Cyber Resilience Act Advisory

We make your company CRA-ready. For secure market access for your products in the EU.

  • Compliance with the CRA affects products, processes, governance and supply chains alike.

  • Initial reporting obligations will apply as early as September 2026. Companies that act early create planning certainty and can implement CRA requirements in a structured manner, rather than under time pressure.

  • We make your company CRA-ready. Structured, practical and based on a plan that actually works.

Schedule an initial consultation

Non-binding, specific, approx. 30 minutes

Holistic, not isolated

We consider the CRA, NIS2, the AI Act and the GDPR together, ensuring that data protection, IT security and compliance interact effectively within your company.

Practical support for your company

We help establish structures, processes and responsibilities that embed CRA compliance into day-to-day operations.

Legally and operationally robust

From liability issues to vulnerability management, ISiCO supports companies with the technical, organisational and regulatory implementation of the CRA.

We are particularly impressed by ISiCO's interdisciplinary approach: it is legally sound, technically well thought-out and demonstrates an entrepreneurial understanding of our challenges.

Our collaboration with ISiCO on the challenging project of implementing an ISMS and obtaining ISO certification was extremely positive. Thanks to their proactive, collegial and solution-oriented support, we were able to complete the project in record time. ISiCO's extensive technical expertise and experience were key factors in this success.

How we support you with CRA implementation:

  • Product analysis and relevance assessment: Which of your products fall within the scope of the CRA? We provide clarity on your organisation’s exposure and the resulting requirements.
  • Gap analysis and implementation roadmap: We create transparency around your current implementation status, prioritise the most important measures and develop a roadmap that integrates with your existing processes.
  • Reporting processes and vulnerability management: Together with you, we develop clear reporting processes, responsibilities and escalation paths so that your company can reliably meet CRA requirements from September 2026 onwards.
  • Technical documentation and SBOM: We support you in preparing software bills of materials (SBOMs) and the evidence required for a successful CRA conformity assessment.
  • Supply chain and contract design: We help you clearly define responsibilities along your supply chain and secure regulatory requirements through appropriate contractual arrangements.
  • Long-term support: We help you assess new regulatory requirements at an early stage and continuously develop your security and compliance structures.

Dr Jan Scharfenberg
Managing Director & Partner
Together, we will determine which CRA requirements are relevant to your business.

CRA implementation without ISiCO | CRA implementation with ISiCO
Unclear exposure and extensive coordination effort | Clear assessment of which products and processes are affected
Separate projects for the CRA, NIS2, the AI Act and data protection | Requirements are considered together and aligned with one another
Unclear reporting processes and responsibilities | Reporting processes and escalation paths are in place before the deadline takes effect
High documentation effort without a clear structure | Documentation that supports audits, conformity assessments and CE marking
Supplier risks are underestimated | Contracts and processes along the supply chain are secured
Project completion = the end of support | Long-term support with monitoring and regulatory changes
Many requirements, no prioritisation | A clear roadmap with prioritised measures
Compliance as an obstacle | Compliance as a foundation for secure, competitive products

Why companies should act now

In our conversations with companies, we currently often see that the impact of the Cyber Resilience Act is underestimated. Many organisations already have established security measures in place and yet are asking the same questions: Which products are affected? Which processes need to be adapted? And how can the CRA, NIS2, ISO 27001, the AI Act and data protection interact in a meaningful way?

Our approach is therefore to enable, not merely to safeguard. This is precisely where our work begins.

For me, the Cyber Resilience Act is far more than just another regulatory requirement. It is an opportunity to develop security structures, product processes and compliance requirements in a holistic way. Companies that act now not only lay the foundation for CRA conformity, but also strengthen the resilience of their products and build long-term trust with customers and partners. In addition, the first important deadline is closer than many companies expect. From 11 September 2026, the first mandatory reporting obligations will apply to actively exploited vulnerabilities and severe security incidents. Companies that are still discussing responsibilities, reporting channels or documentation requirements at that point will have lost valuable time.

We support companies in integrating CRA requirements into existing processes in a practical way, considering regulatory requirements in context and developing solutions that work in day-to-day operations. In doing so, we combine information security, data protection, AI regulation and compliance into a holistic approach.

In an initial consultation, we will clarify together which requirements are relevant to your company and which steps make sense now.

I look forward to speaking with you.

Jan Scharfenberg

Ready for CRA advisory that does not hold you back, but helps you move forward?

In a free initial consultation, we clarify where you currently stand and what your next meaningful step should be. Legally sound, technically well thought out and applicable to your organisation.

Schedule your free consultation now