Part 3: From Legal Text to Execution — How to Prepare for the CRA (And Why Most Aren’t Ready)
For most manufacturers, the CRA presents a unique kind of challenge: it combines security engineering, regulatory compliance, documentation management, and supply chain risk into a single legal requirement. Reading the regulation is one thing, implementing it is another entirely.
Start with the fundamentals. You’ll need to demonstrate:
- A secure-by-design development process that includes threat modelling, secure coding, security testing, and appropriate architecture decisions.
- A vulnerability management process for your product—including both internally discovered and externally reported issues.
- A maintained SBOM, with policies for vetting and replacing vulnerable components.
- Security documentation that is up-to-date, accessible, and sufficiently detailed to satisfy Annex VII requirements.
- Evidence of post-market support planning, including security patch delivery and update mechanisms that don’t degrade security or require user intervention.

But meeting these obligations isn’t just about static policies or one-time checks. The CRA expects manufacturers to take a continuous approach, particularly when it comes to vulnerability management and post-market surveillance. That includes monitoring for newly disclosed vulnerabilities affecting both in-house and third-party components, tracking the rollout of patches, and ensuring issues are addressed before they lead to exploitation. In practice, this often requires real-time or near-real-time insight into how your product is behaving in the field, especially for connected devices operating in critical environments. Evidence-based monitoring not only supports faster incident response but also strengthens your compliance posture by making updates, mitigations, and risk decisions fully auditable. But more importantly, your CISO customers will give you tonnes of product kudos!
Yet most manufacturers are not set up to do this effectively. Security teams and legal teams often work in silos. Engineering teams may not know what documentation to produce, or how to map product features to regulatory language. Supply chain security is rarely transparent, and SBOMs are often outdated or incomplete.
At Periphery, our Insights module is designed to break this cycle. We help you:
- Translate regulatory language into concrete engineering tasks.
- Identify security gaps and remediation priorities across your product’s lifecycle.
- Map your documentation and processes against CRA Annex I & VII.
- Provide a prioritised roadmap for compliance based on your product maturity, market needs, and time-to-market pressures.
Our process includes engaging with key stakeholders, analysis of your SDLC, architecture and update mechanisms, and a tailored set of findings delivered in days.
Why act now?
Because many of CRA’s obligations require deep structural alignment. If your team only begins preparing in 2026, you may already be too late to launch. Worse, missing compliance could block your CE mark, and with it, your access to the EU market.
Periphery is helping to ensure that doesn’t happen. Contact us today!