Nemko Digital, a leading figure in AI governance and digital trust, has unveiled a detailed compliance roadmap and checklist designed to aid organizations in meeting the European Union’s Cyber Resilience Act (CRA) requirements. This initiative arrives at a crucial time, as manufacturers must be prepared by September 11, 2026, to report actively exploited vulnerabilities and significant incidents within stringent 24-hour and 72-hour windows. This compliance framework is essential for companies, as failure to meet the CRA’s requirements could result in severe penalties, including fines up to €15 million or 2.5 percent of global annual turnover for serious infractions.
The CRA imposes new cybersecurity mandates on hardware and software products with digital elements sold within the EU, affecting a wide range of products from consumer IoT devices to industrial control systems. While full compliance is required by December 2027, the September 2026 milestone emphasizes operational readiness for tracking vulnerabilities and incident reporting. As articulated by Pepijn van der Laan, Nemko Digital’s Global Technical Director for AI Trust, this phase is not just about initial product compliance but also about managing obligations throughout the product’s lifecycle.
Despite the looming deadlines, a large portion of manufacturers—about 70 percent, according to a Nemko Digital webinar poll—are in the early stages of their compliance processes. The newly released Nemko Digital CRA Compliance Roadmap provides a structured six-step action framework to transform this complex regulatory requirement into a manageable task. It includes phases such as discovery, applicability assessment, gap analysis, process build-out, validation, and continuous monitoring. Accompanied by a 30-item checklist, this resource gives product teams, security leaders, and compliance officers actionable steps to follow.
Time is of the essence, as summer slowdowns across Europe could hinder progress. Nemko Digital advises completing most compliance groundwork by early July to avoid the August bottleneck, allowing organizations to focus on finalizing procedures and testing operational processes well ahead of the September deadline. Bas Overtoom, Global Business Development Director at Nemko Digital, emphasizes the importance of immediate action, noting that starting now can still be effective but delaying further could complicate compliance efforts significantly.
Organizations with existing RED (Radio Equipment Directive) certifications have a head start, since RED requirements overlap significantly with those of the CRA. However, the CRA introduces new obligations, particularly in vulnerability management and secure development practices, including ongoing maintenance of software bills of materials over a minimum five-year support period. The free CRA Compliance Roadmap is available for download with no registration or paywall, and serves as a comprehensive guide for compliance teams aiming to navigate these new regulations effectively.