EU Cyber Resilience Act — Guide for Startup Founder & CEO (First-Time CRA Compliance)

The CRA applies to any product with digital elements placed on the EU market — whether manufactured by a large corporation or a two-person startup. If your product is a physical device with network connectivity, a consumer software application, or a software component integrated into other products, it is almost certainly in scope. The key exclusions are: products developed solely for national security or defence purposes; open-source software developed outside of commercial activity (see the stewardship exemption); and certain regulated product categories that fall under sector-specific legislation. Most startup hardware and SaaS products are in scope. The first task is to run each product through the classification test: Default (self-assessment), Class I Important (self-assessment or harmonised standard), or Class II Important (mandatory notified body). Annex III lists the Important Product categories.

Startups should not attempt to implement every possible security control before achieving minimum CRA compliance. The core obligations are: shipping a product free of known exploitable vulnerabilities; maintaining an SBOM for each product in a machine-readable format; having a CVD policy and a working security contact; committing to and delivering security updates for a defined support period; and completing a conformity assessment (self-assessment for Default and most Class I products). The technical file for a simple Default-class product can be surprisingly tractable: an architecture document, a threat model, SBOM, static analysis run records, and a signed Declaration of Conformity. Start with these, add to the file with each release, and build process maturity incrementally rather than attempting a big-bang compliance programme.

Startups must make pragmatic decisions about CRA tooling. SBOM generation should almost always use an existing open-source or commercial tool integrated into the CI/CD pipeline — building SBOM generation from scratch is not a sensible use of engineering time. Vulnerability scanning against the SBOM can similarly be automated using existing CVE database integrations. For the technical file, a structured set of documents in version control is sufficient — specialist document management systems are rarely necessary at the startup stage. CVD policy publication requires only a security.txt file at the correct URL and a monitored inbox. Penetration testing is one area where external specialist engagement is often worth the cost, as it provides independent evidence for the technical file and finds issues that internal teams miss. For Class II Important Products, the notified body assessment cannot be avoided and should be budgeted.

Institutional investors in EU-market B2B and hardware startups are increasingly incorporating regulatory compliance into due diligence, and the CRA is becoming a standard diligence item. Series A and later investors will ask: which products are in scope, what classification applies, what is the conformity assessment timeline, and are there material regulatory risks that could affect the business? Founders who can demonstrate a credible compliance posture — even if conformity assessment is not yet complete — are substantially better positioned than those who have not considered CRA obligations at all. A CRA readiness score provides a structured snapshot of current posture. Founders should also understand that a non-compliant product could be withdrawn from the EU market by a national competent authority, which represents a material business risk that investors will want to see managed.

List every product you sell or plan to sell in the EU and confirm it is in scope for the CRA. Classify each product as Default, Class I, or Class II Important using Annex III and available ENISA guidance. For each product, generate an SBOM from the current build and run it against NVD — address any critical findings before the next release. Publish a security.txt file referencing a monitored disclosure email address and draft a one-page CVD policy. Start a technical file folder for each product: add the architecture document, threat model, and SBOM as initial content. If the company is outside the EU, engage a specialist to serve as EU Authorised Representative. Run the CRA readiness score on CVD Portal to get a structured view of remaining gaps and prioritise accordingly.