Continuous CRA Support

Finite State Managed CRA Services

Finite State delivers the artifacts and workflows manufacturers need to support EU Cyber Resilience Act (CRA) self-assessment—generated from the designated product and maintained over time.

How It Works

Turn Product Evidence Into CRA Compliance

Finite State’s managed CRA services turn product inputs into maintained artifacts and workflows for CRA self-assessment.

Software Analysis

Risk and Vulnerability Context

Monitoring and Disclosure Support

Technical Documentation Package

What's Included

Five Maintained Deliverables for CRA Self-Assessment

Reviewable, product-specific deliverables that support CRA self-assessment and ongoing readiness.

| Deliverable | Description |
| --- | --- |
| Living SBOM | Binary-derived software inventory |
| Cybersecurity Risk Assessment | Threats, controls, gaps, and remediation guidance |
| Continuous Product Vulnerability Monitoring | Ongoing vulnerability correlation, notification, and VEX support |
| Managed Vulnerability Disclosure Support | Draft notifications, CVD policy, and reporting workflow support |
| Technical Documentation Package + DoC Template | Documentation assembled to support self-assessment and declaration execution |

CRA Deliverable Mapping

How Finite State Delivers CRA Support

Explore how Finite State’s managed services map each deliverable to CRA requirements and ongoing product obligations.

SBOM

Software Composition from Firmware and Binaries

Generates and maintains a product SBOM from customer-provided binaries, with exportable output in standard formats.

CRA alignment

Supports CRA software transparency and technical documentation requirements.

  • SPDX / CycloneDX
  • No source required
  • Updated on new versions

Threats, Controls, and Remediation Guidance

Assesses product risk using threat modeling, platform findings, and control mapping aligned to CRA requirements.

CRA alignment

Aligned to CRA Annex I essential cybersecurity and vulnerability-handling requirements.

  • Threat modeling
  • Control mapping
  • Gap-based recommendations

Continuous Vulnerability Tracking with Product Context

Correlates product components to vulnerability intelligence, notifies the customer of actionable findings, and maintains VEX-backed context over time.

CRA alignment

Supports ongoing vulnerability handling, VEX maintenance, and Article 14 reporting readiness.

  • Ongoing correlation
  • VEX support
  • Actionable notifications

Drafted Workflows for CRA Reporting Timelines

Supports required reporting workflows with draft documentation, coordination support, and a customer-owned CVD policy. Submission remains customer-owned.

CRA alignment

Supports CRA Article 14 reporting workflows and Article 13(6) coordinated vulnerability disclosure requirements.

  • 24h / 72h / 14d drafts
  • CVD policy support
  • Customer submits filings

Documentation Package & Declaration Template

Assembles the technical documentation package, drafts a declaration of conformity template, and supports finalization through readiness review.

CRA alignment

Supports CRA Annex VII technical documentation and Annex V declaration of conformity requirements.

  • Standards mapping
  • Readiness review
  • Customer executes declaration
Ownership + Scope

A Defined Service With Clear Ownership

Built to support manufacturer self-assessment with maintained evidence—not replace manufacturer accountability.

Finite State

  • Generates SBOMs
  • Performs risk assessment
  • Monitors vulnerabilities
  • Drafts disclosure documents
  • Assembles technical documentation
  • Drafts declaration template

Customer

  • Provides product inputs
  • Executes remediation
  • Owns incident response
  • Makes final reporting determinations
  • Submits ENISA / SRP filings
  • Executes declaration
  • Retains compliance responsibility
Engagement Workflow

How the Engagement Works

From setup and initial analysis through documentation assembly and steady-state support, the service is structured to help manufacturers build and maintain the evidence, workflows, and deliverables required for CRA self-assessment.

Setup and Onboarding

Product inputs are collected, initial analysis begins, and the first core deliverables are generated.

Documentation and Conformity

Evidence is assembled into a reviewable documentation package, followed by readiness review and final revisions.

Ongoing Managed Support

Deliverables are maintained over time as products, vulnerabilities, and reporting needs evolve.

Planning Milestones

Key CRA Dates That Shape Service Planning

CRA obligations phase in over time, but evidence, monitoring, and reporting workflows need to be established before those deadlines arrive.

  • Dec 10, 2024

    Entered into force

  • June 11, 2026

    Conformity assessment body provisions begin

  • Sep 11, 2026

    Reporting obligations apply

    Manufacturers need workflows for time-bound reporting.

  • Dec 11, 2027

    Main obligations apply in full

    Technical evidence and documentation must be in place.

Most Teams Have

Disconnected tools, manual coordination, late documentation

What CRA Needs

Maintained product evidence tied to what ships

Pricing

Annual Pricing, Scoped Per Product

Each CRA engagement covers one designated product for 12 months, including onboarding, maintained deliverables, and ongoing managed support.

What’s Included in the Annual Engagement:

  • One product, one annual engagement
  • Five maintained CRA deliverables
  • Monitoring and disclosure support
  • Additional products scoped separately*
  • Renewal available*

See How Your Product Maps to CRA Requirements

We'll walk through the scope, deliverables, and what is required for your designated product.


Finite State is the Product Security Automation Platform that functions as an autonomous Product Security OS: design → verify → prove, grounded in what you ship.

© 2026 Finite State. All rights reserved.
