Applicable Standards
Who Needs CRA Compliance
- ✓ Connected product manufacturers (IoT devices, smart appliances, industrial sensors) targeting EU markets
- ✓ Industrial Control System (ICS/SCADA/OT) operators and critical infrastructure suppliers requiring IEC 62443
- ✓ Taiwan EMS/ODM/OEM manufacturers producing connected products for European brands
- ✓ TISAX-assessed or ISO/SAE 21434-aligned automotive suppliers extending to broader industrial cybersecurity frameworks
Four-Step Certification Pathway
Gap Assessment & Risk Analysis
Map product design and organizational processes against the EU CRA Essential Requirements (Annex I) and the IEC 62443 framework, identify cybersecurity gaps, and define the compliance scope: the product's CRA category (default, important Class I/II, or critical), which determines the conformity assessment route, and the IEC 62443 target Security Levels (SL-T 1-4) for each security requirement.
Security Requirements Design & Documentation
Establish product security requirements per IEC 62443 (system requirements from IEC 62443-3-3, component requirements from IEC 62443-4-2, secure development lifecycle from IEC 62443-4-1), design the cybersecurity architecture, and prepare the Technical Documentation and EU Declaration of Conformity (DoC) that the CRA requires.
Implementation Verification & Penetration Testing
Verify the implemented security functions, run vulnerability scanning and penetration testing against the product, and record the results as evidence that the product meets the CRA Essential Requirements (Annex I).
CE Marking & Continuous Monitoring
Support Notified Body selection where third-party assessment is required, complete the conformity assessment procedure, affix CE marking, and establish post-market vulnerability handling, incident and vulnerability reporting, and security update mechanisms covering the product's support period (at least five years unless the product's expected lifetime is shorter).
Frequently Asked Questions
What is the EU CRA and when does it become mandatory?
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is the EU's mandatory cybersecurity regulation for products with digital elements: hardware and software products, connected devices included, placed on the EU market. It entered into force on 10 December 2024. Manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the remaining obligations, including the Essential Requirements, conformity assessment and CE marking, apply from 11 December 2027. From that date, products with digital elements that do not comply cannot be placed on the EU market.
What is the relationship between IEC 62443 and EU CRA?
IEC 62443 is the international standard series for the cybersecurity of Industrial Automation and Control Systems (IACS), covering the secure product development lifecycle (IEC 62443-4-1), component requirements (IEC 62443-4-2) and system requirements (IEC 62443-3-3). The CRA text itself does not name IEC 62443 or any other standard: presumption of conformity with the Essential Requirements is granted only for harmonised standards whose references are published in the Official Journal of the EU, for common specifications adopted by the Commission, or for European cybersecurity certificates. The European standardisation organisations are developing those harmonised standards, and the IEC 62443 series is a major input to that work, so aligning the product and its development process with IEC 62443 now positions it well for the harmonised standards once they are cited and substantially reduces the effort of demonstrating conformity.
Which products need to comply with EU CRA?
The EU CRA applies to all products with digital elements placed on the EU market, with limited exclusions (for example products already covered by EU medical device, vehicle type-approval or civil aviation rules, and non-commercial free and open-source software). Products are categorized as: default products (self-assessment is sufficient), important products Class I (self-assessment only if harmonised standards, common specifications or a certification are applied in full, otherwise third-party assessment; examples include operating systems, routers, modems and switches, password managers, VPN products, and microcontrollers with security-related functions), important products Class II (mandatory third-party conformity assessment; examples include firewalls, intrusion detection and prevention systems, hypervisors and container runtimes, and tamper-resistant microprocessors and microcontrollers), and critical products (hardware devices with security boxes such as HSMs, smart meter gateways, and smartcards and secure elements), for which the Commission may mandate certification under a European cybersecurity certification scheme. Taiwan-manufactured connected devices, IoT products, and industrial control system components exported to the EU are almost universally in scope.
What are the penalties for CRA non-compliance?
Non-compliance with the Essential Requirements or with the manufacturer's core obligations (including reporting): up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. Non-compliance with other obligations of the regulation: up to €10 million or 2%. Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities: up to €5 million or 1%. Taiwan manufacturers unable to obtain CRA-compliant CE marking before 11 December 2027 will be unable to place connected products on the EU market.
How does IEC 62443 differ from TISAX / ISO 21434?
TISAX is an assessment and exchange mechanism for information security (based on the VDA ISA catalogue) used across the automotive supply chain, and ISO/SAE 21434 specifies cybersecurity engineering for road vehicles over the product lifecycle. IEC 62443 covers the broader field of Industrial Automation and Control Systems (IACS), including manufacturing, energy, water treatment, and smart buildings. The EU CRA covers all products with digital elements placed on the EU market, consumer and industrial alike, while vehicles subject to EU type-approval are excluded from its scope. Winners Consulting can integrate all three frameworks, reusing the controls they share (risk assessment, secure development lifecycle, vulnerability management) to avoid duplicate build-out and maximize cross-framework synergies.
Request a Free Compliance Assessment
Discover how far your products are from EU CRA compliance