For SMBs & Enterprises Worldwide

Your products need CRA compliance. You need to know what that actually means.

Selling tech in Europe means the CRA applies—whether you're ready or not. Get a clear compliance snapshot and a prioritized roadmap to fix what matters and protect your EU market access.

You'll Receive:

  • Gap analysis report with recommendations
  • Prioritized gap remediation roadmap
  • Clear next steps for implementation
Response within 2 hours • Free 30-min consultation • No commitment required

CRA Product Compliance Dashboard

  • Product Classification: 3 products in scope; Standard class
  • SBOM Generation: Not implemented; 200+ dependencies unknown
  • Secure Development Lifecycle: Partially documented; CRA formalization needed
  • Vulnerability Disclosure: No formal process; Product-specific gap
  • CE Marking Readiness: Not started; Dec 2027 deadline

How It Works: Our 4-Step Gap Analysis Process

A systematic approach to CRA compliance assessment that gives you evidence-based answers, not generic checklists.

01. Scope Definition

Define the perimeter of the gap analysis and the criteria (the standard or regulation). We establish clear boundaries for the assessment, identifying which systems, processes, and controls will be evaluated against the Cyber Resilience Act (CRA) requirements.

  • Assessment scope and framework selection

02. Documentation Review

Analysis of the documentation against the criteria and best practices. We examine your existing product security policies, procedures, technical configurations, and operational evidence to identify what's already implemented and documented against CRA requirements.

  • Documentation analysis against CRA requirements

03. Situation Appraisal

Gaps or nonconformities are rated based on the existing context and objectives. Each gap is evaluated considering your risk profile, business objectives, and implementation maturity—prioritizing gaps that have the greatest impact on your product security posture and CRA compliance goals.

  • List of gaps and non-conformities with risk-based prioritization

04. Reporting

A report is provided with recommendations and a roadmap. You receive a comprehensive gap analysis report with prioritized remediation recommendations, cost estimates, timeline options, and a strategic roadmap for achieving CRA compliance.

  • Gap analysis report with recommendations and remediation roadmap

Meet Your Compliance Experts

Swiss-trained professionals with decades of combined experience in regulatory compliance, risk management, and strategic advisory

Henri HAENNI

Expert in Business Continuity, Risk Management and Information Security Governance

ISO 27001 Lead Implementer & Auditor • ISO 37301 Lead Implementer • ISO 31000 Lead Risk Manager • Sorbonne University Paris 1 Lecturer

Alexis HIRSCHHORN

Expert in Information and Cyber Security, Cloud Security, Risk Management and Governance

ISO 27001 Lead Auditor • CISSP® Certified • ISO 42001 Lead Implementer • PECB MS Certifying Auditor

Laura Menétrey

Data Protection & Information Security Legal Expert

LLM in Data Protection Law • Certified GDPR Practitioner • Information Security Laws (NIS2, DORA) • Privacy Law Specialist

Jean MUNYARUGERERO

Information Security & Business Continuity Trainer

ISO 27001 Lead Implementer • CISM® Exam Bootcamp • ISO 27005 Risk Manager • NIST Cybersecurity Professional

Trusted by Leading Organizations

Real results from real clients who transformed their compliance operations

"We were building secure products, but when the board asked 'Where do we stand compared to CRA requirements?'—we had no clear answer. The gap analysis gave us a compliance scorecard and showed us we were spending remediation resources on low-impact gaps. Now we know exactly what's documented, what needs attention, and where to focus for maximum impact before December 2027."

Clear compliance scorecard and resource optimization

"Our product security practices were informal—we had secure development processes but no formal SBOM generation or documented vulnerability disclosure. We were doing the work but didn't know if we were meeting CRA requirements or just keeping our head above water. The gap analysis showed us exactly where we stand and gave us a prioritized remediation plan. Finally, objective answers instead of assumptions."

Objective assessment of product security maturity

"The gap analysis revealed we had good security practices but lacked the systematic, documented approach CRA requires. We were handling product security reactively, but the assessment showed us what's structured versus what's informal. The prioritized remediation plan helped us allocate resources efficiently—focusing on gaps with highest CRA compliance impact first, especially SBOM generation and vulnerability disclosure processes."

Resource-efficient gap prioritization

Frequently Asked Questions

Everything you need to know about this service

A CRA gap analysis compares your products with digital elements against Cyber Resilience Act requirements. You'll receive a compliance scorecard showing where you stand, a prioritized list of gaps (High/Medium/Low) with resource impact assessment, a remediation roadmap with cost and effort estimates, and strategic recommendations on where to focus resources for maximum CRA compliance impact. This gives you objective answers about your products' compliance status before the December 2027 deadline.

Our gap analysis typically takes 2-3 weeks: Week 1 for scope definition and product inventory, Week 2 for documentation review of your product security practices (SBOM generation, vulnerability disclosure processes, secure development lifecycle), and Week 3 for situation appraisal and reporting. The timeline can vary based on the number of products and complexity, but we'll give you clear deadlines upfront.

CRA applies to products with digital elements sold in Europe—hardware, software, and IoT devices. This includes everything from smart home devices to enterprise software applications. If your product connects to the internet, processes data, or has software components, it likely falls under CRA. Our gap analysis helps you identify which of your products are in scope and what requirements apply to each product category.

That's exactly why you do a gap analysis—to get objective answers about resource allocation. If you're spending remediation resources on low-impact gaps, you'll get a prioritized roadmap showing what to fix first based on CRA compliance impact. Some gaps are quick wins (documentation, SBOM generation tools), others take longer (secure development lifecycle implementation). The gap analysis helps you allocate resources efficiently and focus on gaps with highest regulatory compliance impact.

Not always, but it's highly recommended. If you already know your gaps (maybe from an internal assessment), you can jump straight to implementation. But if you're unsure where you stand compared to CRA requirements and best practices, the gap analysis gives you objective answers before investing time and budget. It's a separate 2-3 week engagement that pays for itself by preventing wasted resources on the wrong gaps.

You'll receive: (1) Compliance scorecard with product security maturity assessment across SBOM generation, vulnerability disclosure, secure development lifecycle, and CE marking readiness, (2) Prioritized gap list with risk-based ranking and resource impact assessment, (3) Remediation roadmap with cost/effort estimates for each gap, (4) Strategic recommendations on resource allocation for maximum CRA compliance impact, and (5) Clear next steps with timeline options to achieve CE marking compliance by December 2027.

Maybe, but CRA requires specific, documented evidence—not just good practices. While you may have secure development processes, CRA mandates formal SBOM generation, documented vulnerability disclosure procedures, and evidence of security-by-design principles. Most product teams have good security practices but lack the structured, documented approach CRA requires. The gap analysis shows you exactly what's documented, what's informal, and what needs attention for CE marking.

Yes, absolutely. We offer CRA implementation services as a separate engagement. After the gap analysis, you'll have a clear compliance scorecard and prioritized remediation plan. If you want us to handle the implementation—setting up SBOM generation, formalizing vulnerability disclosure processes, implementing secure development lifecycle—we can start immediately. Many clients do the gap analysis first to understand where they stand and allocate resources efficiently, then engage us for implementation.

Ready to Transform Your Compliance?

Let's discuss your specific needs

Expert Guidance
Swiss Quality Standards
Proven Track Record
Book Your Free Strategy Call
