CYBER RESILIENCE ACT Scope Check

The EU Cyber Resilience Act entered into force in December 2024. If your company makes or sells software, hardware, or connected products — including IoT devices, apps, or SaaS tools — you may have mandatory vulnerability reporting obligations from September 2026. We determine whether you're in scope and what you need to do.

The EU Cyber Resilience Act (CRA) entered into force on 10 December 2024. It introduces mandatory cybersecurity requirements for all manufacturers and developers of 'products with digital elements' — software, hardware, IoT devices, and connected systems sold into the EU market.

CRA deadlines for product makers

  • 11 September 2026: Vulnerability and incident reporting obligations to ENISA apply — manufacturers must report actively exploited vulnerabilities within 24 hours.

  • 11 December 2027: Full CRA requirements apply to all in-scope products.

Products already on the market before December 2024 have transitional provisions.

This service is specifically for companies that make or sell products with digital elements — software companies, IoT manufacturers, hardware producers, or businesses with embedded systems. It is not relevant for companies that purely use software made by others.

The implementation obligations under CRA are largely technical (CE marking, security-by-design, SBOM documentation). This service covers the compliance framework side — are you in scope, what documentation do you need, what policies and processes must be in place. Delivered in Swedish or English.

WHAT YOU GET

  • Scope determination — does the CRA apply to your products?

  • Product classification — what category of 'digital element product' you fall under

  • Role determination — are you a manufacturer, importer, or distributor under the CRA?

  • Gap assessment against CRA documentation and policy requirements

  • Vulnerability disclosure policy (VDP) template ready to implement before September 2026

  • Action plan for achieving CRA compliance in priority order


Who needs this

Companies that develop, manufacture, or sell software products, hardware with digital components, IoT devices, SaaS platforms, or any connected product into the EU market.

Timeline

90-minute intake session + 4-day report turnaround

Delivered as

Written scope assessment + gap report + VDP template — Swedish or English

Price

4,900–7,900 kr

The right consulting plan for your business