Catalogue / CRA

Cyber Resilience Act

The CRA sets mandatory cybersecurity requirements for products with digital elements sold in the EU — secure-by-design, vulnerability handling, and incident reporting across the whole product lifecycle.

In practice that means building security in from the start, then proving it: a technical file and an EU Declaration of Conformity, CE marking, a coordinated vulnerability-disclosure process and an SBOM, and active reporting of exploited vulnerabilities — evidenced from design through the end of the support period.

Who must comply: Anyone making, importing or distributing products with digital elements on the EU market. A few product classes under their own regimes — medical devices, vehicles, aviation — and pure SaaS sit largely outside scope.

  • Secure-by-design — no known exploitable vulnerabilities at release
  • Vulnerability handling, a CVD policy and an SBOM
  • Article 14 reporting of actively exploited vulnerabilities
BEST VALUE
THE FULL CRA KIT
Complete bundle
450one-time550SAVE €100
All three role packs — manufacturer, importer & distributor
Every CRA document, ready to edit
START-HERE guide + inline “what to change” guidance in every file
The Currency Stamp — kept current as the rules move
Buy now →
Pay once·30-day money-back·EU VAT handled
Just one role, or start at €24? Compare all packs ↓

Does this sound like your CRA project?

Which role are you?

Importer and distributor duties are real, but the market's guidance is written for manufacturers — it's easy to apply the wrong obligations.

Evidence, not just intent

The CRA expects documented conformity — a technical file, records and declarations — not a one-page statement.

A moving deadline

Article 14 reporting begins 11 Sep 2026 and full conformity follows 11 Dec 2027. The clock is already running.

Rebuilding the documentation

Lean teams recreate the same scope record, policies and runbooks from scratch — slowly, and with no one maintaining them.

Your duties depend on what you do with the product

Importer & distributor packs most toolkits skip ↓

Importer — what you must do

You place a non-EU product on the EU market.

Verify
Place only conforming products
Before placing a product on the EU market, satisfy yourself the manufacturer ran the conformity assessment, drew up the technical documentation, affixed CE marking and provided the EU DoC and user information.
Identify
Put your identity on it
Indicate your name, registered trade name or trademark and a contact address on the product — or on its packaging or an accompanying document.
Act on doubt
Withhold, inform, cooperate
If you believe a product is non-conforming, don't place it until it is. Where it presents a significant risk, inform the manufacturer and the market-surveillance authorities and cooperate on corrective action.
Records
Keep the evidence available
Keep a copy of the EU DoC and ensure the technical documentation can be made available to authorities throughout the support period and retention window.
THE Importer PACK6 documents
Importer obligations summary
Pre-market due-diligence checklist
Conformity verification record
Article 14 awareness note
Records & retention template
Market-surveillance cooperation
150one-time · pay once, own it
Buy the Importer packNot sure this is you? Check scope →
See the quality before you buy — one real, watermarked document.Download a free sample (Scope & Classification record) →
PRICING

Pay once, own the documents

QUICK-START
24one-time

The three highest-value documents to start today: the CVD policy, the Article 14 reporting runbook, and the EU Declaration of Conformity.

Start for €24
MOST POPULARROLE PACK · IMPORTER
150one-time

One complete role pack — manufacturer, importer or distributor. Every document that role needs, with inline editing guidance.

Buy the Importer pack — €150
COMPLETE BUNDLE
450one-time

All three role packs in one — for businesses that are more than one role, or consultants serving several clients.

Buy Complete — €450

30-day money-back · EU VAT handled at checkout · not legal advice

The high-liability documents — the Scope & Classification record above all, which sets your conformity route —
are practitioner-built starting points, not “fill-and-rely.” Review them with qualified counsel before you rely on them.

WHY TRUST THIS KIT

Built & maintained by a practicing CISO

The CRA kit is authored and maintained by a practicing CISO in EU-regulated fintech — not a content farm. The Scope & Classification record is reviewed against the consolidated regulation text and flagged for your legal sign-off.

Read the methodology & independence statement →
KEPT-CURRENT PROOFFull changelog →
2026-07-01
v1.4
Updated the Article 14 runbook for the final reporting-platform guidance; added an importer retention table.
2026-05-12
v1.3
Split distributor due-diligence into a standalone checklist; clarified CE-marking verification steps.
2026-02-20
v1.2
Aligned the scope & classification record to the consolidated Regulation (EU) 2024/2847 text.

Questions, answered plainly

No. The kits are practitioner-built templates that require review by you (and, for the high-liability documents, qualified counsel) before you rely on them. The Scope & Classification record is the one to review first — it sets your conformity route. Every document says so in its front matter.

Get the CRA readiness checklist for your role

A free, role-specific one-pager — and the start of a short, practitioner-written email sequence that walks you to a filed document set. No spam, unsubscribe anytime.

Practitioner-built templates — not legal advice.