  • Cyber Resilience Act - Notified Body Services

    The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements. 
    Brightsight supports organizations in preparing for CRA, while progressing towards becoming a CRA Notified Body for Module B and Module H.


40+ Years of cybersecurity evaluation

50+ Accreditation schemes

Global laboratory network

Part of the SGS Group

REGULATORY OVERVIEW

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation introducing cybersecurity requirements for products with digital elements placed on the EU market.

The regulation will become fully applicable from December 2027, with some obligations applying earlier.

Depending on the product category, demonstrating conformity may involve a CRA Notified Body or certification under an EU cybersecurity scheme such as EUCC.

Key facts

Mandatory cybersecurity requirements for products with digital elements, including hardware and software.

Applies to products incorporating third-party components, including open-source software.

Covers the full product lifecycle, from secure design and development to vulnerability handling.

Applies to manufacturers, importers, and distributors placing products with digital elements on the EU market.

Non-compliance may lead to fines, market restrictions, and corrective measures.

CONFORMITY PATHWAYS

CRA conformity assessment routes

The Cyber Resilience Act defines conformity assessment routes based on the product category and associated cybersecurity risk.

Module A - self-assessment

Self-assessment performed by the manufacturer to demonstrate compliance with the CRA essential cybersecurity requirements, based on technical documentation and internal verification.

Module B + C - third-party assessment

Conformity assessment involving a Notified Body, combining EU-type examination (Module B) and conformity to type based on internal production control (Module C).

Module H - full quality assurance

Conformity assessment based on full quality assurance, where a Notified Body audits and surveils the manufacturer’s quality management system (QMS) covering design, production, and vulnerability handling processes.

CRA READINESS FLOW

The CRA compliance journey

This structured CRA readiness flow outlines the key steps to achieve compliance and shows how Brightsight supports each stage.
01
Understand CRA

Build awareness of CRA scope, essential requirements and available conformity assessment routes.

RELATED SERVICE

CRA workshops

02
Determine product category & conformity assessment route

Identify how your product fits within the CRA based on its characteristics and intended use. Choose the right CRA conformity assessment route for your product.

RELATED SERVICE

CRA product classification analysis

03
Leverage existing certifications

Map existing certifications and security evidence (e.g. GSMA, PSA/SESIP, IEC 62443, EUCC, RED EN 18031, ETSI EN 303 645) to CRA requirements.

RELATED SERVICE

Evidence mapping analysis

04
Assess readiness

Validate how essential CRA requirements are translated into practical controls and supporting evidence.

RELATED SERVICE

CRA requirements alignment review

05
Review processes

Evaluate vulnerability handling, reporting and product lifecycle processes against CRA requirements.

RELATED SERVICE

Vulnerability handling process assessment

06
Prepare for conformity assessment

Prepare technical documentation and pre-audit activities for conformity assessment (Module B or Module H).

RELATED SERVICE

Module H quality system assessment

START PREPARING

Preparing for the CRA today

Organizations do not need to wait for the formal designation of CRA Notified Bodies to begin preparing. Key technical and organizational activities can be initiated today.

Formal conformity assessment will be carried out by designated Notified Bodies once the regulation is fully applicable.

Where to start 

Define the product category and intended use under the CRA

Determine the applicable CRA conformity assessment path

Perform cybersecurity risk assessments

Prepare structured technical documentation in line with CRA requirements

Establish Software Bill of Materials (SBOM) and ensure supply chain transparency

Implement vulnerability handling, vulnerability disclosure policy, reporting and lifecycle processes 

Map existing controls and evidence against CRA essential requirements

OUR APPROACH

How Brightsight supports CRA

Brightsight's CRA approach is built on four strategic pillars combining regulatory engagement, technical experience and a structured evaluation approach.

Active role in industry and CRA standardization working groups

Active participation in industry and CRA standardization working groups, providing visibility into emerging standards and interpretations.

Future CRA Notified Body capabilities

Accreditation activities in progress for Module B and Module H, preparing for operation as a CRA Notified Body across conformity assessment routes.

Leverage of existing schemes

Long-standing experience in Common Criteria, EUCC, SESIP, IEC 62443, PSA Certified and EMVCo provides a strong technical foundation, including the ability to map and align requirements across schemes for CRA-related evaluations.

Consistency and predictable evaluation approach

Structured methodologies ensure consistent, predictable and impartial interpretation of CRA requirements, enabling alignment across evaluation projects.

Together, these pillars position Brightsight as a single partner across evaluation, certification, and future CRA conformity assessment activities.

CRA SERVICES

Services supporting CRA preparation

Brightsight offers CRA workshops and assessment-oriented services covering CRA requirements and conformity assessment routes.

CRA workshops

Workshops covering CRA requirements, conformity assessment routes and their application to product contexts.

CRA introduction

Overview of CRA requirements and conformity assessment routes, including product scoping considerations and comparison of Module B and Module H approaches.

Client use case

CRA overview applied to a specific product context, including product scoping considerations and mapping to relevant standards.

Module H application

CRA overview focused on Module H application, including readiness considerations, comparison with Module B approaches, and the role of the Notified Body.

CRA preparation services

Structured assessment activities addressing CRA requirements through analysis, review and evaluation of documented processes and evidence, enabling readiness for Module B and Module H conformity assessment.

CRA product classification analysis

Independent analysis of product characteristics against CRA classification criteria, resulting in a documented determination of the applicable category.

CRA requirements alignment review

Structured review of documented controls and evidence against CRA requirements, identifying areas of alignment and non-alignment.

Vulnerability handling process assessment

Independent assessment of documented vulnerability handling processes against CRA requirements, with an objective report on strengths and gaps.

