Product Security Solution: end-to-end CRA compliance
For hardware manufacturers, SaaS editors, IoT makers and industrial equipment suppliers placing products with digital elements on the EU market.
Simulate how attackers reach your OT and IoT
DAGSIM builds an attack graph from your CMDB and runs a Monte-Carlo simulation of how a compromise spreads over time across your IT, OT and IoT assets. Exploit timing is calibrated on real CVSS vectors and KEV/EPSS data, with a clear split between Enterprise and ICS techniques.
- Lateral movement via IEC-62443 zones and shared network segments
- MITRE ATT&CK ICS techniques (T0883, T0866) on your OT assets
- IEC-61508 safety impact combined with business criticality
Jour 0 / 21
Your 2026-2027 CRA challenges
CRA applicable in 20 months
The Cyber Resilience Act applicable on 11 December 2027 imposes cybersecurity CE marking, SBOM, CVD, Annex I matrix. Fines up to €15M or 2.5% of global turnover.
SBOM: impossible inventory manually
Your products contain 100-10,000 open-source components. Impossible to track manually, let alone cross-reference with emerging CVEs.
CVD mandatory but no process yet
You must publish a coordinated disclosure policy + security.txt. Without tooling, researcher reports get lost in a generic mailbox.
5-15 year support hard to track
Long support obligations break with typical product cycles. You need a system that automatically triggers EOL alerts and patch cadence.
What ResiPlan delivers
Complete PDE Registry
Inventory every product, its classification (non-critical → critical), assessment route, CE status. Linked to your existing CMDB.
Automated CycloneDX / SPDX SBOM
Drag-and-drop import, instant parsing, automatic CVE cross-reference per component. Alerts on new vulnerabilities.
Turnkey CVD portal
RFC 9116 compliant security.txt + public form + 8-state triage workflow + 30-day SLA tracking for CVSS ≥ 7.
Patch lifecycle
5-year or 15-year support clock per classification. Patch history linked to fixed CVEs. Customer notification log.
Annex I evidence matrix
13 essential requirements × products, evidence attachments (tests, pentest, code review). Readiness score for Declaration of Conformity.
Audit dossier ready
Pre-assembled audit pack per product. Mock audit mode. 15-business-day timer when a real request arrives from an authority.
Built for
If you are one of these roles, you'll find in ResiPlan the tooling to steer your CRA compliance.
From product to CE-ready
- 1
Inventory products
Register every product with digital elements and its CRA classification.
- 2
Build the SBOM
Import CycloneDX/SPDX and cross-reference components against emerging CVEs.
- 3
Open the CVD channel
Publish a coordinated disclosure policy and triage reports with SLA tracking.
- 4
Prove conformity
Fill the Annex I evidence matrix and assemble the audit dossier per product.
Frequently asked questions
Which products count as products with digital elements (PDEs)?
Any product with software or a data connection placed on the EU market — from connected devices to SaaS. The registry classifies each into the CRA's risk categories.
What happens if a market-surveillance request lands?
You keep a pre-assembled Annex VII technical dossier per product, so you can respond within the authority's deadline instead of scrambling.
Do we need this before December 2027?
Yes — the core CRA obligations apply from 11 December 2027, but SBOM, CVD and evidence take time to build; starting now avoids a last-minute rush.