacturers to maintain visibility into their software supply chain - SBOMs enable:

  • Identification of vulnerable components
  • Rapid response when new CVEs are discovered
  • Supply chain accountability and transparency
  • Compliance with documentation requirements

What happens if I don't comply with CRA?

Non-compliance consequences include:

  • Market exclusion: Products without CE marking cannot be sold in the EU
  • Financial penalties: Member states can impose fines
  • Legal liability: Manufacturers may face lawsuits for security failures
  • Reputational damage: Public disclosure of non-compliance harms brand trust
  • Customer rejection: B2B clients will demand CRA compliance proof before purchasing


Can Codelab help with CE marking and conformity assessment?

Yes. Our Maintenance & Monitoring service includes comprehensive support for:

  • Technical documentation preparation
  • Conformity assessment (self-assessment or support for third-party evaluation)
  • Declaration of Conformity drafting
  • CE marking guidance and regulatory compliance

We ensure your documentation meets CRA requirements and withstands audits.

How long does it take to achieve CRA compliance?

Timelines vary based on:

  • Product complexity and architecture
  • Current security posture
  • Size and maturity of your organization
  • Scope of required changes

Typical ranges:

  • Initial assessment: 2-4 weeks
  • Gap remediation & implementation: 3-12 months
  • Ongoing maintenance: Continuous (as long as product is supported)

Starting early is critical - organizations beginning now have sufficient time to meet 2026 and 2027 deadlines without last-minute crises.

What industries does Codelab serve?

Codelab specializes in embedded systems, automotive, industrial automation, IoT, and telecommunications. We've delivered projects for:

  • Automotive OEMs and Tier-1 suppliers
  • Industrial manufacturing and IIoT
  • Medical device manufacturers
  • Energy and infrastructure
  • Telecommunications providers

Our deep domain expertise ensures we understand industry-specific challenges, safety and security standards (ISO 26262, ISO 21434, IEC 61508), and regulatory environments.


How does Codelab ensure data security and confidentiality?

Codelab is certified in ISO 27001 and TISAX, demonstrating our commitment to information security best practices. We:

  • Sign NDAs as standard practice
  • Follow strict data protection protocols
  • Implement access controls and encryption
  • Maintain compliance with GDPR and industry-specific requirements

Your intellectual property and sensitive data remain fully protected throughout our engagement.

Can Codelab work with our existing development tools and processes?

Absolutely. Our solutions integrate seamlessly with:

  • CI/CD platforms: Jenkins, GitLab, Azure DevOps, GitHub Actions, Bitbucket Pipelines
  • Version control: Git, SVN, Perforce
  • Issue tracking: Jira, Azure Boards, Redmine
  • Test frameworks: pytest, JUnit, Selenium, Robot Framework, custom frameworks
  • Embedded toolchains: JTAG debuggers, ARM tools, vendor-specific environments

We adapt to your ecosystem rather than forcing tool changes.