Implement the Cyber Resilience Act and reduce complexity
From December 2027 there will be no CE marking without CRA conformity. We guide manufacturers of industrial and railway components through CRA and IEC 62443 in a structured way — with a clear roadmap, the right priorities and security engineering that fits your existing product roadmap.
Your CRA roadmap instead of scattergun CRA effort and budgets
The Cyber Resilience Act in brief
The CRA links the CE marking to cybersecurity requirements. Without proof of conformity, products with digital elements may no longer be placed on the EU market from December 2027. Violations are subject to fines of up to EUR 15 million or 2.5% of worldwide annual turnover.
In force since December 2024 · Reporting obligation from September 2026 · Full conformity from December 2027
IEC 62443 AS THE IMPLEMENTATION FRAMEWORK
IEC 62443 forms the technical basis for CRA implementation. We work along the standard parts for risk analysis, development process, component requirements and system requirements.
- IEC 62443-4-1
- IEC 62443-4-2
- IEC 62443-3-2
- TS 50701 / IEC 63452
- IEC 62443-3-3
Our CRA solution for manufacturers
If you are a manufacturer of connected devices, software or IoT products struggling with the requirements of the Cyber Resilience Act, you are not alone.
MANY COMPANIES WASTE VALUABLE RESOURCES BECAUSE THEY ...
- ... misjudge the cybersecurity requirements.
- ... implement all requirements in an overly complex way.
- ... start implementation too late and miss statutory deadlines.
OUR STRUCTURED COMPLIANCE APPROACH WAS DESIGNED TO ELIMINATE THIS COMPLEXITY.
It helps you achieve CRA conformity faster, more easily and without unplanned costs or technical overload.
CRA READINESS CHECK
The structured entry point into your CRA project. After a runtime of 4-6 weeks you will hold a reliable maturity report with a prioritised action plan and effort estimate — the basis for your internal decision-making and budget planning.
What you achieve with our CRA offering
As a manufacturer, you bear responsibility across the entire product lifecycle, from development through operation to updates, and strict requirements apply for conformity, vulnerability management and security updates. This is exactly where we come in: we prioritise what is really necessary and guide you to CRA conformity with clear priorities and predictable effort.
As a component manufacturer, you are the primary point of responsibility for CRA obligations. We make sure your components meet the CRA requirements in time and remain CE-compliant even after 11 December 2027. You avoid being removed from tenders and delivery stops imposed by your customers.
You receive a prioritised action plan with effort estimate that fits into fixed release cycles. Security by design instead of expensive rework just before the deadline — and no surprises from the audit.
Operators of railway and industrial infrastructure increasingly require IEC 62443 evidence in tenders. Those who deliver earlier than the competition win contracts. Compliance turns from a cost factor into a selling point.
We do not work behind closed doors. We hand over methodology, tools and processes to your development teams, so you can develop follow-up products and variants in a standard-compliant way on your own.
Typical course of a CRA project
Phase 1
PRODUCT ANALYSIS AND CATEGORISATION
- 01 Scoping
- 02 Analysis
Assessing your products comes right at the beginning. All relevant devices, software products and connected components are recorded and classified into the CRA product classes.
Products with digital elements must undergo a risk assessment, and vulnerabilities must be documented and handled to ensure conformity with the requirements of the CRA.
Products in higher risk classes are subject to more demanding security measures, including deeper risk assessments and advanced security mechanisms.
METHODS & FRAMEWORKS
STRIDE • MITRE ATT&CK FOR ICS • MITRE EMB3D • ATTACK TREES • DATA FLOW DIAGRAMS • 62443-4-1 PRACTICES • CRA ANNEX • MATURITY ASSESSMENT
Phase 2
IMPLEMENT REQUIREMENTS
- 03 Concept
- 04 Implementation & Test
Implementing the security-by-design and security-by-default principles forms the core of this phase. Products must be supplied with security updates throughout the entire support period — at least five years, and correspondingly longer where a longer expected service life is anticipated (as is common for railway and industrial components).
A systematic process for monitoring, reporting and remediating vulnerabilities is mandatory for companies. Manufacturers must also maintain a precise Software Bill of Materials of the components and third-party libraries they use.
Companies are further obliged to provide regular security updates and patches over a defined period. This phase transforms technical requirements into concrete development and operational processes.
METHODS & FRAMEWORKS
DEFENSE IN DEPTH • LEAST PRIVILEGE • SECURE BOOT • KEY MANAGEMENT • LIBFUZZER • AFL++ • ASAN / MSAN • CI/CD
Phase 3
ENSURE ONGOING CONFORMITY
- 05 Lifecycle
The declaration of conformity is required to demonstrate that a product meets all requirements of the CRA. The conformity assessment procedure varies by product category — from self-assessment for standard products to external evaluation for critical components.
The CE marking is proof of conformity for products that must meet the security requirements.
In parallel, documentation and reporting procedures are established, as the obligation for manufacturers to report actively exploited vulnerabilities and security incidents comes into force on 11 September 2026.
METHODS & FRAMEWORKS
SBOM MAINTENANCE • CVE TRACKING • VULNERABILITY HANDLING • INCIDENT REPORTING • CE CONFORMITY
No guesswork. No wasted effort.
Just structured progress towards full CRA compliance.
01 Scoping
Definition of the target security level and project scope.
02 Analysis
Gap analysis and threat modeling based on the system architecture.
03 Concept
Security concept with concrete measures and prioritisation.
04 Implementation & test
Implementation, pentesting, fuzzing against IEC 62443-4-2.
05 Lifecycle support
Vulnerability handling, SBOM maintenance, secure updates.
"Only those who know complex systems such as process control technology or train control in detail can embed security holistically."
Timon Eßlinger - Project Lead Cyber Security, Codewerk
Structured implementation with concrete results
We do not work from standard checklists. We derive recommendations and protective measures from a concrete analysis of your product and its operating environment, so the result really fits your component. Four examples from our practice.
We model threats based on the actual system architecture. For a control component from a pump manufacturer, we analyse communication interfaces (MVB, WTB, TRDP, PROFINET, OPC UA, MQTT), firmware update mechanisms and fall-back behaviour under attack scenarios.
OUTPUT
Threat catalogue with risk assessment
Prioritised list of measures, mapped to IEC 62443-4-2 Foundational Requirements
Understanding the standard is usually not the problem — estimating the effort is. Without it, compliance becomes a perpetually postponed initiative.
That is why we assess maturity on two levels, because one alone says too little: the development process against IEC 62443-4-1, the product against 62443-4-2. Both compared against CRA Annex I. The valuable output is, alongside the findings, a reliable effort estimate.
OUTPUT
Structured maturity report
Identified gaps with recommended actions and effort estimate
In many embedded projects we discover the same patterns: insecure fall-back mechanisms, weakly protected key material, missing separation between components. Anyone who only notices this after release either builds expensive workarounds or lives with the risk. That is why we anchor security requirements as early as the architecture phase.
OUTPUT
Security architecture concept
incl. software requirements mapped to IEC 62443-4-2
We have built fuzzing firmly into the CI/CD pipeline — as an ongoing process rather than a one-off action. For OT protocols such as PROFINET or TRDP we developed dedicated test inputs that the stack actually processes — random data would otherwise be rejected straight away as invalid, without learning anything. This way vulnerabilities surface early and reproducibly, spread over weeks rather than concentrated in a single reporting week.
OUTPUT
Continuous vulnerability analysis
Reproducible crash reports, code coverage reports over time, prioritised fix list
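The harness pattern behind the point above, as an added example written for this page (not Codewerk's tooling and not a real PROFINET or TRDP format): the frame layout, `crc16_ccitt`, `parse_frame` and `build_frame` are constructed assumptions. Feeding raw fuzzer bytes to `parse_frame` fails at the magic, length or CRC check; `build_frame` wraps the same bytes in a valid header so the mutations reach the payload-handling code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed frame layout (assumption, not PROFINET or TRDP):
   magic(2) | msg_type(1) | flags(1) | payload_len(2) | crc16(2) | payload */
#define HDR_LEN 8
#define MAX_PAYLOAD 256

static uint16_t crc16_ccitt(const uint8_t *d, size_t n) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(d[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Code under test: 0 = accepted, negative = rejected before payload logic runs. */
int parse_frame(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap) {
    if (len < HDR_LEN) return -1;
    if (buf[0] != 0x4F || buf[1] != 0x54) return -2;            /* magic "OT" */
    uint16_t plen = (uint16_t)((buf[4] << 8) | buf[5]);
    if (plen > MAX_PAYLOAD || HDR_LEN + plen != len) return -3; /* length check */
    if (((buf[6] << 8) | buf[7]) != crc16_ccitt(buf + HDR_LEN, plen)) return -4; /* CRC */
    if (plen > out_cap) return -5;
    memcpy(out, buf + HDR_LEN, plen);
    return 0;
}

/* Harness helper: wraps fuzzer bytes in a valid header so mutations reach the payload. */
size_t build_frame(const uint8_t *data, size_t size, uint8_t *frame, size_t cap) {
    if (size < 2 || size - 2 > MAX_PAYLOAD || HDR_LEN + size - 2 > cap) return 0;
    size_t plen = size - 2;
    uint16_t crc = crc16_ccitt(data + 2, plen);
    frame[0] = 0x4F; frame[1] = 0x54;
    frame[2] = data[0]; frame[3] = data[1];                /* msg_type, flags: fuzzer-chosen */
    frame[4] = (uint8_t)(plen >> 8); frame[5] = (uint8_t)plen;
    frame[6] = (uint8_t)(crc >> 8); frame[7] = (uint8_t)crc;
    memcpy(frame + HDR_LEN, data + 2, plen);
    return HDR_LEN + plen;
}

/* libFuzzer entry point: build with clang -fsanitize=fuzzer,address */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t frame[HDR_LEN + MAX_PAYLOAD], out[MAX_PAYLOAD];
    size_t n = build_frame(data, size, frame, sizeof frame);
    if (n) parse_frame(frame, n, out, sizeof out);
    return 0;
}
```

In a CI job the same binary runs for a fixed time budget against a persisted corpus, so coverage and crash reports accumulate across builds rather than in one campaign.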
WHY CODEWERK
SYSTEM KNOW-HOW MEETS SECURITY ENGINEERING
We develop software for safety-critical systems and bring this knowledge into every security assessment.
INDUSTRY & OT
Many years of development experience in process control technology (SIMATIC PCS 7 / neo) and industrial communication (PROFINET, OPC UA, Modbus/TCP). We know OT environments from the implementation side, not just from the pentest report.
COMPLETE RAILWAY STACK
Vehicle control and train communication from hands-on development: MVB, WTB, TRDP, ETCS environment. This lets us cover TS 50701 and IEC 63452 from deep system understanding, not just from a standards perspective.
ISO 27001 CERTIFIED
Information security is lived practice for us, certified to ISO 27001 since 2020 and audited annually. What we require of you, we practise ourselves.
RESEARCH & STANDARDISATION
Active involvement in international research and standardisation projects in the railway industry. We see new requirements before they appear in the standard.
Frequently asked questions
Here you will find answers to frequently asked questions about the Cyber Resilience Act and our services.
The Cyber Resilience Act (CRA) is an EU-wide regulation that, for the first time, establishes binding security requirements for all products with digital elements. The aim of this regulation is to significantly raise the level of cybersecurity within the European Union and to better protect consumers and businesses against cyber threats.
The CRA obliges manufacturers, importers and distributors to ensure that their products — whether hardware or software — meet fundamental cybersecurity requirements and are supplied with up-to-date security updates throughout the entire product lifecycle.
The scope of the CRA covers all products with digital elements made available on the European market. This includes classic IT hardware, smart devices, industrial controllers, software products and connected applications. The regulation applies both to new products and to existing products that are substantially modified after the CRA enters into force.
Manufacturers must demonstrate that their products comply with the requirements of the Cyber Resilience Act (CRA) before they may sell them in the EU.
With the CRA, the EU sets a new standard for cybersecurity and product safety that is relevant to every company that develops, manufactures or imports digital products. Compliance with the security requirements is a prerequisite for market access and strengthens the trust of users and consumers in the security of digital products.
The Cyber Resilience Act is being implemented in stages through to the end of 2027. With our structured approach, most companies reach full conformity within 6-12 months, depending on product complexity and existing processes. Important: the reporting obligations already take effect from September 2026.
That depends on your product class. For standard products we support your team with clear specifications, templates and checklists, so you can implement much of it yourself. Important and critical products require an external conformity assessment — here we take on the necessary security engineering and guide you through the evaluation.
Violations of the CRA requirements are monitored by national supervisory authorities and can be penalised with substantial fines of up to 15 million euros or 2.5% of worldwide annual turnover. Sales of non-compliant products can be prohibited, and products can be withdrawn from the European market. The market surveillance authorities of the EU member states have extensive powers to verify and enforce compliance.
Standard products (around 90% of all products with digital elements) can carry out a self-assessment. Important products of class I can be self-assessed, provided the relevant harmonised standards are fully applied — otherwise an external conformity assessment is required. Class II products generally require the involvement of a notified body or an EU certification. Critical products are subject to the strictest requirements, with an EU certification scheme at the substantial level.
The CE marking is a central element of the Cyber Resilience Act and signals that a product meets the security requirements applicable in the EU. For manufacturers, this means they must carry out a comprehensive conformity assessment before placing their products with digital elements on the market. This process ensures that all requirements of the CRA — from technical security to organisational measures — are met.
As part of the conformity assessment, manufacturers document how their products meet the specific requirements of the CRA. Once this process has been successfully completed, a declaration of conformity is issued confirming compliance with the EU requirements. Only then may the CE marking be affixed and the product offered on the European market.
The CE marking is therefore not only a legal requirement but also a visible sign to consumers and business partners that the product meets current security standards. For companies, carrying out the conformity assessment correctly is crucial to minimise liability risks and secure access to the European market.
Start your CRA project today
The earlier you start, the more predictable effort and budget remain — and the more reliably you will meet the deadline of 11 December 2027.
DO NOT WAIT UNTIL THE DEADLINES BECOME CRITICAL.