Module H quality system assessment

Preliminary evaluation of the documented quality system against CRA Module H requirements, including high-level on-site verification and a factual report on the level of alignment.

Evidence mapping analysis

Structured mapping of existing evidence and assessment results against CRA requirements to identify coverage, gaps and limitations.

These services are currently offered by Brightsight as CRA preparation services and do not represent formal CRA conformity assessment activities. 

CRA compliance services

Brightsight is currently undergoing the accreditation process to become a CRA Notified Body for Modules B and H and has not yet been designated. When Brightsight receives a formal designation and recognition as a CRA Notified Body, the following services will be available:

Module B - classic product evaluation

Under Module B, the Notified Body focuses on the product:
  • security testing, 
  • conformity assessment, 
  • guidance and documentation,
  • essential requirements.

The Module B conformity assessment covers Critical products, Important Class I, Important Class II, and Default products.

Module H - full quality assurance

Under Module H, the Notified Body focuses on the organization: 
  • secure development lifecycle,
  • vulnerability management, 
  • update management, 
  • supply chain security, 
  • testing process,
  • post-market monitoring.

The Module H conformity assessment covers Critical products, Important Class I, Important Class II, and Default products.

OUR ROADMAP

Brightsight's journey towards becoming a CRA Notified Body

Brightsight is progressing through the accreditation process required to operate as a CRA Notified Body for Module B and Module H. The roadmap below reflects current and upcoming activities. 

This accreditation will enable Brightsight to support manufacturers in meeting CRA conformity assessment requirements as the regulation becomes fully applicable.

01

CURRENT STATUS

Accreditation in progress

Brightsight is progressing through the accreditation process required to operate as a CRA Notified Body for Module B and Module H.

02

NEXT MILESTONE

Accreditation granted

Accreditation granted by the national accreditation body (RvA), enabling pilot conformity assessment activities in preparation for formal designation.

03

FINAL MILESTONE

CRA Notified Body designation

Formal designation by the national authority and recognition as a CRA Notified Body across the EU.

CAPABILITIES AND EXPERTISE

Why Brightsight

Brightsight combines decades of cybersecurity evaluation experience, global laboratory presence, and certification expertise to support manufacturers preparing for CRA conformity assessment.

Part of the SGS Group

As part of SGS, Brightsight combines specialist cybersecurity expertise with global testing, inspection, and certification capabilities to support your certification journey.

40+ Years of evaluation experience

Over four decades of experience in cybersecurity evaluation across smartcards, secure components, payment, mobile and connected devices.

50+ Accreditation schemes

Recognitions and accreditations across more than 50 cybersecurity schemes, including EUCC, Common Criteria, SESIP, EMVCo, PSA Certified, and IEC 62443.

Global laboratory network

Laboratories across Europe, North America, and Asia supporting manufacturers operating in regulated markets worldwide.

Active participation in CRA working groups

Participation in CRA-related working groups and standardization initiatives contributing to cybersecurity certification in Europe.

Independent lab and certification services

Independent evaluation laboratory and certification body services available within Brightsight, supporting a seamless certification process.

ANSWERS

Frequently asked questions

Common questions about the Cyber Resilience Act and Brightsight's progress towards CRA Notified Body designation.

EU regulation introducing mandatory cybersecurity requirements for products with digital elements placed on the EU market, covering the product and lifecycle obligations.

Manufacturers, importers, and distributors placing products with digital elements on the EU market, as well as other economic operators involved in placing the product on the EU market.

The Cyber Resilience Act entered into force in December 2024, with requirements becoming applicable in phases. Reporting obligations start from 11 September 2026, while the full set of CRA requirements becomes applicable from 11 December 2027.

Not all products require a Notified Body. The need for third-party involvement depends on the product category (e.g. important and critical products listed in Annex III) and whether harmonised standards are fully applied. While many products can follow a self-assessment route (Module A), certain product categories require conformity assessment by a Notified Body (e.g. Modules B or H).

The applicable CRA conformity module depends on the product category and whether harmonised standards are fully applied. Depending on these factors, the conformity assessment may range from self-assessment (Module A) to third-party evaluation by a Notified Body (Modules B and H). Module B focuses on product assessment, while Module H covers full quality assurance, including development and lifecycle processes.

A CRA Notified Body performs independent conformity assessments to evaluate whether certain products meet applicable CRA requirements. This includes reviewing technical documentation, assessing cybersecurity requirements, and, where applicable, auditing development and lifecycle processes. Based on the assessment, the Notified Body issues conformity assessment certificates where applicable. If requirements are not met, non-conformities must be addressed before certification can be granted.

Brightsight has applied to become a Notified Body for Module B and Module H under the CRA and is currently progressing through the accreditation process for both.

Brightsight has submitted an initial application for Module B and Module H under the CRA framework and is currently progressing through the accreditation process for both.

Yes. Organizations can already begin preparing by performing a risk assessment and a gap analysis against the essential requirements, preparing technical documentation and a Software Bill of Materials (SBOM), defining vulnerability handling processes, and classifying products under the CRA.

Yes. Work performed under schemes such as EUCC, Common Criteria, SESIP, IEC 62443, PSA Certified, or EMVCo may be reused as supporting technical evidence when preparing for CRA conformity assessment, depending on the product scope and alignment with CRA requirements.

Start preparing for your CRA compliance journey

Speak with a Brightsight expert about workshops, readiness services, and applicable CRA compliance paths for your products.

Discuss your product scope and CRA applicability

Clarify applicable conformity assessment routes (Module B / Module H)

Define next steps towards CRA assessment readiness