CRA support — build securely without slowing down

We help product teams meet the Cyber Resilience Act as a by-product of good engineering. An ASVS kickstart and ongoing support that walk alongside you all the way to 2027.

About the service

The Cyber Resilience Act entered into force in December 2024. Its obligations phase in step by step: vulnerability and incident reporting from September 2026, and the full set of requirements from December 2027. That means the right moment to improve how you work is now, while you can still do it at a calm pace.

We don't start in the regulation. We start in the product. With OWASP as the working reference we build security into how the team works every week. Once security is in place, compliance becomes a by-product of good engineering — not a separate project alongside development.

CRA support comes in two parts. A kickstart where we set an ASVS baseline, map the current state and produce a concrete backlog. And ongoing support where we walk alongside the team month by month — with ASVS reviews, regulatory tracking and sparring on concrete decisions.

This isn't a documentation project to tick off. Software and binders don't solve the problem — what's needed is a process that ensures security is actually built into the product over time. That's where ongoing support differs from a one-off engagement.

Core principle

Build securely. Documentation arrives as a by-product.

Ways of working first. Documentation as by-product. Security all the way through.

The challenge

Why CRA projects go wrong

01

The regulation as a checklist

Teams get pushed to start in the legal text instead of in the product. Security becomes a documentation project running alongside development, not a property of the product itself.

02

OWASP without governance

ASVS, Cheat Sheets and SAMM are free on the internet. But without ongoing governance, they get used unsystematically, by individual developers, and disappear when someone changes team.

03

Audits without traceability

When the auditor asks how security was built in, the answer is verbal or in someone's head. The basis for actual decisions is missing — even if the documents look polished.

The result is compliance on paper — not in the product.

CRA support

Two ways into CRA work

Timeframe 4–6 weeks

CRA Kickstart

A one-off engagement to establish an ASVS baseline and a concrete backlog. You get a picture of where you stand against CRA and which controls to prioritise first. A good starting point even if you aren't planning ongoing support right away.

  1. Rapid interviews

     Tech lead, security lead and product owner. We get to know the product, the architecture and how the team actually makes decisions today.

  2. ASVS baseline

     Choose the ASVS level based on product and risk. Map what you already do. Identify and prioritise gaps.

  3. SAMM maturity assessment

     A lightweight SAMM assessment that establishes a maturity baseline you can measure against later, not just a one-off snapshot.

  4. Backlog and leadership report

     Concrete backlog with prioritised controls and ways of working. Leadership report with current state against CRA, risk picture and plan forward.

Book CRA Kickstart
Timeframe Ongoing, 3/6/12 mo

CRA Sustain

Ongoing support that walks alongside your team month by month. ASVS reviews, regulatory tracking and sparring on concrete decisions. Builds compliance over time instead of in a panic push before audit.

  1. Monthly touch point

     Tech lead and security champion meet with us every month. We go through what has happened, what is coming, and which decisions need to be made.

  2. Quarterly ASVS review

     A larger review where we update gap status, adjust prioritisation and invite more of the team. SAMM maturity is measured anew.

  3. Regulatory tracking

     Changes in CRA harmonised standards (ETSI/CEN-CENELEC), ENISA guidance and relevant CSIRT publications are summarised and translated into actionable suggestions.

  4. Everyday decisions

     When the team faces a concrete choice (how should we handle this?) we are there as a sparring partner via Cheat Sheets and ASVS.

  5. Audit readiness

     When the time comes, the documentation support is already in place. We answer the auditor alongside you, not instead of you.

Get in touch

Comparison

CRA Sustain compared with a typical one-off project

                    Typical one-off project               Verit CRA Sustain
Pace                Big project, then silence             Ongoing, low tempo, high presence
Focus               Produce documents                     Ways of working that produce documents as by-product
Standard            Builds its own framework              OWASP (ASVS, Cheat Sheets, SAMM)
Regulation          Fresh at delivery, ages from there    Tracked continuously, you get updates
Audit readiness     Rush effort before audit              Traceable documentation built over time
Value over time     Drops as the report ages              Rises as the team's maturity grows

What it looks like in practice

From CRA worry to traceable maturity

Anonymised product-team case. This is what ongoing CRA support looks like in everyday work.

01

Starting point

Knew CRA was coming, not where they stood

A product team with a SaaS product on the EU market knew the Cyber Resilience Act was phasing in through 2027. They had read the regulation, become worried, and tried to start from the documentation end — without knowing which controls the product actually met.

02

What we did

ASVS baseline plus ongoing sparring

We set an ASVS baseline tailored to the product's risk and mapped what the team already did. Cheat Sheets became a natural reference in code reviews. A monthly touch point with the tech lead and security champion kept maturity visible — instead of letting it gather dust in a document.

03

Outcome

Compliance built over time, no panic

After six months the team had a concrete backlog with three quarters of the selected ASVS requirements verified. Documentation accumulated as a by-product of code reviews rather than being written as a separate task. When the audit question came half a year later, the evidence was already there: not in a binder, but in how the team actually worked.

What you get

What the team and leadership get from CRA support

  • An ASVS level tailored to your product and risk — not a generic checklist.

  • A concrete backlog of prioritised controls, not a list of words.

  • Cheat Sheets embedded in the team's everyday decisions, so secure choices become the easy choice.

  • SAMM maturity measured and tracked over time — so improvement is visible, not claimed.

  • Regulatory tracking without your team having to read the regulation.

  • Traceable documentation built as a by-product of development, not as a separate track.

  • An external party who can answer the auditor alongside you — not a consultant who has disappeared.

  • Predictable monthly cost instead of a large project every other year.

If you also need support at the organisation and operations level we complement with NIS2 work or CISO-as-a-Service. CRA support is focused on the product.

FAQ

Questions product teams and leadership ask us

Do we need to be certified to anything for CRA?

Not necessarily. Most products fall in the CRA's default category, where the manufacturer can self-assess conformity against the essential requirements. Products the regulation classes as important or critical may need third-party conformity assessment or, for some critical products, a European cybersecurity certificate. Either way, ASVS and SAMM work gives auditors evidence they can work from: concrete controls and traceable maturity rather than a binder of words.

We already have a consultant doing our NIS2. Does this clash?

No. NIS2 (and the national cybersecurity act that implements it) is about organisation and operations. CRA is about the product you sell. They complement each other and we're happy to coordinate with your existing NIS2 advisor.

Does the whole development team need to be involved ongoing?

No. Often the tech lead plus one security champion at the monthly meeting is enough. Larger reviews happen quarterly with more of the team invited.

What happens in 2027 if we aren't ready?

Non-compliance can be met with fines (up to EUR 15 million or 2.5 % of worldwide annual turnover for breaches of the essential requirements) and products can be withdrawn from the EU market. The whole point of ongoing support is that you don't end up there: you build maturity over time rather than in a panic push the final year.

Last reviewed: June 2026.

Ready to start?

Book a 30-minute CRA check. A short qualifying conversation where we look at where you stand today and whether ongoing CRA support is right for your product.

Book a 30-minute CRA check