Hack the CRA: self-certify on a budget step by step

July 14, 2026

The EU Cyber Resilience Act (CRA, formally Regulation (EU) 2024/2847) introduces binding cybersecurity requirements for products with digital elements sold in the EU, with fines reaching EUR 15 million or 2.5% of global turnover for non-compliance. Manufacturers must prepare for vulnerability reporting obligations beginning on September 11, 2026, and broader conformity assessment and CE-marking requirements by December 11, 2027.

Hack the CRA does not mean bypassing the rules—it means understanding them well enough to avoid unnecessary cost and effort. The good news is that roughly 90% of products can follow the self-assessment route (Module A), avoiding costly third-party certification. However, self-certification still requires meeting applicable Annex I cybersecurity requirements, building Annex VII technical documentation, and signing a legally binding Declaration of Conformity. The challenge is focusing on what matters most: risk assessment, security testing, vulnerability remediation, and technical documentation.

The practical implementation guide below is contributed by Julian Meroi, founder of Meroi Security, and outlines the CRA compliance process in two phases and eight steps that manufacturers can follow to achieve compliance efficiently and cost-effectively.

Phase 1: Reporting readiness (deadline: September 11, 2026)

Phase 2: Formal compliance and CE marking (deadline: December 11, 2027)

When should you start the compliance process?

Manufacturers who begin now can spread the effort and cost over a reasonable timeline. Those who wait will face compressed schedules, higher costs, and the risk of falling behind competitors who are already compliant.

The EU Cyber Resilience Act sets legally binding cybersecurity requirements for products with digital elements sold in the EU. Roughly 90% of products can self-certify (Module A), but that still means meeting Annex I requirements, building Annex VII documentation, and signing a Declaration of Conformity. Non-compliance results in fines up to EUR 15 million or 2.5% of global turnover, whichever is the higher.


Julian Meroi is the founder of Meroi Security, an EU cybersecurity regulatory compliance consulting company based in the Netherlands and Taiwan, specializing in CRA compliance, trainings, and EU Authorized Representative services.