Make your device CRA-ready — without slowing down development.
We translate cybersecurity requirements into practical engineering — from device identity and provisioning to secure firmware and backend integration.
What CRA Means for Device Manufacturers
The EU Cyber Resilience Act (CRA) requires all manufacturers of products with digital elements — including IoT devices, smart home products, and connected hardware — to implement embedded cybersecurity measures before selling in the European Union. The compliance deadline is December 11, 2027. Non-compliance results in fines up to €15 million or 2.5% of global annual turnover, and products may be banned from the EU market entirely.
For many teams, the challenge is not understanding the regulation but implementing it correctly in real systems.
Where Teams Struggle
- Translating requirements into device architecture
- Designing secure provisioning and identity
- Implementing secure firmware updates (OTA)
- Integrating device and backend trust chains
- Producing documentation required for audits
What We Do
We provide the engineering foundation required to build CRA-aligned device systems.
This includes:
- Security architecture (device identity, provisioning, authentication)
- Threat modeling and risk analysis
- Secure firmware and update mechanisms
- Backend integration and trust infrastructure
- Production and manufacturing flows
CRA-Ready Documentation
We produce technical artifacts that form the basis for compliance:
- Security architecture documentation
- Threat model and risk assessment
- SBOM (Software Bill of Materials)
- Provisioning and identity flows
- Secure firmware update design
- Integration requirements for backend systems
These documents support certification and audit processes without turning engineering into paperwork.
How We Work
- Define requirements and scope
- Build a threat model
- Design security architecture
- Implement firmware and flows
- Deliver documentation and handover
What You Get
- Production-ready secure firmware components
- Clear, auditable security architecture
- CRA-aligned documentation
- Integration guidelines for your backend and production systems
Frequently Asked Questions
What is the EU Cyber Resilience Act (CRA) and when does it apply?
The EU Cyber Resilience Act (CRA) is a regulation requiring all manufacturers of connected and IoT devices sold in the European Union to implement embedded cybersecurity measures and maintain technical documentation. The compliance deadline is December 11, 2027. Non-compliance results in fines up to €15 million or 2.5% of global annual turnover, and products may be banned from the EU market.
Who does the Cyber Resilience Act apply to?
CRA applies to any manufacturer that places products with digital elements on the EU market — regardless of where the company is based. This includes IoT devices, smart home products, industrial equipment, medical devices, automotive components, and any hardware with network connectivity or software components.
What documentation does CRA require?
CRA requires manufacturers to produce: (1) a Software Bill of Materials (SBOM), (2) a threat model and risk assessment, (3) security architecture documentation, (4) secure firmware update design, and (5) vulnerability handling procedures. These documents must be maintained throughout the product lifecycle.
What is the difference between CRA and NIS2?
CRA regulates manufacturers of hardware and software products — it applies to what you build and sell. NIS2 regulates organizations that operate critical infrastructure. If you manufacture IoT devices for sale in the EU, CRA is your primary compliance obligation.
How much does CRA compliance cost for a small IoT manufacturer?
CRA compliance cost depends heavily on when security is added. Designed from the start, embedded security typically adds 15–25% to development costs. Adding security retroactively can cost 2–5x more and may require hardware redesign. Working with an experienced partner from early prototyping is the most cost-effective approach.
Does Platanor provide CRA compliance documentation?
Yes. Every Platanor engagement includes a full CRA documentation package: SBOM, threat model and risk assessment, security architecture documentation, and secure firmware update design — delivered alongside production-ready source code.
Preparing for CRA?
We help you turn requirements into working systems — quickly and correctly.