
Cyber Resilience Act
The Cyber Resilience Act (CRA) is a new EU regulation ensuring that all products with digital elements — hardware or even purely software — are secure by design and throughout their lifecycle.
It requires manufacturers to manage cyber risks, provide timely security updates, and report incidents. From December 2027, products sold in the EU must comply and carry a CE mark proving cybersecurity conformity. The CRA builds consumer trust, strengthens digital safety, and harmonizes cybersecurity standards across Europe — making digital products safer and more reliable for everyone.
While there are still no published standards supporting the CRA, TrustnGo provides consulting, assessment and testing services to tackle these challenges and allow you to meet the requirements of the CRA on D-day.
Our Approach to CRA
1/ Mapping of products and processes
List the products and processes of the organization to obtain a clear view of how the organization operates and what kind of products or services it sells.
2/ Gap analysis at organizational level
Use the previous mappings to perform a gap analysis against the general essential requirements of the CRA at organization level (Secure Development Life Cycle, product life-cycle, vulnerability management, etc.).
3/ Define a compliance roadmap
Define a compliance roadmap at the organization level including setting up a compliant SDLC and life-cycle management as well as establishing a training plan to help technical people to improve their skills.
4/ Risk & Gap analysis at product level
Now that the implementation of the compliance roadmap is on track at organization level, tackle the problem at product level by identifying the technical gaps that really need to be filled to comply with CRA essential requirements.
5/ Fix the gaps with our advice
Actually fix the gaps by effectively deploying new processes and methodologies. Also, prepare checklists mapping general standard requirements to product-specific requirements that can be efficiently and repeatedly implemented by dev teams across all the products.
6/ Demonstrate compliance
Write supporting technical documentation and carry out penetration tests on products, web interfaces or backends, and mobile applications.
Discover Our Key Strengths

Why choose TrustnGo
Securing an embedded device can be a challenge and demonstrating this security is another one.
Over the past years, the EU has severely tightened cybersecurity requirements for IoT & embedded devices: NIS2, RED Directive, CRA, Regulation of machinery, … TrustnGo follows all these topics and has developed a comprehensive and cost-effective methodology based on our expertise in EN 303 645, EN 18031, IEC 62443, etc.
As a one-stop-shop, we also deliver technical advice on how to implement security functions, and we perform penetration testing to assess the robustness of your implementation.
We can act not only at the product level but also at the company level to achieve sustainable and reproducible compliance.
Example Case
A company selling solutions embedding a custom internet gateway, with wireless interfaces and already compliant with EN 18031-1/2, wants to comply with CRA requirements.
The solution is considered as a whole, including the backend and the related mobile application. A risk & gap analysis is conducted and the EN 18031 evidence is completed to demonstrate the conformity of the solution.
In addition, a secure development life cycle is deployed at company level and vulnerability management is fully integrated into the company’s processes.



