EU Cyber Resilience Act: Why Manual Compliance Fails and What Manufacturers Need Now
The Deadline Is Set. Preparation Is Not.
On 11 September 2026, the first binding requirement of the EU Cyber Resilience Act (Regulation (EU) 2024/2847) takes effect: manufacturers of products with digital elements must report actively exploited vulnerabilities and serious security incidents to the responsible CSIRT and ENISA via the central Single Reporting Platform. The timelines are staggered: early warning within 24 hours, full notification within 72 hours, and a final report within 14 days for vulnerabilities or one month for incidents.
By 11 December 2027, all CRA requirements must be fully met. Non-compliant products may no longer be placed on the EU market. Violations carry fines of up to EUR 15 million or 2.5 percent of global annual revenue, whichever is higher.
The CRA applies across industries to all products with digital elements. Only sectors with existing specific regulation are exempt: medical devices (MDR/IVDR), vehicles (UN R155/EU 2019/2144), aviation (EASA), and marine equipment. For manufacturers in industrial automation, mechanical engineering, IoT, energy and building technology, agricultural technology, and telecommunications, the message is clear: the CRA applies to you.
What the CRA Actually Requires
The requirements go far beyond what most companies have in place today. At its core, the regulation demands:
- A Software Bill of Materials (SBOM) for every product
- Documented security-by-design processes including risk analysis and threat modeling
- Continuous vulnerability monitoring with matching against public databases
- The multi-stage reporting obligation under Article 14
- Supplier assessments and supply chain security
- Security support for the entire stated product lifetime
- Complete evidence documentation for audits and declarations of conformity
Critically, the reporting obligation starting September 2026 also applies to products already on the market before 11 December 2027 (Article 69(3)). There is no grandfathering for existing products.
Why Manual CRA Compliance Does Not Work
A mid-sized manufacturer with 50 product variants, each containing dozens of software components, faces the following reality: every component must be captured in an SBOM in standardized formats, continuously matched against vulnerability databases, and reported within tight deadlines when necessary. At the same time, the manufacturer must track which products are affected, how remediation is prioritized, and how the entire process is documented without gaps.
With spreadsheet-based approaches, fragmented point solutions, and manual processes, this cannot be reliably achieved across complex product portfolios with shared components and deep dependency trees. The consequences: information gaps, delayed vulnerability handling, missed reporting deadlines, and increased audit risk.
This is the feedback we receive in hundreds of conversations with manufacturers — regardless of industry or company size.
The Kunnus Platform: CRA Compliance as an End-to-End Process
Kunnus was built for exactly this problem: an all-in-one platform that covers the entire CRA compliance process in a single solution.
Product Inventory and CRA Classification
The product inventory manages product families, variants, and versions in a hierarchical structure. A guided classification wizard automatically assigns each product to the correct CRA category (Default, Class I, Class II, Critical). Existing product data can be synchronized via CSV import or through integration with existing PLM systems.
SBOM Management
SBOM management supports CycloneDX (JSON/XML) and SPDX (JSON/YAML/RDF) with full dependency visualization. Through CI/CD integration, SBOMs are automatically updated with every build. License risks and conflicts are identified automatically.
Vulnerability Tracking and Reporting Obligation
Vulnerability tracking automatically matches SBOM components against public vulnerability databases. Configurable SLA tracking per severity level and management of the multi-stage CRA Article 14 reporting deadlines (24h/72h/14 days) ensure no deadline is missed. Formal risk acceptance workflows with approval processes and audit trails document deliberate risk decisions. Impact analysis shows which products are affected and enables product-specific remediation strategies.
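To make the staggered Article 14 timelines concrete (both as stated under "The Deadline Is Set" and as tracked here), the following is an added illustration, not Kunnus code and not from the regulation text: it computes the three deadlines from the moment of awareness and classifies each stage as open, overdue or submitted. The function names, the sample timestamp and the modelling of "one month" as the same calendar day of the next month are assumptions.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Article 14 stages as stated on the page: early warning within 24h, full
# notification within 72h, final report within 14 days (vulnerability) or
# one month (incident). Assumption: every clock starts when the manufacturer
# becomes aware, and "one month" is the same calendar day of the next month.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT_VULN = timedelta(days=14)

# Constructed sample timestamp (not from the page): awareness on the day the
# reporting obligation takes effect.
SAMPLE_AWARE_AT = datetime(2026, 9, 11, 8, 0, tzinfo=timezone.utc)

def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to that month's length (31 Jan -> 28 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))

def article14_deadlines(aware_at: datetime, kind: str) -> dict:
    """Return the three reporting deadlines for a 'vulnerability' or 'incident'."""
    if kind == "vulnerability":
        final = aware_at + FINAL_REPORT_VULN
    elif kind == "incident":
        final = add_one_month(aware_at)
    else:
        raise ValueError("kind must be 'vulnerability' or 'incident'")
    return {"early_warning": aware_at + EARLY_WARNING,
            "notification": aware_at + NOTIFICATION,
            "final_report": final}

def reporting_status(deadlines: dict, submitted: set, now: datetime) -> dict:
    """Classify each stage as 'submitted', 'overdue' or 'open' at time `now`."""
    return {stage: "submitted" if stage in submitted
            else "overdue" if now > due else "open"
            for stage, due in deadlines.items()}

def next_open_deadline(deadlines: dict, submitted: set):
    """Earliest stage not yet submitted, as (stage, due); None when all done."""
    pending = [(due, stage) for stage, due in deadlines.items()
               if stage not in submitted]
    if not pending:
        return None
    due, stage = min(pending)
    return stage, due
```

Feeding `reporting_status` the current time on a schedule is what turns the deadline table into an alert: any stage that flips to "overdue" without a submission is a reporting breach.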
Security Controls and Documentation
Over 50 predefined CRA security controls with automatic gap analysis accelerate implementation. Controls can be simultaneously mapped to IEC 62443 and ISO 27001. Evidence is managed centrally, and reports and declarations of conformity are generated at the push of a button. Real-time notifications via email, Slack, and Microsoft Teams keep the team informed.
Supply Chain and Customer Portal
The supplier portal assesses the CRA maturity of suppliers using customizable frameworks. The customer portal provides security advisories and product security information through individually branded portals. The platform is available as a cloud or on-premise solution.
Four Phases to Compliance
Getting started follows a structured process:
Assess — Import products, match against CRA requirements, and classify by risk.
Implement — SBOM creation, security-by-design documentation, and threat modeling.
Monitor — Continuous vulnerability scanning, automated ENISA reporting, and tracking of regulatory changes.
Support — Dedicated Customer Success Manager, onboarding with team training, and ongoing platform updates.
The Result
Up to 70 percent lower compliance costs. 10x faster audits. Over 50 predefined CRA controls. Full ENISA reporting capability in under 24 hours.
Get Started Now
The CRA is not waiting. The September 2026 deadline for the reporting obligation is less than seven months away. Try Kunnus free for 14 days — no credit card required, EU-hosted.
Contact: kunnus@think-ahead.tech