Loading...
CONTINUOUS CRA SUPPORT

Finite State Managed
CRA Services

Finite State delivers the artifacts and workflows manufacturers need to support EU Cyber Resilience Act (CRA) self-assessment generated from the designated product and maintained over time.

Request CRA WalkthroughRequest CRA WalkthroughReview CRA DeliverablesReview CRA Deliverables
Aptiv logo
Hitachi Energy logo
Google logo
Quectel logo
Hubbell logo
Jhonson Controls logo
Aptiv logo
Hitachi Energy logo
Google logo
Quectel logo
Hubbell logo
Jhonson Controls logo

How It Works

Turn Product Evidence
Into CRA Compliance

Finite State's managed CRA services turn product inputs into maintained artifacts and workflows for CRA self-assessment.

Monitoring & disclosure

VEX support • CVD workflow

Technical docs

Audit-ready package • DoC template

Finite StateFinite State

Finite State is the Product Security Automation Platform that functions as an autonomous Product Security OS: design → verify → prove, grounded in what you ship.

Platform

Platform Overview
Ground Truth Inventory
Exploitability-Based Prioritization
Design-Time Architecture Security
Automated Evidence-Backed Compliance

Software Analysis

Living SBOM- Component inventory

Risk & Vulnerability

Reachability-based risk assessment

Monitoring & disclosure

VEX support • CVD workflow

Technical docs

Audit-ready package • DoC template

Software Analysis

Living SBOM- Component inventory

Risk & Vulnerability

Reachability-based risk assessment

Five Maintained Deliverables for CRA Self-Assessment

Reviewable, product-specific deliverables that support CRA self-assessment and ongoing readiness.

What's Included

Living SBOM

Binary software inventory for efficient management

Vulnerability Monitoring

Ongoing vulnerability correlation, notification, and VEX support

Vulnerability Support

Draft notifications, CVD policy, and reporting workflow support

Cybersecurity Risk

Threats, controls, gaps, and remediation guidance

Tech Docs

Documentation assembled to support self-assessment and declaration execution

CRA Deliverable Mapping

How We Deliver CRA Support

Explore how Finite State’s managed services map each deliverable to CRA requirements and ongoing product obligations.

Software Composition from Firmware and Binaries

Generates and maintains a product SBOM from customer-provided binaries, with exportable output in standard formats.

CRA alignment

  • Updated on new versions
  • No source required
  • SPDX / CycloneDX

Supports CRA software transparency and technical documentation requirements.

Ownership + Scope

We Carry the Weight.You Keep Control.

We generate the proof

What Finite State carries

  • Generates SBOM & VEX from what you ship

Planning Milestones

Key CRA Dates That Shape Service Planning

CRA obligations phase in over time, but evidence, monitoring, and reporting workflows need to be established before those deadlines arrive.

The CRA officially entered into force, establishing baseline cybersecurity expectations across EU markets.

Dec 10, 2024
Milestone connectorMilestone connector

Conformity assessment body provisions begin.

June 11, 2026
Milestone connectorMilestone connector

Use reachability, exploit intelligence, and product context to identify what actually matters.

Sep 11, 2026
Milestone connectorMilestone connector

Main obligations apply fully. Technical evidence and documentation required.

Dec 11, 2027

Pricing

Annual pricing, scoped per product.

One product, one annual engagement

All five CRA deliverables, maintained across releases

A defensible, audit-ready self-assessment

See how your product maps to CRA requirements.

We'll walk through the scope, deliverables, and what is required for your designated product.

Get CRA PlanGet CRA Plan

Solutions

Device Manufacturers
Automotive
Medical Devices
Energy & Utilities
Government
Industrial

Resources

Blog
Resource Library
Webinars & Videos
Events
Documentation

Company

About Us
CareersHIRING
Press & News
Contact Sales
Media Inquiries
X

© 2026 Finite State. All rights reserved.

Privacy PolicyTerms of UseCustomer Terms and Conditions

Runs the cybersecurity risk assessment

  • Monitors vulnerabilities continuously

  • Drafts disclosures & your CVD policy

  • Assembles technical docs & the DoC template

  • You own the decision

    What stays yours

    • Remediation & the Article 14 determination

    • ENISA / SRP filing

    • Signed Declaration of Conformity

    Readiness for CRA reporting deadlines

    Start EngagementStart Engagement

    Audit Ready

    Annual scope

    The complete annual scope, five deliverables, full monitoring and disclosure.

  • Manufacturer accountability

  • Finite StateFinite State
    Finite StateFinite State
    Get a DemoGet a Demo