Finite State delivers CRA compliance as concrete, auditable outcomes. You pay per product; you get the evidence package regulators require.
Defined deliverables
Per product, all-in
Time to first deliverable
Continuous monitoring included
Hand us your firmware binary. In 1–2 weeks you'll have a complete SBOM, a matched vulnerability list, and a compliance evidence package your legal team can use.
© 2026 Finite State. All rights reserved.
This is an outcome-based managed service. You don't buy software licenses or consulting hours — you buy completed compliance deliverables, produced and maintained by Finite State on your behalf.
| # | Deliverable | CRA obligation covered | Timeline |
|---|---|---|---|
| 1 | One Living SBOM | Annex I §1(1) · BSI TR-03183-2 | Week 1–2 |
| 2 | One Cybersecurity Risk Assessment | Annex I §1(2) | Week 2–4 |
| 3 | Continuous Monitoring (12 months) | Annex I §2(5) · Article 14 | Active from Week 1 |
| 4 | Managed Vuln Disclosure (incl. drafts) | Article 14 · Annex I §2(1–4) · ENISA SRP | Ongoing, <24hr response |
| 5 | One Declaration of Conformity | Article 28 & 31 · Annex V | Week 4–6 |
A machine-readable, continuously maintained inventory of every software component in your product. Updated on every firmware release, forever.
A complete, enriched SBOM for every firmware or software release of your product — produced from binary analysis alone. You don't need to provide source code. You hand us the binary; we return a CRA-compliant SBOM in SPDX and CycloneDX formats within 1–2 weeks.
A structured, auditable risk assessment aligned to CRA Annex I and IEC 62443 — covering your product's attack surface, identified threats, and the security controls that address them.
A complete cybersecurity risk assessment document — structured for both technical reviewers and EU notified bodies. Built using Assurance Studio, which maps every identified threat to a specific security control, generating the traceability regulators require.
Hourly checks of your product SBOM against 250+ global vulnerability sources. Every new CVE assessed against your component inventory within one hour of disclosure.
CRA requires manufacturers to monitor deployed products for newly discovered vulnerabilities throughout the product lifecycle. Finite State fulfills this by running continuous, automated correlation between your product SBOM and a global stream of vulnerability intelligence — checked hourly.
When a new CVE matches your product, Finite State auto-generates a CRA-compliant disclosure report, you review and approve it, and we upload it directly to the ENISA Single Reporting Platform — within the 24-hour window.
CRA Article 14 requires you to notify ENISA and your national CSIRT within 24 hours of discovering an actively exploited vulnerability. Finite State handles the entire workflow — detection through filing — so you meet every deadline without building an internal team to do it.
CVE-2025-1234 matched to OpenSSL 1.1.1t in Smart-Gateway-FW-v2.4.1. Exploit confirmed in wild · CRA 24hr window active
DRAFT: EARLY WARNING NOTIFICATION · ENISA SRP FORMAT (CRA ARTICLE 14 §1)
The complete technical documentation package required to affix the CE mark and issue your EU Declaration of Conformity — including all supporting evidence artifacts from deliverables 01–04.
The EU Declaration of Conformity is the legal document that permits you to affix a CE mark and sell your product into the EU market. It is backed by a technical documentation dossier that must be retained and available to regulators on request. Finite State produces both.
| Field | Details |
|---|---|
| Manufacturer | Acme Connected Systems GmbH · Musterstraße 12, 10115 Berlin, Germany |
| Product name & model | Smart Gateway · Model SG-400 Series |
| Firmware version(s) | v2.4.1 (and all minor releases under v2.4.x) |
| Legislation | Regulation (EU) 2024/2847 — Cyber Resilience Act, Article 28 |
| Conformity assessment route | Self-assessment under Article 32(1) · No third-party notified body required (Class I product) |
| Essential requirements met | CRA Annex I, Section 1 (Product Cybersecurity) and Section 2 (Vulnerability Handling) — evidence referenced in Technical Dossier ref. FS-TD-2025-SG400 |
| Technical documentation reference | SBOM: FS-SBOM-SG400-v241 · Risk Assessment: FS-RA-SG400-v1 · Vuln Process: FS-VHP-SG400-v1 |
| Support commitment | Security updates provided for a minimum of 5 years from date of last supply. End-of-life date: December 2030. |
Authorized Signatory · CEO / CISO
Date
Place
Required by CRA Article 14 within 14 days of an initial vulnerability report. Finite State drafts and files this for every incident, documenting root cause, remediation actions, patch timeline, and preventive measures.
Drafted and filed by Finite State within 14 days of any initial vulnerability report. Documents what happened, what you're doing about it, and how you're preventing recurrence.
The 14-day final report is the most detailed CRA reporting obligation. It closes out the disclosure loop started at T+24hr and must include root cause analysis, impact assessment, remediation status, and preventive measures. Finite State drafts this automatically from the monitoring data and vulnerability lifecycle captured in the platform.
Pricing
No hidden consulting hours, no software license separate from services. One number covers all five deliverables plus 12 months of managed monitoring and disclosure for a single product.
per product · pricing provided by your Finite State team
Managing multiple products? Pricing scales favorably with volume. Discounts available for 3+ products — contact your Finite State account team to structure a multi-product engagement that fits your portfolio and budget.
Engagements signed and initiated before April 15, 2025 qualify for preferential pricing and priority onboarding slots. Capacity is limited — we run a finite number of concurrent managed engagements. Secure your slot now.