Skip to main content
ResiPlan
New persona

Product Security Solution: end-to-end CRA compliance

For hardware manufacturers, SaaS editors, IoT makers and industrial equipment suppliers placing products with digital elements on the EU market.

Dynamic attack graph

Simulate how attackers reach your OT and IoT

DAGSIM builds an attack graph from your CMDB and runs a Monte-Carlo simulation of how a compromise spreads over time across your IT, OT and IoT assets. Exploit timing is calibrated on real CVSS vectors and KEV/EPSS data, with a clear split between Enterprise and ICS techniques.

  • Lateral movement via IEC-62443 zones and shared network segments
  • MITRE ATT&CK ICS techniques (T0883, T0866) on your OT assets
  • IEC-61508 safety impact combined with business criticality
Dynamic attack graph compromise simulationattackernetAccessexecCodereachvulExistsexploitnetAccessexecCodevulExistsexploitlateral

Jour 0 / 21

Your 2026-2027 CRA challenges

CRA applicable in 20 months

The Cyber Resilience Act applicable on 11 December 2027 imposes cybersecurity CE marking, SBOM, CVD, Annex I matrix. Fines up to €15M or 2.5% of global turnover.

SBOM: impossible inventory manually

Your products contain 100-10,000 open-source components. Impossible to track manually, let alone cross-reference with emerging CVEs.

CVD mandatory but no process yet

You must publish a coordinated disclosure policy + security.txt. Without tooling, researcher reports get lost in a generic mailbox.

5-15 year support hard to track

Long support obligations break with typical product cycles. You need a system that automatically triggers EOL alerts and patch cadence.

What ResiPlan delivers

Complete PDE Registry

Inventory every product, its classification (non-critical → critical), assessment route, CE status. Linked to your existing CMDB.

Automated CycloneDX / SPDX SBOM

Drag-and-drop import, instant parsing, automatic CVE cross-reference per component. Alerts on new vulnerabilities.

Turnkey CVD portal

RFC 9116 compliant security.txt + public form + 8-state triage workflow + 30-day SLA tracking for CVSS ≥ 7.

Patch lifecycle

5-year or 15-year support clock per classification. Patch history linked to fixed CVEs. Customer notification log.

Annex I evidence matrix

13 essential requirements × products, evidence attachments (tests, pentest, code review). Readiness score for Declaration of Conformity.

Audit dossier ready

Pre-assembled audit pack per product. Mock audit mode. 15-business-day timer when a real request arrives from an authority.

Built for

If you are one of these roles, you'll find in ResiPlan the tooling to steer your CRA compliance.

Product Security Officer
CISO for manufacturers
Head of R&D / Engineering
Product Compliance Manager
Head of Quality for connected devices

From product to CE-ready

  1. 1

    Inventory products

    Register every product with digital elements and its CRA classification.

  2. 2

    Build the SBOM

    Import CycloneDX/SPDX and cross-reference components against emerging CVEs.

  3. 3

    Open the CVD channel

    Publish a coordinated disclosure policy and triage reports with SLA tracking.

  4. 4

    Prove conformity

    Fill the Annex I evidence matrix and assemble the audit dossier per product.

FAQ

Frequently asked questions

Which products count as products with digital elements (PDEs)?

Any product with software or a data connection placed on the EU market — from connected devices to SaaS. The registry classifies each into the CRA's risk categories.

What happens if a market-surveillance request lands?

You keep a pre-assembled Annex VII technical dossier per product, so you can respond within the authority's deadline instead of scrambling.

Do we need this before December 2027?

Yes — the core CRA obligations apply from 11 December 2027, but SBOM, CVD and evidence take time to build; starting now avoids a last-minute rush.

Product Security Solution: end-to-end CRA compliance

Product Security Solution — ResiPlan | Manufacturers, editors, IoT