Five Outcomes. One Compliant Product. One Cost.
Finite State delivers CRA compliance as concrete, auditable outcomes. You pay per product; you get the evidence package regulators require.
Defined deliverables · Per product, all-in · Time to first deliverable · Continuous monitoring included
Five Deliverables. Every One Maps to a CRA Requirement.
This is an outcome-based managed service. You don't buy software licenses or consulting hours — you buy completed compliance deliverables, produced and maintained by Finite State on your behalf.
| # | Deliverable | CRA obligation covered | Timeline |
|---|---|---|---|
| 1 | One Living SBOM | Annex I §1(1) · BSI TR-03183-2 | Week 1–2 |
| 2 | One Cybersecurity Risk Assessment | Annex I §1(2) | Week 2–4 |
| 3 | Continuous Monitoring (12 months) | Annex I §2(5) · Article 14 | Active from Week 1 |
| 4 | Managed Vuln Disclosure (incl. drafts) | Article 14 · Annex I §2(1–4) · ENISA SRP | Ongoing, <24hr response |
| 5 | One Declaration of Conformity | Articles 28 & 31 · Annex V | Week 4–6 |
Living SBOM — Complete Software Transparency for Your Product
A machine-readable, continuously maintained inventory of every software component in your product. Updated on every firmware release, forever.
What we deliver
A complete, enriched SBOM for every firmware or software release of your product — produced from binary analysis alone. You don't need to provide source code. You hand us the binary; we return a CRA-compliant SBOM in SPDX and CycloneDX formats within 1–2 weeks.
- All components identified — OS, open-source libraries, third-party SDKs, modem firmware, embedded stacks
- Version numbers, license classifications, and supplier information for every component
- Known vulnerabilities (CVEs) pre-mapped to each component at delivery
- Delivered in SPDX 3.x and CycloneDX 1.6 — both formats ENISA and BSI TR-03183-2 accept
- Machine-readable and stored in a centralized, auditor-accessible repository
- Updated automatically on each new firmware release throughout your 12-month engagement
Cybersecurity Risk Assessment — Documented Threats & Controls
A structured, auditable risk assessment aligned to CRA Annex I and IEC 62443 — covering your product's attack surface, identified threats, and the security controls that address them.
What we deliver
A complete cybersecurity risk assessment document — structured for both technical reviewers and EU notified bodies. Built using Assurance Studio, which maps every identified threat to a specific security control, generating the traceability regulators require.
- Attack surface analysis for your specific product architecture and intended use
- Threat register using STRIDE/TARA methodology aligned to CRA and IEC 62443-4-1
- Each threat rated by likelihood, impact, and inherent risk score
- Security controls mapped to each threat — with implementation status and evidence references
- Requirements traceability matrix: CRA requirement → threat → control → evidence
- Exportable as a CRA technical documentation artifact — auditor-ready
Continuous Monitoring — 12 Months of Post-Market Security Oversight
Hourly checks of your product SBOM against 250+ global vulnerability sources. Every new CVE assessed against your component inventory within one hour of disclosure.
What we deliver
CRA requires manufacturers to monitor deployed products for newly discovered vulnerabilities throughout the product lifecycle. Finite State fulfills this by running continuous, automated correlation between your product SBOM and a global stream of vulnerability intelligence — checked hourly.
- Hourly SBOM-to-CVE correlation across NVD, ENISA EUVD, OSV, vendor advisories, GitHub Security Advisories, and 250+ additional sources
- Automatic alert generated the moment a new CVE matches a component in your product
- Exploit availability, CVSS score, and reachability analysis applied to every new match
- All monitoring results documented — creating the continuous audit trail CRA requires
- Manufacturer notified immediately; 24-hour disclosure drafting process triggered automatically
- Full 12-month coverage included in the base per-product engagement
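The hourly SBOM-to-CVE correlation described above, as an added example that is not Finite State's code and does not reflect the platform's actual formats or sources: a Python stand-in that matches a constructed CycloneDX-style component list against a constructed OSV-like advisory feed, computes the delta between two consecutive hourly runs so that only new matches raise an alert, and orders the alerts for the responsible party. Every component, advisory id, version range and score here is constructed sample data (the ids are placeholders, not CVE numbers). The one point worth noting is the version-range boundary: advisory feeds typically express "affected" as a half-open range, so a component at exactly the fixed version is not a match; treating that boundary as inclusive is a common source of false-positive alerts.

```python
"""Added example (not Finite State's code): hourly SBOM-to-advisory correlation
with delta alerting, using constructed sample data only."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX-style component list (a few of the fields a real SBOM carries).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
        {"name": "busybox", "version": "1.35.0", "purl": "pkg:generic/busybox@1.35.0"},
        {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    ],
}

# Constructed advisory records in an OSV-like shape. The affected range is
# [introduced, fixed): the "fixed" version itself is NOT affected. The ids are
# placeholders, not real CVE numbers.
SAMPLE_FEED_HOUR_1 = [
    {"id": "EXAMPLE-0001", "purl_prefix": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.8", "cvss": 7.5, "exploit_known": True},
    {"id": "EXAMPLE-0002", "purl_prefix": "pkg:generic/zlib",
     "introduced": "0", "fixed": "1.3.1", "cvss": 9.8, "exploit_known": False},
]
# One hour later the feed has grown by one record.
SAMPLE_FEED_HOUR_2 = SAMPLE_FEED_HOUR_1 + [
    {"id": "EXAMPLE-0003", "purl_prefix": "pkg:generic/busybox",
     "introduced": "1.30.0", "fixed": "1.36.0", "cvss": 5.3, "exploit_known": False},
]


@dataclass(frozen=True)
class Match:
    advisory_id: str
    component: str
    version: str
    cvss: float
    exploit_known: bool


def parse_version(text: str) -> tuple:
    """Turn '1.2.3-rc1' into (1, 2, 3); non-numeric suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check [introduced, fixed); fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def correlate(sbom: dict, feed: list) -> list:
    """Match every SBOM component against every advisory in the feed."""
    matches = []
    for comp in sbom["components"]:
        purl_prefix = comp["purl"].split("@", 1)[0]
        for adv in feed:
            if adv["purl_prefix"] != purl_prefix:
                continue
            if is_affected(comp["version"], adv["introduced"], adv.get("fixed")):
                matches.append(Match(adv["id"], comp["name"], comp["version"],
                                     adv["cvss"], adv["exploit_known"]))
    return matches


def new_matches(previous: list, current: list) -> list:
    """Advisory ids present in this run but not in the last one: these are the alerts."""
    seen = {m.advisory_id for m in previous}
    return sorted(m.advisory_id for m in current if m.advisory_id not in seen)


def triage(matches: list) -> list:
    """Order matches for the responsible party: known exploit first, then by CVSS."""
    return sorted(matches, key=lambda m: (not m.exploit_known, -m.cvss))


if __name__ == "__main__":
    hour1 = correlate(SAMPLE_SBOM, SAMPLE_FEED_HOUR_1)
    hour2 = correlate(SAMPLE_SBOM, SAMPLE_FEED_HOUR_2)
    print("new this hour:", new_matches(hour1, hour2))
    for m in triage(hour2):
        print(m)
```

Run as a script, the block reports EXAMPLE-0003 as the only new alert in the second hour: the openssl match already existed, and zlib 1.3.1 is excluded because it equals the advisory's fixed version. Keeping the previous run's match set is what turns a full re-correlation into a stream of first-seen alerts.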
Managed Vulnerability Disclosure — We Draft It. You Approve It. We File It.
When a new CVE matches your product, Finite State auto-generates a CRA-compliant disclosure report, you review and approve it, and we upload it directly to the ENISA Single Reporting Platform — within the 24-hour window.
What we deliver
CRA Article 14 requires you to notify ENISA and your national CSIRT within 24 hours of discovering an actively exploited vulnerability. Finite State handles the entire workflow — detection through filing — so you meet every deadline without building an internal team to do it.
- Hour 0: Monitoring detects CVE match in your product SBOM
- Hour 1: Auto-generated draft disclosure created (ENISA SRP / BSI TR-03183-3 format)
- Hour 2: Alert sent to your designated responsible party with draft attached for review
- Hour 4–24: You edit and approve; Finite State uploads directly to ENISA SRP via API connector
- 72 hours: Full technical notification drafted and filed
- 14 days: Vulnerability disposition plan drafted and filed (see Bonus deliverable below)
- All filings retained with full audit trail for regulatory inspection
Sample draft header: Early Warning · ENISA SRP (Art. 14 §1)
Declaration of Conformity — CE Mark Ready
The complete technical documentation package required to affix the CE mark and issue your EU Declaration of Conformity — including all supporting evidence artifacts from deliverables 01–04.
What we deliver
The EU Declaration of Conformity is the legal document that permits you to affix a CE mark and sell your product into the EU market. It is backed by a technical documentation dossier that must be retained and available to regulators on request. Finite State produces both.
- Product architecture description and security design decisions documented
- Risk assessment results (from Deliverable 02) packaged as Annex V artifact
- Vulnerability handling process description with evidence of operation
- SBOM (from Deliverable 01) included in technical dossier
- Update and support policies — including defined end-of-life date
- EU Declaration of Conformity document — signed, dated, and CE mark authorization confirmed
- All documentation retained in centralized, auditor-accessible repository
Sample Declaration of Conformity card: Manufacturer Acme · Berlin; Product Smart Gateway SG-400; Legislation (EU) 2024/2847, CRA Art. 28; Technical refs FS-SBOM-SG400-v241 · FS-RA-v1; Signatory and Date fields left blank.
Bonus Deliverable — Vulnerability Disposition Plan (14-Day Filing)
Required by CRA Article 14 within 14 days of an initial vulnerability report. Finite State drafts and files this for every incident, documenting root cause, remediation actions, patch timeline, and preventive measures.
Vulnerability Disposition Plan — 14-Day Required Filing
Drafted and filed by Finite State within 14 days of any initial vulnerability report. Documents what happened, what you're doing about it, and how you're preventing recurrence.
What we deliver
The 14-day final report is the most detailed CRA reporting obligation. It closes out the disclosure loop started at T+24hr and must include root cause analysis, impact assessment, remediation status, and preventive measures. Finite State drafts this automatically from the monitoring data and vulnerability lifecycle captured in the platform.
- Full description of the vulnerability and exploited component
- Impact assessment: affected devices, EU member state exposure, data risk
- Actions taken to contain and remediate the incident
- Patch/update release date and delivery mechanism
- Preventive measures and process improvements implemented
- Filed to ENISA SRP and CSIRT via the same direct connector used at T+24hr
Pricing
Simple. Per-Product. All-Inclusive.
No hidden consulting hours, no software license separate from services. One number covers all five deliverables plus 12 months of managed monitoring and disclosure for a single product.
per product · pricing provided by your Finite State team
Volume Discount
Managing multiple products? Pricing scales favorably with volume. Discounts available for 3+ products — contact your Finite State account team to structure a multi-product engagement that fits your portfolio and budget.
Early-Execution Incentive — April 15th
Engagements signed and initiated before April 15, 2025 qualify for preferential pricing and priority onboarding slots. Capacity is limited — we run a finite number of concurrent managed engagements. Secure your slot now.
Ready to get your first CRA-compliant product?
Hand us your firmware binary. In 1–2 weeks you'll have a complete SBOM, a matched vulnerability list, and a compliance evidence package your legal team can use.