
CRA Compliance Assessment and Support


Boost digital trust with the new Cyber Resilience Act. Security by design, protection throughout the entire lifecycle.

The Cyber Resilience Act (CRA) is the European Union Regulation (Regulation (EU) 2024/2847) that entered into force on December 10, 2024, aimed at strengthening the cybersecurity of products with digital elements marketed in the European Union. This regulation seeks to ensure that products with digital elements placed on the European market (whether software or hardware) maintain high cybersecurity standards from their development phase and throughout their entire lifecycle, reducing the presence of vulnerabilities.

A product with digital elements is understood to be one that:

  • Connects directly or indirectly to a network or to another device.
  • Processes digital data.
  • Incorporates software or firmware.

The CRA regulation will partially enter into application starting on September 11, 2026, through the mandatory notification of actively exploited vulnerabilities and serious security incidents, and it will become fully mandatory on December 11, 2027.

Who is affected by the CRA?

  • Manufacturers of digital products: both companies established within the European Union and those outside it, as long as the products are placed on or marketed in the European market.
  • Software developers: responsible for designing and maintaining applications so that they comply with the cybersecurity requirements established in the regulation.
  • Importers and distributors: intermediaries in the product supply chain who must ensure that the products they distribute or market comply with the regulation.
  • Other operators: resellers or any other entity involved in the commercialization of products within the EU environment.


Service Objective

The objective of this service is to carry out an implementation process of the Cyber Resilience Regulation (EU) 2024/2847 (Cyber Resilience Act) of October 23, 2024, structured in phases with clear goals to achieve compliance with the horizontal cybersecurity requirements for products with digital elements covered by the regulation.

Project Phases

The phases of the project are as follows:

Phase I: Scope Definition and Gap Analysis

Stage I: Scope, Classification, and Gap Analysis

  • All products to which the CRA applies are analyzed.
  • The category to which they belong is determined based on the classification defined by the CRA.
  • A gap analysis is carried out with respect to the articles of the regulation and the fulfillment of the essential cybersecurity requirements (Annex I), and an action plan is prepared to achieve compliance with the regulation before December 11, 2027.

Stage II: Notification of Vulnerabilities and Serious Incidents

  • An analysis is carried out of the current Policies, Procedures, and Processes for managing and reporting vulnerabilities and security incidents.
  • The definition or modification of the Policies or Procedures affected by the vulnerability and serious incident notification process is performed, aligning them with the CRA in order to achieve compliance with Article 14, which enters into application on September 11, 2026.

Phase II: Implementation Support

Stage I: Risk Assessment

  • Objectives: Based on the risk‑based approach, tailor compliance actions according to the type of product, its criticality, its intended use, and the potential impact within the digital environment.
  • Activities:
    • Clear definition of in‑scope assets
    • Threat modeling
    • Identification of risks and treatment mechanisms
  • Deliverables:
    • Risk Matrix and CRA Control Mapping
    • Risk Treatment Report
    • Procedure for periodic updates of the Risk Assessment and Risk Register (AARR)

Stage II: Technical Assessment of CRA Requirements

  • Objectives: Review of hardware, firmware, communications, and associated applications with the aim of detecting vulnerabilities, weaknesses, and anomalous behaviors.
  • Methodology:
    • Reconnaissance: Identification of interfaces, documentation, and environment.
    • Analysis: Review of software, hardware, and basic security testing. Review of configurations (hardening).
    • Connectivity testing: Verification of apps, APIs, and local communications.
  • Deliverables: Report and recommendations.

Stage III: Implement and Integrate CRA into the Lifecycle of the Affected Products

  • Objectives:
    • Standardize the CRA compliance process
    • Integrate the CRA compliance process into the affected areas of the organization.
  • Activities:
    • Support for the implementation of the CRA alignment plan defined in Phase I and based on the risks previously identified.
    • Definition or update of Policies, Procedures, and/or Methodologies affected by the CRA to ensure alignment with the regulation.
  • Deliverables:
    • Recommendation reports on compliance with the articles and Annexes I and II of the regulation.
    • Policies, procedures, and methodologies aligned with the CRA.

Stage IV: CRA Compliance Assessment

  • Objectives: Validation of compliance with the articles of the regulation, Annex I – Part I and Part II, and Annex II, as a preliminary step to the conformity assessment through internal control or by a third party (notified body).
  • Activities: Internal audit that evaluates compliance with the measures indicated in the CRA regulation.
  • Deliverables: Report detailing the compliance status.
