EU Cyber Resilience Act — Guide for Sales Engineer & Pre-Sales Consultant

The CRA creates both commercial opportunity and commercial risk for sales teams. The opportunity: enterprise customers — particularly those subject to NIS2, the DORA regulation, or sector-specific cybersecurity requirements — are under increasing pressure to demonstrate that the products they procure meet baseline security standards. Manufacturers who can produce a credible Declaration of Conformity, an up-to-date SBOM, and documented support commitments will win procurement decisions against competitors who cannot. The risk: sales engineers who make overconfident or inaccurate claims about CRA compliance — asserting CE marking before it is achieved, or understating product limitations in customer questionnaires — create contractual liability and potential regulatory exposure for the manufacturer. Accuracy is non-negotiable.

Enterprise customers, especially those in regulated sectors, routinely send multi-hundred-question security questionnaires as part of supplier qualification. CRA-related questions you can expect include: Does the product have a CE mark under the CRA? Has a conformity assessment been completed, and by which route? Is an SBOM available? What is the CVD policy and contact address? What is the product's support period and EOL date? Does the manufacturer have a published process for issuing security patches? Sales engineers should not answer these questions from memory. The product security or compliance team should maintain a master security questionnaire response document, updated with each product version, that sales engineers draw on. Responses must be accurate as of the date of the questionnaire — mark any items as 'in progress' rather than claiming conformity that has not been formally confirmed.

Article 23 requires manufacturers to make the Declaration of Conformity (DoC) available to market surveillance authorities and, where relevant, to customers. The DoC is a formal document signed by the manufacturer that declares the product meets the requirements of the CRA and any other applicable EU directives. Enterprise customers increasingly request the DoC as part of supplier due diligence. Sales engineers should know where the DoC is held and the process for sharing it with customers — typically a controlled copy request through the legal or regulatory affairs team. Customers may also request the technical file; while the full technical file need not be shared, a technical summary or a subset of test reports may satisfy the customer's due diligence requirement. Coordinate with the compliance team before sharing any technical documentation.

Article 13 requires manufacturers to define and communicate a support period at the time of placing the product on the market. This must be an honest representation of the period during which security updates will be provided. Enterprise customers who integrate a product into critical infrastructure or long-lived systems need to understand whether the product's support period is compatible with their operational lifecycle. Sales engineers must communicate EOL dates accurately and in writing, and must not promise extended support informally without confirming availability with the product team. When a product's EOL date approaches, customers should receive formal advance notice — the CRA encourages manufacturers to notify users when the support period is ending so they can make informed decisions about continued use or migration.

Request a current version of the master security questionnaire response document from the product security or compliance team and store it in the sales knowledge base. Confirm with the product team what each product's CRA classification is (Default, Class I, or Class II Important) and what the conformity assessment status is. Identify where the Declaration of Conformity is held and what the process is for providing a copy to a customer. Confirm the support period and EOL date for every product in your portfolio and update CRM records accordingly. Attend an internal briefing with the PSIRT or security team to understand the CVD process and how to direct customers who report a potential vulnerability. Flag any customer questionnaire questions you cannot confidently answer to the compliance team for resolution.