CYBER RESILIENCE ACT
Be CRA reporting-ready by September 2026, without building a fourth silo.
The Cyber Resilience Act adds product-level cybersecurity duties on top of NIS2 and DORA. Acuna maps them onto the controls you already run, so one documented process covers all three instead of three disconnected ones.
CRA IN ONE SENTENCE
From 11 September 2026 you must report actively exploited vulnerabilities within 24 hours; Acuna gives you one place to run the vulnerability handling, the reporting clock and the evidence that a market surveillance authority will actually accept. Read the [CRA guide](/frameworks/cyber-resilience-act).
You already know how to do this. The CRA just moves it onto your products.
If you already run ISO 27001, NIS2 or DORA, the CRA does not introduce a new idea. It moves familiar work -- vulnerability handling, risk, evidence -- onto a new object: the products you place on the EU market, not just your organisation. From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours. From 11 December 2027, every product with digital elements needs secure-by-design evidence, a stated support period, a software bill of materials and a declaration of conformity. Most teams are not short on security work. They are short on a single place to run it, per product, on a clock they can prove.
One control set, mapped across CRA, NIS2 and DORA.
Stop treating the CRA as a project and run it as one more obligation on a control set you already operate. The core idea is one control, many frameworks: collect a piece of evidence once and reuse it for CRA, NIS2, DORA and ISO 27001, rather than rebuilding it per regime. //CONFIRM crosswalk capability
The clock is the risk. Documentation is the proof.
| What one control set unlocks | What waiting costs |
|---|---|
| File once, mapped: one incident record serves CRA, NIS2 and DORA reporting instead of three rebuilds. | The Inverted Bottleneck: finding vulnerabilities scales, but remediating and documenting them by hand does not. |
| A defensible, timestamped trail that answers a market surveillance authority instead of a scramble. | A regulator will not accept "we are working on it"; screenshots and chat threads fail an audit. |
| Product classification and support periods tracked in one place, not a spreadsheet per product. | A CVSS-only triage posture is hard to defend when the CRA asks for business-aligned risk decisions. |
| Readiness for 11 September 2026 built on detection and escalation you can start now. | The same incident can trigger CRA, NIS2 and DORA on three clocks; three playbooks multiply the risk of contradictory disclosures. |
| Top-tier fines reach EUR 15 million or 2.5 % of worldwide turnover, and the reporting duty is the first to bite. |
We have no customer count to quote, so here is the mechanism instead. One actively exploited vulnerability in a shared component can trigger a CRA report to ENISA, a NIS2 report to your CSIRT and a DORA report to your financial authority, on three different clocks. Run them from one mapped control set and you prepare the facts once and file three views of them. Run them from three tools and you rebuild the same evidence three times, under a 24-hour clock, and hope the versions agree. The saving is not a percentage; it is the difference between one defensible process and three fragile ones.
The objections we hear first.
GRC ROI is genuinely hard to prove precisely. Use your own numbers below to build the internal case. These inputs are yours; the output is your estimate, not ours.
Pipeline at risk
Enterprise deal value
typical affected deal, annualised
CHF 200K
Deals blocked or slowed
per year, your estimate
3 deals
Security questionnaires
your team fills out, per month
5 / month
Questionnaire overhead
Hours per questionnaire
across all people involved (SIG/CAIQ often run 6–12 hrs)
6 hrs
All-in hourly cost
fully-loaded: salary + overhead of the person filling it
CHF 125
Acuna starts from
CHF 5'388 / year, all frameworks included
120×
your est. cost
These are your estimates, not ours. GRC ROI is notoriously hard to measure: most of the value is in deals not lost, incidents not escalated, and audits not rebuilt from scratch. Use this to structure the internal conversation, not as a number we stand behind.
Built by the people who have run these programmes.
Acuna is a GRC platform, not an SBOM scanner, a code analyser or a notified body. It operationalises the governance, reporting and evidence duties of the CRA inside your programme. Conformity assessment and CE marking remain with you and, where required, a notified body.
Practitioner-built, including a former ISO 27001 certification auditor (Alexis Hirschhorn). //CONFIRM
Swiss-sovereign: data hosted in Switzerland and the EU. //CONFIRM wording
50+ frameworks in one platform, so CRA is an addition, not a migration. //CONFIRM count
Transparent CHF pricing with no per-seat fees. //CONFIRM current figure before quoting
One control, many frameworks: evidence collected once and reused across CRA, NIS2 and DORA. //CONFIRM
Start with the deadline that bites first.
See the reporting workflow on your own stack.
Book a CRA walkthrough
Also compounds with