EU Cyber Resilience Act · Regulation (EU) 2024/2847
Know what a CRA auditor will reject — before your CE mark depends on it.
The conformity workbench for OT and ICS manufacturers — whether you are based in the EU or selling into it. It walks each product through the six-step conformity workflow, scores your evidence the way an assessor will, and bridges existing IEC 62443 work onto CRA requirements — so you reach a reviewer-ready package, faster.
Key compliance dates
Article 14 reporting applies to all in-scope products within months.
The six-step package
From product profile to a reviewer-ready conformity package
Start from a structured OT product profile — not a blank prompt. The workbench produces each step of the manufacturer's legal obligation chain, with citations.
Classify the product
Default, important class I & II, or critical — with a defensible, documented rationale.
Annex III / IV · Article 7
Assess cybersecurity risk
A risk assessment tied to the specific Annex I requirements it activates.
Article 13
Produce the gap report
Product properties and vulnerability handling scored Met / Partial / Not met, with remediation.
Annex I Part I + II
Determine the route
Self-assessment versus third-party conformity assessment — and what makes the route flip.
Article 32
Stand up the vulnerability programme
Coordinated disclosure plus the 24h / 72h / final reporting playbook.
Article 14 · Part II
Assemble the technical file
A technical-documentation skeleton populated from the steps above — ready for review.
Annex VII
Who the CRA applies to
Selling into the EU? The CRA applies — wherever you build.
The Cyber Resilience Act governs products with digital elements placed on the EU market, regardless of where the manufacturer is established. An OT device built in Milwaukee or Munich faces the same Annex I essential requirements once a European operator can buy it.
Conformity is the market-access gate
Without a CE mark, an EU Declaration of Conformity and an Annex VII technical file, an in-scope product cannot be lawfully sold on the EU market.
A global OT maker, one EU rulebook
If you ship industrial or ICS products to European plants, integrators or distributors, the same obligations bind you — Annex I requirements, CE conformity, and Article 14 vulnerability reporting — even with no EU office.
Your EU buyers will ask for it
European operators procuring control-system equipment increasingly require CRA conformity evidence in tenders. The workbench produces the package they — and a notified body — will scrutinise.
Why it's reliable
Generators fill in forms. This workbench knows what fails scrutiny.
The six-step deliverable is table stakes. Two things make it defensible for OT/ICS manufacturers — and neither comes from a template tool.
Auditor-grade judgment
Every conclusion carries assessor review notes: why current evidence is weak, what an auditor would likely reject, and what stronger evidence looks like — each with a confidence level.
PARTIAL is where files quietly fail. A security feature that ships disabled does not satisfy secure-by-default — the file must prove the shipped default, not the hardening guide.
CRA ↔ IEC 62443-4-1 bridge
If you already run a 62443 secure-development lifecycle, much of your CRA evidence already exists. The bridge maps each CRA requirement to the evidence artefact and the 62443 practice that produces it.
EU funding · Digital Europe Programme
The EU will help pay for your CRA readiness
Through the SECURE programme — “Strengthening EU SMEs Cyber Resilience”, funded under the Digital Europe Programme — micro, small and medium-sized enterprises can claim up to €30,000 in co-funding for CRA gap analysis, product classification, testing and documentation.
Our workbench produces exactly the evidence and documentation these grants are designed to fund — and the structured assessment that makes for a stronger application.
Malkan Solutions is an independent provider and is not affiliated with, or endorsed by, the SECURE consortium, the European Cybersecurity Competence Centre, or the European Commission. Grant availability, eligibility and amounts are set by the programme and its open calls — see secure4sme.eu for current terms.
- Gap analysis & diagnostics — external review of CRA readiness
- Product classification — Default / Class I / Class II determination
- Testing & documentation — evidence the workbench generates
- Pre-audit advisory — preparation ahead of a notified body
Document generation
The workbench writes your documents — not blank templates
Most CRA failures are process failures: no CVD policy, no SBOM procedure, no reporting playbook. Each document is generated from your assessment, public-posture research, and a few answers.
CVD Policy & PSIRT Intake Pack
Coordinated disclosure policy, security contact, intake workflow and advisory template.
SBOM Process Pack
SPDX / CycloneDX generation procedure with a per-release SBOM register.
Reporting Playbook
24h / 72h / final report forms, severity triage and the single-platform runbook.
Risk Assessment Template
Threat-to-requirement risk model with the Article 13(4) justification register.
Technical File Skeleton
The full documentation structure with traceability from claim to evidence artefact.
Declaration of Conformity Draft
EU DoC structure ready to finalise once the assessment route is confirmed.
Built for scrutiny
Engineered to hold up in front of an assessor
Cited to the regulation
Every conclusion traces to the article, annex or part it rests on — no unsupported claims, no generic boilerplate.
Your engineering stays yours
The workbench shows precisely what evidence and controls each requirement needs. It documents conformity — it does not replace your engineering.
Neutral on notified bodies
Where third-party assessment is required, any referral is neutral and unpaid (CRA Art 39; Regulation (EC) 765/2008).