Skip to main content
🎀 Speaking at KubeCon EU 2026 Lessons Learned Orchestrating Multi-Tenant GPUs on OpenShift AI View Session
🎀 Speaking at Red Hat Summit 2026 GPUs take flight: Safety-first multi-tenant Platform Engineering with NVIDIA and OpenShift AI Learn More
Preparing Your Organization for the CRA: A Step-by-Step Action Plan
DevOps

Preparing Your Organization for the CRA

A practical 12-month action plan for CRA compliance. From product assessment to conformity declaration, everything your organization needs to do before 2027.

LB
Luca Berton
Β· 1 min read

Your 12-Month CRA Action Plan

Here’s a step-by-step plan to achieve CRA compliance before the December 2027 deadline.

Month 1-2: Assessment Phase

Product Inventory

For each product, document:
- [ ] Product name and version
- [ ] CRA classification (Default/Class I/Class II/Critical)
- [ ] Applicable ETSI standards
- [ ] Current security posture
- [ ] Gap analysis vs CRA requirements

Stakeholder Alignment

  • Brief executive leadership on CRA obligations
  • Assign CRA compliance ownership (CISO, VP Engineering, or dedicated role)
  • Budget allocation for compliance activities

Month 3-4: Foundation Building

SBOM Pipeline

  • Implement SBOM generation in CI/CD
  • Choose format (CycloneDX recommended)
  • Automate vulnerability scanning against SBOM
  • Set up dependency monitoring

Vulnerability Handling

  • Create or update security.txt
  • Establish coordinated vulnerability disclosure policy
  • Set up incident response procedures
  • Define ENISA reporting workflow

Month 5-8: Implementation

Security Engineering

  • Conduct threat modeling for each product
  • Implement security testing in CI/CD (SAST, DAST, fuzzing)
  • Review and harden security defaults
  • Ensure secure update mechanisms

Documentation

  • Begin technical documentation
  • Document security architecture
  • Record security design decisions
  • Prepare conformity assessment evidence

Month 9-10: Testing and Validation

Conformity Assessment

  • Self-assessment for Default/Class I products
  • Engage third-party assessor for Class II/Critical
  • Conduct penetration testing
  • Validate SBOM completeness

Process Verification

  • Test vulnerability reporting workflow end-to-end
  • Verify 24-hour ENISA reporting capability
  • Test security update delivery mechanism
  • Conduct tabletop exercise for incident response

Month 11-12: Launch

Go-Live

  • Publish EU Declaration of Conformity
  • Apply CE marking
  • Publish security update policy
  • Announce CRA compliance to customers

Ongoing

  • Continuous vulnerability monitoring
  • Regular security testing
  • Periodic SBOM updates
  • Maintain technical documentation

Key Success Factors

  1. Executive sponsorship β€” CRA compliance needs budget and authority
  2. Cross-functional team β€” engineering, security, legal, and product
  3. Start early β€” 12 months is tight for complex products
  4. Automate everything β€” manual compliance doesn’t scale
  5. Document as you go β€” don’t leave documentation for the end

Need help building your CRA compliance roadmap? I help organizations plan and execute cybersecurity regulation compliance. Get in touch.

Related Articles

Git Worktrees: Work on Multiple Branches at Once
DevOps

Git Worktrees: Work on Multiple Branches at Once

Git worktrees let you check out multiple branches simultaneously in separate directories. Stop stashing and switching -- work on your feature, hotfix, and review in parallel.

Podman vs Docker in 2026: Which One Should You Use
DevOps

Podman vs Docker in 2026: Which One Should You Use

A practical comparison of Podman and Docker in 2026 covering rootless containers, Kubernetes integration, CI/CD workflows, and when each tool is the right choice.

Quay robot accounts for container registries
DevOps

Quay Robot Accounts for CI/CD Container Pulls

How to create and use Quay.io robot accounts for secure, automated container image pulls in CI/CD pipelines without exposing personal credentials.

Fix: OpenClaw in Docker β€” Connection Refused, Port Mapping, and Network Issues
DevOps

OpenClaw Docker: Connection Refused Fix

Running OpenClaw in Docker and getting connection refused? Common issues with port mapping, bind addresses, DNS resolution, and WebSocket upgrades.

All Articles
Luca Berton Ansible Pilot Ansible by Example Open Empower K8s Recipes Terraform Pilot CopyPasteLearn ProteinLens TechMeOut