Nemko Digital, a leader in AI governance and digital trust, has unveiled a free compliance roadmap and checklist designed to assist organizations in preparing for the European Union’s Cyber Resilience Act (CRA). As companies face the crucial deadline of September 11, 2026, they must be ready to report actively exploited vulnerabilities and significant incidents within 24-hour and 72-hour windows. This development is particularly significant for manufacturers, who must act quickly to align with one of the EU’s most comprehensive cybersecurity mandates.
The CRA imposes mandatory cybersecurity standards for digital hardware and software sold within the EU, impacting a wide range of products from consumer IoT devices to industrial control systems. While full compliance is required by December 2027, the immediate focus is on the operational readiness milestone set for September 2026. Organizations need to establish robust governance, consolidate software bills of materials (SBOMs), and develop auditable incident response protocols. According to Pepijn van der Laan, Global Technical Director of AI Trust at Nemko Digital, this milestone emphasizes readiness throughout the product lifecycle, not just at launch.
Highlighting the urgency, Nemko Digital’s recent webinar on CRA compliance attracted nearly 600 registrants, with almost 400 attending live, reflecting significant industry concern. Despite this interest, around 70 percent of manufacturers are in the early stages of compliance, seeking knowledge and support. To aid these companies, Nemko Digital has introduced a structured, 6-step action framework that transforms the complex regulatory demands into a manageable program. This roadmap, validated by over 500 compliance professionals, guides organizations through crucial phases such as discovery, gap analysis, and continuous monitoring, supported by a detailed 30-item checklist.
Bas Overtoom, Global Business Development Director at Nemko Digital, emphasizes the importance of starting compliance efforts immediately to avoid potential bottlenecks, particularly given the traditional summer slowdown across Europe. By completing initial work by early July, organizations can utilize the quieter summer months to finalize procedures and ensure readiness for the September deadline. The roadmap, accessible at digital.nemko.com/cra-compliance-roadmap, is freely available without registration, ensuring broad access to this essential resource.
Organizations already certified under the Radio Equipment Directive (RED) will find some overlap in requirements, easing their path to CRA compliance. However, new obligations around vulnerability management and secure development practices highlight the need for immediate action. Nemko Digital remains committed to supporting global enterprises in navigating these digital regulatory challenges, leveraging its extensive expertise in product certification and testing to build trust in the digital landscape.