CYBER RESILIENCE ACT

Be CRA reporting-ready by September 2026, without building a fourth silo.

The Cyber Resilience Act adds product-level cybersecurity duties on top of NIS2 and DORA. Acuna maps them onto the controls you already run, so one documented process covers all three instead of three disconnected ones.

CRA IN ONE SENTENCE

From 11 September 2026 you must report actively exploited vulnerabilities within 24 hours; Acuna gives you one place to run the vulnerability handling, the reporting clock and the evidence that a market surveillance authority will actually accept. Read the [CRA guide](/frameworks/cyber-resilience-act).

You already know how to do this. The CRA just moves it onto your products.

If you already run ISO 27001, NIS2 or DORA, the CRA does not introduce a new idea. It moves familiar work -- vulnerability handling, risk, evidence -- onto a new object: the products you place on the EU market, not just your organisation. From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours. From 11 December 2027, every product with digital elements needs secure-by-design evidence, a stated support period, a software bill of materials and a declaration of conformity. Most teams are not short on security work. They are short on a single place to run it, per product, on a clock they can prove.

One control set, mapped across CRA, NIS2 and DORA.

Stop treating the CRA as a project and run it as one more obligation on a control set you already operate. The core idea is one control, many frameworks: collect a piece of evidence once and reuse it for CRA, NIS2, DORA and ISO 27001, rather than rebuilding it per regime. //CONFIRM crosswalk capability

A documented, owner-assigned vulnerability-handling process with an auditable history, run on a cadence rather than in ad-hoc threads (Annex I). //CONFIRM

One incident workflow that captures the ENISA data fields and tracks the 24h / 72h / final-report clock. Because the single reporting platform launches without an API, Acuna structures the record for fast manual submission, not system-to-system filing (Art. 14). //CONFIRM

Classify each product and prioritise vulnerabilities by real exploitability and impact, a defensible risk-based decision rather than a raw CVSS score. CVSS and EPSS are useful inputs, not legal requirements. //CONFIRM

A structured evidence store for the technical file (Annex VII), including references to the SBOM and conformity records, ready for a market surveillance authority request. Acuna stores and tracks the SBOM as evidence; it does not generate SBOMs from source. //CONFIRM whether any module ingests SBOMs

Framework-specific extension

Third-party and supplier oversight through Supplier Shield, including supplier risk scoring, to support the manufacturer due-diligence duty (Art. 13). //CONFIRM

The clock is the risk. Documentation is the proof.

What one control set unlocks vs What waiting costs
What one control set unlocksWhat waiting costs
File once, mapped: one incident record serves CRA, NIS2 and DORA reporting instead of three rebuilds.The Inverted Bottleneck: finding vulnerabilities scales, but remediating and documenting them by hand does not.
A defensible, timestamped trail that answers a market surveillance authority instead of a scramble.A regulator will not accept "we are working on it"; screenshots and chat threads fail an audit.
Product classification and support periods tracked in one place, not a spreadsheet per product.A CVSS-only triage posture is hard to defend when the CRA asks for business-aligned risk decisions.
Readiness for 11 September 2026 built on detection and escalation you can start now.The same incident can trigger CRA, NIS2 and DORA on three clocks; three playbooks multiply the risk of contradictory disclosures.
Top-tier fines reach EUR 15 million or 2.5 % of worldwide turnover, and the reporting duty is the first to bite.

We have no customer count to quote, so here is the mechanism instead. One actively exploited vulnerability in a shared component can trigger a CRA report to ENISA, a NIS2 report to your CSIRT and a DORA report to your financial authority, on three different clocks. Run them from one mapped control set and you prepare the facts once and file three views of them. Run them from three tools and you rebuild the same evidence three times, under a 24-hour clock, and hope the versions agree. The saving is not a percentage; it is the difference between one defensible process and three fragile ones.

The objections we hear first.

GRC ROI is genuinely hard to prove precisely. Use your own numbers below to build the internal case. These inputs are yours; the output is your estimate, not ours.

Pipeline at risk

Enterprise deal value

typical affected deal, annualised

CHF 200K

CHF 10KCHF 1M

Deals blocked or slowed

per year, your estimate

3 deals

015

Security questionnaires

your team fills out, per month

5 / month

020 / month

Questionnaire overhead

Hours per questionnaire

across all people involved (SIG/CAIQ often run 6–12 hrs)

6 hrs

1 hr40 hrs

All-in hourly cost

fully-loaded: salary + overhead of the person filling it

CHF 125

CHF 25CHF 500
Pipeline at riskCHF 600'000
Questionnaire overhead / year (5×/mo × 6 hrs × CHF 125)CHF 45'000
Total identifiable costCHF 645'000

Acuna starts from

CHF 5'388 / year, all frameworks included

120×

your est. cost

These are your estimates, not ours. GRC ROI is notoriously hard to measure: most of the value is in deals not lost, incidents not escalated, and audits not rebuilt from scratch. Use this to structure the internal conversation, not as a number we stand behind.

Built by the people who have run these programmes.

Acuna is a GRC platform, not an SBOM scanner, a code analyser or a notified body. It operationalises the governance, reporting and evidence duties of the CRA inside your programme. Conformity assessment and CE marking remain with you and, where required, a notified body.

  1. Practitioner-built, including a former ISO 27001 certification auditor (Alexis Hirschhorn). //CONFIRM

  2. Swiss-sovereign: data hosted in Switzerland and the EU. //CONFIRM wording

  3. 50+ frameworks in one platform, so CRA is an addition, not a migration. //CONFIRM count

  4. Transparent CHF pricing with no per-seat fees. //CONFIRM current figure before quoting

  5. One control, many frameworks: evidence collected once and reused across CRA, NIS2 and DORA. //CONFIRM

Cyber Resilience Act: common questions.

CRA READINESS

Get reporting-ready for September 2026, on one control set.

See how Acuna maps CRA obligations onto the controls you already run for NIS2 and DORA.