Cyber Resilience Act (CRA) Compliance Made Simple

Specialist CRA compliance support for embedded Linux devices, firmware and software components.

Our partners

Get CRA compliant fast with pi3g

pi3g is a specialist German firm with over 16 years of experience in IoT devices, with a special focus on embedded Linux.

We offer a range of bespoke Cyber Resilience Act (CRA) compliance solutions including gap analysis, system re-engineering and legal certification designed to rapidly deliver full CRA readiness.

Our team can ensure CRA compliance for solutions including:

IoT devices with embedded Linux software
Industrial devices based on Raspberry Pi Compute Module (CM5 / CM4)
Gateway solutions
Edge AI devices
Microcontrollers, including ESP32 and RP2350 / RP2040
Server APIs
AI generated code

Cyber Resilience Act Compliance (CRA) Services

We help small and medium businesses at every step of their compliance journey.

CRA readiness assessment

Understand your compliance requirements and get actionable next steps.

Compliance-supporting engineering

Support your internal team with specialist engineering expertise.

Full CRA compliance service including legal review

Go from zero to fully CRA compliant with attestation from legal experts.

AI generated code compliance review

Ensure CRA compliance for AI generated code with minimum overhead.

Vendor neutral next steps and recommendations.

This short engagement will show you the current gap between your product’s technical realities and what's needed for CRA compliance with clear actions and next steps.

It's ideal as a standalone service for companies with unclear compliance requirements. Designed to feed directly into engineering work done internally or with cost-effective external support.

Assess your product versus the latest Cyber Resilience Act requirements and show your technical and management teams the necessary next steps to ensure full compliance and continued market participation.

A bespoke CRA readiness assessment includes:

A short, free, initial call to understand your needs and the scope of the work on our side
An all-inclusive, fixed-price offer from our side
We brief your team on the CRA requirements in a training session
We conduct interviews with stakeholders on your side, including your engineering team
We assess your products, the existing documentation and report procedures in your company
You will receive an easy-to-follow CRA compliance recommendations report
In a final presentation we will introduce the report, and answer your open questions

Compliance-Supporting Engineering Service

Accelerate time-to market for CRA-compliant products in a sustainable manner.

The logical next step from our CRA readiness assessment for companies needing additional engineering bandwidth.

We support you in implementing what is necessary for compliance with the EU Cyber Resilience Act (CRA).

Our dedicated engineering service helps your engineers to save time and focus on product features.

We are familiar with a wide range of embedded technologies, including Yocto, Docker, Raspberry Pi OS and other Debian derivates, and the corresponding programming languages - from C / C++ to Python, TypeScript and node.JS.

Enabling your team continuously is important to us. We focus on sustainable communication of best practices. Your engineers will benefit from a skill and knowledge transfer, allowing them to understand and reuse the implemented solutions for future products.

CRA compliance-supporting engineering includes:

An initial free consultation discussing your requirements - including the technologies which need to be covered
Briefing of your management team and engineering team on suggested code / product compliance recommendations and deliverables
A realistic estimate of total engineering cost on our side for the agreed deliverables
A concrete plan of deliverables along with a suggested timeline
Deep cooperation with your engineering team in the form preferred by you and your engineering team
Relevant project milestones with regular progress reports and deliverables
Focus on unblocking your team to progress faster towards a finished product
Support in building internal engineering best-practices for compliance purposes

Full CRA compliance service including legal review

Make your product fully compliant and CRA-ready, as attested to by our legal partners.

This service includes the CRA readiness assessment, followed by an implementation phase with extensive engieneering support from our side.

Finally, our legal partners review the solutions thoroughly.

We recommend this all-inclusive service for companies with critical products on tight deadlines who absolutely, positively, need them to be compliant by the December 2027 CRA deadline.

What you can expect with our full CRA compliance service:

An initial free consultation discussing your products and timeline
A realistic estimate of total cost on our side
A concrete plan of deliverables along with a suggested timeline
Deep cooperation with your engineering team in the form preferred by you and your engineering team
Relevant project milestones with regular progress reports and deliverables
Focus on unblocking your team to progress faster towards a finished product
Support in building internal engineering best-practices for compliance purposes
Expert legal review by our partners
Full project and result ownership on our side, a single point of contact for your team for everything related to the CRA

AI generated code compliance review

Fix AI generated code to make it secure and compliant.

For your AI generated code, we will identify security holes and other Cyber Resilience Act (CRA) compliance on a continuous basis.

Our engineering team will help to refactor the code, share best practices for AI code generation prompts, and the common pitfalls to watch out for.

The service can be run in tandem with your internal engineers, to ensure the most economic use of our code reviews, and continous knowledge transfer to your team.

