Successful CSRD implementation with Hays

CRA-compliant with Hays without tying up resources

We get your products with digital elements safely through EU certification.

Many German companies are struggling with the uncertainty of the new requirements of the Cyber Resilience Act (CRA). We understand these challenges. As your specialised partner for CRA compliance, we not only help you to minimise risks and avoid costly fines, but also turn the CRA requirements into a strategic advantage that strengthens the trust of your customers and secures your market position in the long term.

How we are there for you

We are familiar with the complex legal and technical requirements of the Cyber Resilience Act and develop practical, realisable strategies for you. We understand the ambiguities and challenges of implementing new regulations within existing corporate structures.

We offer a comprehensive view of your CRA challenges and optimise your organisation, processes and IT systems.

What happens after you contact us

1. Make an appointment with Hays Experts
2. Consultancy and gap analysis
3. Development of a clear roadmap
4. Implementation and review of effectiveness

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation that aims to improve the cyber security of products with digital elements (PDE). It directly affects German manufacturers, importers and retailers and forces them to integrate cyber security throughout the entire product life cycle - from development to the end of its useful life.
The regulation came into force on 10 December 2024, although the reporting obligations for vulnerabilities are already mandatory from 11 September 2026. Non-compliance could result in severe fines of up to 15 million euros or 2.5% of annual global turnover, whichever is higher.

The ultimate CRA checklist: Are you prepared?

Download our CRA checklist now and make sure you are fully prepared for the upcoming regulation.
From developing "secure products ex works" to ensuring seamless updates and effective vulnerability management throughout the entire life cycle - the new EU regulations require a far-reaching adaptation of your processes. We know that you are not only looking for compliance, but also pragmatic and future-proof solutions that strengthen your business while avoiding high penalties.

What do you need to do?

If you are affected by CRA, it is important that you think about cyber security from the outset. Make sure that you fulfil all requirements and provide proof of compliance. Report possible vulnerabilities to the central reporting platform.

Requirements for affected companies

The CRA places certain requirements on affected products with digital elements.

Cybersecure development

Manufacturers must develop products with cyber security (security by design) in mind from the outset. An assessment and documentation of cyber security risks is mandatory.

Conformity assessment and CE marking

Products may only be sold if they have successfully undergone a conformity assessment procedure and bear the CE marking - as proof that they fulfil the CRA requirements.

Categorisation according to risk classes

Products with digital elements are categorised according to risk (e.g. critical infrastructure, consumer applications) with different requirements and test procedures.

Cybersecurity throughout the entire product life cycle

Manufacturers must provide free security updates for at least five years (or the expected service life of the product if this is longer) and ensure the security of the products throughout their entire life cycle (development, deployment, maintenance, disposal).

Security update and vulnerability management

There is an obligation to provide security updates in good time and to set up processes for the recording, handling and communication of vulnerability reports. There is an explicit obligation to report actively exploited vulnerabilities and security incidents to the authorities.

Software bill of materials

A comprehensible list of all software components used, the software bill of materials (SBOM), is mandatory for integrated software components.

User information

Manufacturers must provide cybersecurity information and guidance on safe use, including documentation on expected conditions of use and recommended secure configurations.

Responsibilities in the supply chain

Importers and distributors are also obliged to check compliance with cybersecurity requirements, establish effective control mechanisms and inform authorities and users in the event of vulnerabilities or incidents.

Liability and sanctions

Violations can result in severe fines (up to 15 million euros or 2.5% of annual global turnover) as well as sales bans or product recalls.

Yesterday's solutions don't solve tomorrow's problems!

FAQ

This includes all hardware and software products that can be directly or indirectly connected to a device or network, such as smartphones, smart home devices, industrial systems, B2B software and mobile applications that are provided commercially.


"Important" or "critical" refers to products with higher cybersecurity relevance that are listed in Annexes III and IV of the CRA regulation, such as firewalls or smart cards, and require more stringent third-party conformity assessment procedures.


"Security by design" means integrating cybersecurity into the product development process from the outset, while "secure by default" requires products to be delivered with the most secure default settings that require minimal user intervention.


The Software Bill of Materials (SBOM) is a detailed inventory of all software components and their dependencies used in a product, comparable to a list of ingredients for food.


CVE (Common Vulnerabilities and Exposures) monitoring is the continuous monitoring and management of known security vulnerabilities in products and their components in order to identify, fix and report them as quickly as possible.