The EU Cyber Resilience Act sets binding cybersecurity obligations for connected product manufacturers. If your products weren't designed with security from the start, the path to a defensible compliance position requires a different kind of work.
Most manufacturers built their product portfolios around performance, reliability, and time-to-market, not cybersecurity architecture. That's a reflection of the environment those products were designed in, not a failure of judgement.
The Cyber Resilience Act changes that environment. For products with network interfaces, digital elements, or software update dependencies, the obligations are significant — and the gap between where most manufacturers stand today and where the regulation requires them to be is real.
The CRA requires that products placed on the EU market are designed with security in mind, have no known exploitable vulnerabilities, and are supported by documented vulnerability management processes.
Most industrial and commercial product portfolios carry connectivity, components, and update models that were never evaluated through a security lens. That gap doesn't close through documentation alone.
Non-compliance carries administrative fines of up to €15 million or 2.5% of global annual turnover, and creates significant product liability exposure for manufacturers and importers.
The gap isn't just that products weren't designed with security in mind. It's that the decisions which created the gap were reasonable at the time — and closing it now means working through constraints that weren't anticipated when the products were built.
Update mechanisms, communication protocols, and component choices were selected for reliability, cost, and time-to-market. Security wasn't the design constraint. Revisiting those decisions years later — under regulatory pressure and without disrupting products already in the field — is a different kind of problem than greenfield development.
Many industrial products were not designed to receive meaningful security updates after deployment. Where update paths exist, they may be manual, infrequent, or dependent on customer cooperation. CRA's expectation of supported, updatable products doesn't map cleanly onto portfolios built around long lifecycle assumptions.
Most manufacturers don't have a complete picture of what software and firmware components are actually running across their product lines — particularly for older products or products that share components across families. Building a defensible position requires knowing what you have. Most manufacturers are starting from a partial view.
Product, engineering, firmware, cloud, app, and support teams each own a piece of the picture. No single team has a complete view of the portfolio's security posture, and vulnerability handling — where it exists — typically wasn't designed to support product-level regulatory obligations.
Most manufacturers have some form of vulnerability handling. Few have processes built to meet the specific disclosure, notification, and remediation tracking obligations the CRA imposes on product manufacturers. Adapting existing processes — rather than building from scratch — is possible, but it requires understanding where the gaps are.
Cyfenders' CRA Portfolio Readiness Program is built for manufacturers with mixed-maturity product portfolios — where some products are closer to ready than others, and no one quite knows the full picture yet. We work across the portfolio, not product by product in isolation.
Before you can remediate, you need an accurate picture. We interview engineering, product, and relevant management personnel, review your product-family structure, connectivity models, and update practices, and identify the most material readiness gaps across the portfolio — not just the obvious ones.
This phase produces a shared baseline that's credible enough to act on and honest enough to be useful.
We go deeper on each covered product group — assessing architecture, trust assumptions, communications exposure, updateability, and current process realities. We run engineering working sessions to test what's actually achievable and build remediation plans that your teams can execute against.
The output isn't a list of problems. It's a prioritized, sequenced roadmap.
Once your teams have acted on the highest-priority items, we review whether those actions actually address the underlying issues — not just the surface presentations. We identify what's closed, what remains open, and what still needs work before you can build a credible evidence position.
Regulators and market surveillance authorities don't take your word for it. We help you organize and strengthen the body of evidence supporting your readiness position — identifying major gaps, guiding how materials are structured, and reviewing how your remediation claims align with available documentation.
This program is designed for manufacturers with real product portfolios, real engineering teams, and real pressure to reach a defensible position before the enforcement window closes.
Industrial & commercial manufacturers
You make connected products — machinery, industrial equipment, sensors, embedded systems, or similar — that are sold or distributed in EU markets.
Mixed-maturity portfolios
Your product lines vary significantly in how they were designed, how they're updated, and how visible their software supply chain is. You don't have a uniform starting point.
No prior CRA baseline
You haven't yet established a formal view of where your products stand relative to CRA obligations — or the exercise was done at too high a level to be actionable.
Engineering-led, not consultant-led
You want a working engagement your teams can participate in and learn from — not a report that lands on a shelf. Remediation needs to be executable by your people.
EU market exposure that matters
Whether EU revenue is your primary market or a meaningful segment, non-compliance carries enough financial and reputational risk to warrant serious investment now.
M&A context
You are acquiring a manufacturer with a product portfolio that carries undisclosed cyber risk — or you are a target preparing to demonstrate a credible readiness position to buyers.
Most compliance engagements treat the technical work as a formality. We don't. The gap between where manufacturers stand and where the CRA requires them to be is a real engineering and process problem — and that's what we solve.
We assess and plan across your full product portfolio, not one product in isolation. Cross-portfolio patterns change the prioritization — and the economics — of remediation significantly.
We tell you what the actual gaps are, not a softened version of them. A readiness position that can't survive scrutiny from a market surveillance authority or an acquirer's due diligence team isn't a readiness position.
Our ongoing support model is designed to function as an embedded resource — participating in your SSDLC, not observing it. The teams doing your vulnerability management are the same ones who built your readiness baseline.
Cyfenders is based in the greater Chicago area, working with manufacturers and their teams wherever the work needs to happen — with an understanding of both US operational realities and EU regulatory requirements.
We don't produce deliverables designed to look good in a binder. Every phase output is intended to be actionable — by your engineering teams in the near term and by you in any regulatory or commercial context where it matters.
We structure the initial engagement to reach substantial completion well ahead of December 2027, when the CRA's main product obligations apply — giving you time to remediate, build your evidence package, and respond to anything that surfaces late. Reporting obligations arrive sooner, in September 2026, and we factor that into timing from the start.
Yes — that's part of Phase 1. Many manufacturers have products that sit in a gray zone, and the scoping analysis requires a close reading of the product's connectivity, digital elements, and update model against CRA applicability criteria. We work through that with you rather than assuming the answer upfront.
The program is designed for portfolio-level work. We start with a cross-portfolio baseline to understand how products group, which share components or architectures, and where the most material gaps are. That lets us prioritize depth where it matters rather than spreading effort evenly across everything.
If your portfolio is very large, we discuss how to define an appropriate initial scope and can structure coverage to expand over time.
No — but it requires honest assessment of where you stand and a realistic remediation plan, not a compliance documentation exercise layered over an unchanged product. The manufacturers who reach a defensible position are the ones who understand their actual gaps and address them systematically. That's what this program is built for.
The initial engagement does not include adversarial testing, product penetration testing, code review, firmware review, or binary analysis. The focus is on readiness assessment, gap identification, remediation planning, closure review, and evidence support. If technical security testing becomes relevant to your needs, we can discuss that separately.
Cyfenders' work is designed to help you establish a more defensible position relative to applicable CRA requirements — not to certify compliance or guarantee a specific regulatory outcome. We don't provide legal advice, and compliance determinations ultimately rest with regulators and, where applicable, notified bodies. What we can help you build is a position that is honest, documented, and capable of withstanding scrutiny.
Yes. Acquirers are increasingly treating unpriced cyber risk in product portfolios as a deal-level issue. A credible, documented readiness position — built through structured assessment rather than produced in response to a diligence request — is substantially more useful in that context. We work with manufacturers preparing for transactions as well as acquirers assessing post-close risk.
We work with manufacturers across product portfolios to establish a defensible CRA readiness position. Let's talk about where you stand.
Contact Cyfenders