This ensures CRA compliance for AI generated code with minimum overhead.

AI generated code compliance including:

An initial free consultation discussing your AI code workflow
Co-Creation of an additional workflow step for AI code security review
Establishment of best practices with your engineering team - including checklists
Ongoing training and briefing of your engineering team for AI-generated code compliance procedures
Regular in-depth reviews of your AI generated code

Business is built on trust.

As owner and general manager of pi3g GmbH & Co. KG trust, openness, mutual benefit and deep knowledge about our products are my highest values.

For example: I would be more than happy to recommend our competitor's products to you if I believe that they would be of better benefit to you.

This, in my opinion, is the way long-term business relationships are built.

- Maximilian Batz (pi3g GmbH & Co. KG)

Questions & Answers

Is my product affected by the CRA?

Most products - software and hardware - with possible connections to other devices are affected. We can help you analyze this question in detail - please get in touch with us.

The definition for products which are affected by the CRA is very broad.

The CRA applies to “products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network”.

Some examples what constitutes such products:

Firmware / software meant for integration into hardware devices
Software which is placed on the market with hardware product – pre-loaded or not, for example drivers for a printer, OS, tools to program FPGAs
ICs, motherboards, sensors
Smartphones, laptops, smart fridges
Industrial IoT devices, machinery

But also:

offline text editors and other applications running on operating systems which have or can have a connection to other devices
NFC tags and their readers, for example in doorlocks

There are some exceptions, for example products intended for national security purposes.

A counterexample for devices not affected by the CRA:

a dishwasher with embedded firmware, but without a connection to other devices

My product is already finished and being sold on the market, will it be affected?

Yes, your product will be affected. There is no grandfathering of existing product types, barring some exceptions.

From a legal perspective, each individual unit of a product type is considered as being "placed on the market".

"Placing on the market" translates to the manufacturer or importer making it available on the European market for the first time.

Each individual unit must conform to the European Conformity requirements valid at the time of it's placement on the market.

Thus, once the CRA enters into effect, new units of your product type manufactured and sold into the EU - to distributors, customers, importers - will need to be compliant with the CRA.

To allow products already shipped into the market to be supplied with spare parts, the CRA does not apply to unmodified spare parts.

What are the current deadlines for the Cyber Resilience Act (CRA)?

There are two important CRA deadlines most companies need to consider:

11.SEP. 2026: Start of reporting obligations

The reporting obligations for security incidents, and active breaches, also concern existing products.

11.DEC. 2027: Start of main CRA obligations

All existing products need to be reviewed to meet CRA requirements.

Grandfathering only exists for unmodified components intended to service devices already in the market.

Meeting the CRA requirements is an essential upcoming part of the CE certification.

Why choose pi3g to work with us to ensure CRA compliance?

Be sure that you are covering the CRA requirements appropriately with our expert guidance.

Often it is difficult to tell, whether you are doing enough. Security engineering efforts can increase exponentially, and risk targeting the wrong problem.

A balance with a realistic risk-based approach is key to expending the right amount of efforts on the right problems.

We continuously upskill our team members, and are able to bring CRA best practices into your team.

Thus, pi3g combines market knowledge and deep engineering expertise, to help you pick the right challenges to focus on.

Which technologies does pi3g not cover for the CRA?

Resources

Presentations

pi3g CRA presentation (PDF) - an initial overview of the requirements, penalties and our solution

Website Links

Cyber Resilience Act (European Commission)
Reporting Obligations (European Commission)
ENISA (European Union Agency for Cybersecurity)

Lets talk about your products

Cyber Resilience Act (CRA) Compliance Made Simple

Specialist CRA compliance support for embedded Linux devices, firmware and software components.

Our partners

Get CRA compliant fast with pi3g

Cyber Resilience Act Compliance (CRA) Services

CRA readiness assessment

Compliance-supporting engineering

Full CRA compliance service including legal review

AI generated code compliance review

CRA Readiness Assessment

Vendor neutral next steps and recommendations.

Compliance-Supporting Engineering Service

Accelerate time-to market for CRA-compliant products in a sustainable manner.

Full CRA compliance service including legal review

Make your product fully compliant and CRA-ready, as attested to by our legal partners.

AI generated code compliance review

Fix AI generated code to make it secure and compliant.

Business is built on trust.

Questions & Answers

Is my product affected by the CRA?

My product is already finished and being sold on the market, will it be affected?

What are the current deadlines for the Cyber Resilience Act (CRA)?

Why choose pi3g to work with us to ensure CRA compliance?

Which technologies does pi3g not cover for the CRA?

Resources

Presentations

Website Links