In force · CE marking from Dec 2027

The EU Cyber Resilience Act
is now a market-access gate.

CRA compliance kit — £999 one-time + £199/mo monitoring (optional)

AI products with digital elements must be secure-by-design, vulnerability-managed, and CE-marked to enter the EU market. We map every CRA essential requirement to controls, evidence, and a signed attestation.

CRA timeline and penalties

Dec 2024: Cyber Resilience Act entered into force.
Sep 2026: Reporting and vulnerability-handling obligations apply.
Dec 2027: Full CE-marking requirements for products with digital elements.
Penalties: up to €15M or 2.5% global turnover, plus market recall.

Book free readiness check Compare EU AI Act See all protocols

Choose your tier

CRA Quick Scope

£9one-time

Product classification questionnaire and essential-requirements gap summary.

Get £9 Quick Scope

CRA Compliance Kit

£999one-time

Classification guide, security-by-design templates, vulnerability handling policy, technical documentation pack, and one attestation.

Buy — £999

Audit-Prep Bundle

£4,950one-time

Kit + 2-day engagement + CE technical file review + 90-day support.

Buy Audit-Prep — £4,950

Enterprise

£1,499/month

Continuous vulnerability monitoring, SBOM refresh, incident reporting workflows, and unlimited attestations.

Talk sales — £1,499/mo

What's covered

Product classification & CE pathway

Classify your software or AI product under CRA risk tiers, determine applicable essential requirements, and build the technical documentation for CE marking.

Security-by-design & secure development

Threat modelling, secure coding practices, SBOM generation, SLSA provenance, and Sigstore signing aligned to CRA Annex I.

Vulnerability handling & incident reporting

Coordinated vulnerability disclosure process, ENISA reporting timelines, and automated CVE/CISA KEV monitoring for dependencies.

Transparency & update obligations

Support lifecycle documentation, automatic update mechanisms, and user-facing security information required for products with digital elements.

Why this matters now

The EU Cyber Resilience Act is in force. Non-compliance blocks products from the EU market and exposes manufacturers to fines up to €15 million or 2.5% of global turnover.

AI products with digital elements are explicitly in scope. The CRA adds cybersecurity obligations on top of the EU AI Act's risk-management requirements.

CE marking under CRA requires technical documentation, vulnerability handling, and security updates — not just a one-time pentest.

The kit reuses your existing SBOM, SLSA, and Sigstore evidence from MEOK's supply-chain MCPs, so you don't duplicate work.

Frequently asked questions

Does the CRA apply to AI products?

Yes. The CRA applies to any product with digital elements placed on the EU market, including software, embedded systems, and AI-powered applications. AI products may also be subject to the EU AI Act; the two frameworks overlap on risk management, documentation, and security.

When do CRA obligations start?

The CRA entered into force in December 2024. The first reporting and vulnerability-handling obligations apply from September 2026, with full CE-marking requirements from December 2027.

What are the risk classes?

CRA classifies products into default (non-critical) and critical categories, with critical further split into Class I and Class II based on importance and cyber risk. Critical products require third-party conformity assessment; default products can self-assess.

What is the penalty for non-compliance?

Penalties can reach €15 million or 2.5% of global annual turnover for certain infringements, with higher penalties for critical-product violations. Market surveillance authorities can also prohibit or recall non-compliant products.

How does the kit integrate with EU AI Act work?

The CRA kit shares evidence with our EU AI Act and ISO 42001 kits: risk management, technical documentation, SBOM, vulnerability handling, and post-market monitoring. Customers using multiple kits get a unified evidence vault.

Also subject to the EU AI Act?

See the EU AI Act guide →

MEOK AI Labs · CSOAI LTD · UK Companies House 16939677

CSOAI

Initializing...

The EU Cyber Resilience Act
is now a market-access gate.

CRA compliance kit — £999 one-time + £199/mo monitoring (optional)

CRA timeline and penalties

Dec 2024: Cyber Resilience Act entered into force.
Sep 2026: Reporting and vulnerability-handling obligations apply.
Dec 2027: Full CE-marking requirements for products with digital elements.
Penalties: up to €15M or 2.5% global turnover, plus market recall.

Choose your tier

CRA Quick Scope

£9one-time

Product classification questionnaire and essential-requirements gap summary.

Get £9 Quick Scope

CRA Compliance Kit

£999one-time

Classification guide, security-by-design templates, vulnerability handling policy, technical documentation pack, and one attestation.

Buy — £999

Audit-Prep Bundle

£4,950one-time

Kit + 2-day engagement + CE technical file review + 90-day support.

Buy Audit-Prep — £4,950

Enterprise

£1,499/month

Continuous vulnerability monitoring, SBOM refresh, incident reporting workflows, and unlimited attestations.

Talk sales — £1,499/mo

What's covered

Product classification & CE pathway

Classify your software or AI product under CRA risk tiers, determine applicable essential requirements, and build the technical documentation for CE marking.

Security-by-design & secure development

Threat modelling, secure coding practices, SBOM generation, SLSA provenance, and Sigstore signing aligned to CRA Annex I.

Vulnerability handling & incident reporting

Coordinated vulnerability disclosure process, ENISA reporting timelines, and automated CVE/CISA KEV monitoring for dependencies.

Transparency & update obligations

Support lifecycle documentation, automatic update mechanisms, and user-facing security information required for products with digital elements.

Why this matters now

The EU Cyber Resilience Act is in force. Non-compliance blocks products from the EU market and exposes manufacturers to fines up to €15 million or 2.5% of global turnover.

AI products with digital elements are explicitly in scope. The CRA adds cybersecurity obligations on top of the EU AI Act's risk-management requirements.

CE marking under CRA requires technical documentation, vulnerability handling, and security updates — not just a one-time pentest.

The kit reuses your existing SBOM, SLSA, and Sigstore evidence from MEOK's supply-chain MCPs, so you don't duplicate work.

Frequently asked questions

Does the CRA apply to AI products?

When do CRA obligations start?

The CRA entered into force in December 2024. The first reporting and vulnerability-handling obligations apply from September 2026, with full CE-marking requirements from December 2027.

What are the risk classes?

What is the penalty for non-compliance?

How does the kit integrate with EU AI Act work?

MEOK AI Labs · CSOAI LTD · UK Companies House 16939677

The EU Cyber Resilience Actis now a market-access gate.

Choose your tier

What's covered

Why this matters now

Frequently asked questions

The EU Cyber Resilience Actis now a market-access gate.

Choose your tier

What's covered

Why this matters now

Frequently asked questions

The EU Cyber Resilience Act
is now a market-access gate.

The EU Cyber Resilience Act
is now a market-access gate.