Nemko Digital, a leading authority in AI governance and digital trust, has launched a comprehensive compliance roadmap and checklist to aid organizations in gearing up for the European Union’s Cyber Resilience Act (CRA). The initiative addresses an urgent deadline for manufacturers: by September 11, 2026, companies must have systems in place to report actively exploited vulnerabilities and significant incidents within 24-hour and 72-hour windows, respectively.
This announcement follows the success of a recent webinar on CRA compliance, which attracted nearly 600 registrants, with close to 400 attending live. This high turnout highlights the growing concern within the industry as the timeline for one of the EU’s most extensive cybersecurity mandates approaches. The CRA mandates cybersecurity requirements for hardware and software products with digital elements sold in the EU, affecting a wide range of products from consumer IoT devices to connected vehicles. Although full compliance is required by December 2027, the urgency of the September 2026 reporting milestone necessitates immediate action in establishing governance, consolidating software bills of materials, and developing auditable incident response capabilities.
Pepijn van der Laan, Global Technical Director for AI Trust at Nemko Digital, emphasized the importance of the upcoming milestone, noting that manufacturers must be operationally ready to detect and report product vulnerabilities within the required timelines. The consequences for non-compliance are significant, with companies facing penalties of up to €15 million or 2.5 percent of their global annual turnover for major violations. Despite this, polling data from Nemko Digital’s webinar suggests that around 70 percent of manufacturers are still in the initial stages of their compliance journey, seeking foundational knowledge and structured guidance.
The new CRA Compliance Roadmap from Nemko Digital offers a structured six-step framework that turns the complex regulatory requirements into a manageable program. The roadmap, available at https://digital.nemko.com/cra-compliance-roadmap, was developed by CRA experts and has been validated by over 500 compliance professionals. It guides teams through discovery, executive alignment, applicability assessment, gap analysis, remediation and process build-out, validation and testing, and continuous monitoring. Complementing this is a 30-item checklist that breaks each phase down into actionable tasks for product teams, security leaders, and compliance officers.
Bas Overtoom, Global Business Development Director at Nemko Digital, warned of the challenges presented by the summer months, recommending that organizations complete the majority of their compliance work by early July. That leaves the summer period for finalizing procedures and testing processes ahead of the September deadline. Companies with RED (Radio Equipment Directive) certification already have a head start, as many requirements overlap with the CRA, although the latter introduces new obligations around vulnerability handling and secure development practices. The CRA Compliance Roadmap and checklist are freely available for download without registration, so compliance teams can share them widely.