Managed CRA Compliance Service

Five Outcomes. One Compliant Product. One Cost.

Finite State delivers CRA compliance as concrete, auditable outcomes. You pay per product; you get the evidence package regulators require.

  • Defined deliverables
  • Flat: per product, all-in
  • 1–2 wks: time to first deliverable
  • 1 yr: continuous monitoring included


Ready to get your first CRA-compliant product?

Hand us your firmware binary. In 1–2 weeks you'll have a complete SBOM, a matched vulnerability list, and a compliance evidence package your legal team can use.

Finite State is the Product Security Automation Platform that functions as an autonomous Product Security OS: design → verify → prove, grounded in what you ship.

© 2026 Finite State. All rights reserved.

What You're Buying

Five Deliverables. Every One Maps to a CRA Requirement.

This is an outcome-based managed service. You don't buy software licenses or consulting hours — you buy completed compliance deliverables, produced and maintained by Finite State on your behalf.

#  Deliverable                               CRA obligation covered                        Timeline
1  One Living SBOM                           Annex I §1(1) · BSI TR-03183-2                Week 1–2
2  One Cybersecurity Risk Assessment         Annex I §1(2)                                 Week 2–4
3  Continuous Monitoring (12 months)         Annex I §2(5) · Article 14                    Active from Week 1
4  Managed Vuln Disclosure (incl. drafts)    Article 14 · Annex I §2(1–4) · ENISA SRP      Ongoing, <24hr response
5  One Declaration of Conformity             Article 28 & 31 · Annex V                     Week 4–6
Deliverable 1 · Living SBOM — Complete Software Transparency for Your Product

A machine-readable, continuously maintained inventory of every software component in your product. Updated on every firmware release, forever.

CRA Annex I §1(1)
BSI TR-03183-2

What we deliver

A complete, enriched SBOM for every firmware or software release of your product — produced from binary analysis alone. You don't need to provide source code. You hand us the binary; we return a CRA-compliant SBOM in SPDX and CycloneDX formats within 1–2 weeks.

  • All components identified — OS, open-source libraries, third-party SDKs, modem firmware, embedded stacks
  • Version numbers, license classifications, and supplier information for every component
  • Known vulnerabilities (CVEs) pre-mapped to each component at delivery
  • Delivered in SPDX 3.x and CycloneDX 1.6 — both formats ENISA and BSI TR-03183-2 accept
  • Machine-readable and stored in a centralized, auditor-accessible repository
  • Updated automatically on each new firmware release throughout your 12-month engagement

Why binary analysis matters: Most IoT manufacturers can't get SBOMs from their ODM suppliers. Finite State extracts components directly from compiled firmware — no source, no supplier cooperation needed.

Example Output (live mockup)
SBOM · Smart-Gateway-FW-v2.4.1 · CycloneDX 1.6

Component        Version   License      CVEs
OpenSSL          1.1.1t    OpenSSL      3 CVEs
BusyBox          1.36.1    GPL-2.0      Clean
Linux Kernel     5.15.78   GPL-2.0      1 CVE
libcurl          7.88.0    MIT          Clean
Quectel EC25 FW  EC25…     Proprietary  1 Advisory
zlib             1.2.11    zlib         Clean

Components: 247 · Critical CVEs: 4 · License flags: 3 · Format: SPDX 3.0 + CycloneDX 1.6
Deliverable 2 · Cybersecurity Risk Assessment — Documented Threats & Controls

A structured, auditable risk assessment aligned to CRA Annex I and IEC 62443 — covering your product's attack surface, identified threats, and the security controls that address them.

CRA Annex I §1(2)

What we deliver

A complete cybersecurity risk assessment document — structured for both technical reviewers and EU notified bodies. Built using Assurance Studio, which maps every identified threat to a specific security control, generating the traceability regulators require.

  • Attack surface analysis for your specific product architecture and intended use
  • Threat register using STRIDE/TARA methodology aligned to CRA and IEC 62443-4-1
  • Each threat rated by likelihood, impact, and inherent risk score
  • Security controls mapped to each threat — with implementation status and evidence references
  • Requirements traceability matrix: CRA requirement → threat → control → evidence
  • Exportable as a CRA technical documentation artifact — auditor-ready

Example Output (live mockup)
Risk Assessment · Smart Gateway v2.4 · Assurance Studio · Mar 14, 2025

Threat                                    Likelihood  Risk      Control
Unauthenticated firmware update via OTA   High        Critical  CTRL-FW-003
Memory corruption via malformed MQTT      Med         High      CTRL-NET-007
Cleartext credentials in /etc/config      High        High      CTRL-DAT-001
Exposed JTAG on production                Med         Medium    CTRL-HW-004
DoS via malformed DNS queries             Low         Low       CTRL-NET-012

14 threats · 9 controls mapped · 3 remediation · CRA Annex I §1(2)
Deliverable 3 · Continuous Monitoring — 12 Months of Post-Market Security Oversight

Hourly checks of your product SBOM against 250+ global vulnerability sources. Every new CVE assessed against your component inventory within one hour of disclosure.

CRA Annex I §2(5)
Article 14

What we deliver

CRA requires manufacturers to monitor deployed products for newly discovered vulnerabilities throughout the product lifecycle. Finite State fulfills this by running continuous, automated correlation between your product SBOM and a global stream of vulnerability intelligence — checked hourly.

  • Hourly SBOM-to-CVE correlation across NVD, ENISA EUVD, OSV, vendor advisories, GitHub Security Advisories, and 250+ additional sources
  • Automatic alert generated the moment a new CVE matches a component in your product
  • Exploit availability, CVSS score, and reachability analysis applied to every new match
  • All monitoring results documented — creating the continuous audit trail CRA requires
  • Manufacturer notified immediately; 24-hour disclosure drafting process triggered automatically
  • Full 12-month coverage included in the base per-product engagement

Example Output (live feed)
Vuln Monitor · Smart-Gateway-FW-v2.4.1 · Live · Checks every hour

  • 2 new matches today
  • 5 exploitable CVEs
  • 241 clean components
  • 250+ sources monitored

09:00 UTC  [NVD]              HIT    CVE-2025-1234 (CVSS 9.1) matched → OpenSSL 1.1.1t · Disclosure draft triggered
08:00 UTC  [ENISA EUVD]       CLEAR  847 new disclosures checked · No component match
07:00 UTC  [GitHub SA]        HIT    GHSA-xxxx-yyyy (CVSS 7.5) matched → libcurl 7.88.0 · Reachability: Not reachable · Low priority
06:00 UTC  [OSV]              CLEAR  1,203 records scanned · No new matches
05:00 UTC  [Vendor Advisory]  CLEAR  Quectel bulletin checked · No impact to EC25EFAR06A08M4G
Deliverable 4 · Managed Vulnerability Disclosure — We Draft It. You Approve It. We File It.

When a new CVE matches your product, Finite State auto-generates a CRA-compliant disclosure report, you review and approve it, and we upload it directly to the ENISA Single Reporting Platform — within the 24-hour window.

CRA Article 14
ENISA SRP
BSI TR-03183-3
Managed Service

What we deliver

CRA Article 14 requires you to notify ENISA and your national CSIRT within 24 hours of discovering an actively exploited vulnerability. Finite State handles the entire workflow — detection through filing — so you meet every deadline without building an internal team to do it.

  • Hour 0: Monitoring detects CVE match in your product SBOM
  • Hour 1: Auto-generated draft disclosure created (ENISA SRP / BSI TR-03183-3 format)
  • Hour 2: Alert sent to your designated responsible party with draft attached for review
  • Hour 4–24: You edit and approve; Finite State uploads directly to ENISA SRP via API connector
  • 72 hours: Full technical notification drafted and filed
  • 14 days: Vulnerability disposition plan drafted and filed (see Bonus deliverable below)
  • All filings retained with full audit trail for regulatory inspection

Connector: Once approved, Finite State submits directly to the ENISA Single Reporting Platform API — no manual copy-paste, no missed deadlines. All filings timestamped and stored for audit.
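Added example (not Finite State's code) of the mechanics the monitoring and disclosure steps above describe: one hourly pass matches a constructed CycloneDX-style SBOM against a constructed advisory feed, and an exploited match is routed to disclosure drafting with the 24h / 72h / 14-day Article 14 deadlines computed from the detection time. The range syntax, the component names, the detection timestamp and the CVE-XXXX-PLACEHOLDER advisory are assumptions for the example.

```python
import json
from datetime import datetime, timedelta, timezone
DETECTED_AT = datetime(2025, 3, 17, 9, 0, tzinfo=timezone.utc)  # constructed detection time

# Constructed CycloneDX 1.6-style SBOM fragment (not real Finite State output).
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"name": "openssl", "version": "1.1.1t"},
    {"name": "libcurl", "version": "7.88.0"},
    {"name": "zlib", "version": "1.2.11"}]})

# Constructed advisory feed; CVE-XXXX-PLACEHOLDER, ranges and scores are made up for the example.
FEED = [
    {"id": "CVE-2025-1234", "pkg": "openssl", "affected": "< 1.1.1u", "cvss": 9.1, "exploited": True},
    {"id": "GHSA-xxxx-yyyy", "pkg": "libcurl", "affected": "<= 7.88.0", "cvss": 7.5, "exploited": False},
    {"id": "CVE-XXXX-PLACEHOLDER", "pkg": "openssl", "affected": "< 1.1.1s", "cvss": 5.3, "exploited": False},
]

def vtuple(v):
    """'1.1.1t' -> (1,'',1,'',1,'t'): ints compare with ints, letter suffixes with suffixes."""
    out = []
    for part in v.split("."):
        num = part.rstrip("abcdefghijklmnopqrstuvwxyz")
        out += [int(num), part[len(num):]]
    return tuple(out)

def is_affected(version, affected):
    """Evaluate a '< X' or '<= X' affected-range expression against a component version."""
    op, bound = affected.split()
    return vtuple(version) < vtuple(bound) if op == "<" else vtuple(version) <= vtuple(bound)

def article14_deadlines(detected_at):
    """Filing clock from awareness: 24h early warning, 72h notification, 14-day final report."""
    return {"early_warning": detected_at + timedelta(hours=24),
            "notification": detected_at + timedelta(hours=72),
            "final_report": detected_at + timedelta(days=14)}

def correlate(sbom_json, feed, now):
    """One hourly cycle: match every advisory against every SBOM component. An exploited
    match is routed to disclosure drafting and gets its Article 14 deadlines; others are tracked."""
    hits = []
    for c in json.loads(sbom_json)["components"]:
        for adv in feed:
            if adv["pkg"] == c["name"] and is_affected(c["version"], adv["affected"]):
                hit = {"id": adv["id"], "component": f'{c["name"]} {c["version"]}', "cvss": adv["cvss"],
                       "action": "DISCLOSURE_DRAFT" if adv["exploited"] else "TRACK"}
                if adv["exploited"]:
                    hit["deadlines"] = article14_deadlines(now)
                hits.append(hit)
    return hits

if __name__ == "__main__":
    print(correlate(SBOM_JSON, FEED, DETECTED_AT))
```

A production matcher would key on purl/CPE rather than bare names and consume the vendor-specific range formats of each feed; the deadline arithmetic is the part worth keeping.
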

Example Alert + Draft Disclosure (draft)
ACTIVE EXPLOIT MATCH — Immediate Action Required

CVE-2025-1234 matched to OpenSSL 1.1.1t in Smart-Gateway-FW-v2.4.1. Exploit confirmed in wild · CRA 24hr window active

T+0 Match detected → T+1hr Draft generated → T+24hr File to ENISA SRP → T+72hr Full notification → T+14d Disposition plan

DRAFT: EARLY WARNING NOTIFICATION · ENISA SRP FORMAT (CRA ARTICLE 14 §1)

Manufacturer Name: Acme Connected Systems GmbH
Manufacturer Contact (PSIRT): psirt@acmecs.com
Affected Product Name: Smart Gateway
Affected Firmware Version(s): v2.4.1, v2.4.0, v2.3.x
Vulnerability Identifier: CVE-2025-1234 (CVSS 9.1 Critical) · CWE-787 Out-of-bounds Write · OpenSSL 1.1.1t
Nature of Vulnerability & Type of Exploitation (CRA Art. 14 §1(b)): Heap buffer overflow in OpenSSL's TLS handshake processing. An attacker within network range can trigger remote code execution without authentication. Active exploitation confirmed in the wild (CISA KEV as of 2025-03-17). The affected component is used for all TLS communications in the Smart Gateway management interface.
Member States where product is used (CRA Art. 14 §1(c)): DE, NL, FR, SE, PL — approx. 12,400 units deployed
Suspected Cause (Malicious Action?): Yes — remotely exploitable, active threat actor activity confirmed
Immediate Mitigation (If Available): Restrict management interface access to trusted IP ranges via firewall rule. Full patch (OpenSSL upgrade to 3.x) in preparation — estimated 14 days.
Deliverable 5 · Declaration of Conformity — CE Mark Ready

The complete technical documentation package required to affix the CE mark and issue your EU Declaration of Conformity — including all supporting evidence artifacts from deliverables 01–04.

CRA Article 28 & 31
CRA Annex V

What we deliver

The EU Declaration of Conformity is the legal document that permits you to affix a CE mark and sell your product into the EU market. It is backed by a technical documentation dossier that must be retained and available to regulators on request. Finite State produces both.

  • Product architecture description and security design decisions documented
  • Risk assessment results (from Deliverable 02) packaged as Annex V artifact
  • Vulnerability handling process description with evidence of operation
  • SBOM (from Deliverable 01) included in technical dossier
  • Update and support policies — including defined end-of-life date
  • EU Declaration of Conformity document — signed, dated, and CE mark authorization confirmed
  • All documentation retained in centralized, auditor-accessible repository

Example Document (sample)
EU Declaration of Conformity · CRA Annex IV · CE ✓ Conformity Confirmed

1. Manufacturer: Acme Connected Systems GmbH · Musterstraße 12, 10115 Berlin, Germany
2. Product name & model: Smart Gateway · Model SG-400 Series
3. Firmware version(s): v2.4.1 (and all minor releases under v2.4.x)
4. Legislation: Regulation (EU) 2024/2847 — Cyber Resilience Act, Article 28
5. Conformity assessment route: Self-assessment under Article 32(1) · No third-party notified body required (Class I product)
6. Essential requirements met: CRA Annex I, Section 1 (Product Cybersecurity) and Section 2 (Vulnerability Handling) — evidence referenced in Technical Dossier ref. FS-TD-2025-SG400
7. Technical documentation reference: SBOM: FS-SBOM-SG400-v241 · Risk Assessment: FS-RA-SG400-v1 · Vuln Process: FS-VHP-SG400-v1
8. Support commitment: Security updates provided for a minimum of 5 years from date of last supply. End-of-life date: December 2030.

Authorized Signatory · CEO / CISO
Date
Place

Bonus Deliverable — Vulnerability Disposition Plan (14-Day Filing)

Required by CRA Article 14 within 14 days of an initial vulnerability report. Finite State drafts and files this for every incident, documenting root cause, remediation actions, patch timeline, and preventive measures.

Bonus Deliverable · Vulnerability Disposition Plan — 14-Day Required Filing

Drafted and filed by Finite State within 14 days of any initial vulnerability report. Documents what happened, what you're doing about it, and how you're preventing recurrence.

CRA Article 14 §4
BSI TR-03183-3
Managed Service

What we deliver

The 14-day final report is the most detailed CRA reporting obligation. It closes out the disclosure loop started at T+24hr and must include root cause analysis, impact assessment, remediation status, and preventive measures. Finite State drafts this automatically from the monitoring data and vulnerability lifecycle captured in the platform.

  • Full description of the vulnerability and exploited component
  • Impact assessment: affected devices, EU member state exposure, data risk
  • Actions taken to contain and remediate the incident
  • Patch/update release date and delivery mechanism
  • Preventive measures and process improvements implemented
  • Filed to ENISA SRP and CSIRT via the same direct connector used at T+24hr

Example Plan (14-day report)
Vulnerability Disposition Plan · CVE-2025-1234 · SG-400
BSI TR-03183-3 · CRA Art. 14 §4 · FS-VDP-2025-0318

Day           Action                        Status
Day 0         CVE detected (OpenSSL)        Complete
Day 0 T+24hr  Early warning ENISA + CSIRT   Filed
Day 3 T+72hr  Full notification             Filed
Day 14        Disposition plan filed        Filed

Finite State · Product Security for the Connected World · finitestate.io
CRA regulatory references: EU Regulation 2024/2847 (CRA), Article 14; Annex I, II, IV; BSI TR-03183-2 v2.1.0 and TR-03183-3 v1.0.0; ENISA Single Reporting Platform (operational Sep 2026). This document is current as of March 2025.

Pricing

Simple. Per-Product. All-Inclusive.

No hidden consulting hours, no software license separate from services. One number covers all five deliverables plus 12 months of managed monitoring and disclosure for a single product.

All Five Deliverables. One Engagement.

Per product · pricing provided by your Finite State team

  • 1–2 wks: time to first deliverable (SBOM)
  • 12 mo: monitoring & managed disclosure
  • <24hr: disclosure draft on any match

Included deliverables:

  • Living SBOM (delivered Week 1–2): binary analysis, no source code required, SPDX + CycloneDX
  • Cybersecurity Risk Assessment: threat model, controls mapping, CRA Annex I traceability
  • 12-Month Continuous Monitoring: hourly checks, 250+ sources, exploit + reachability filtering
  • Managed Disclosure (incl. draft + ENISA SRP filing): 24hr / 72hr / 14-day filings handled end-to-end
  • EU Declaration of Conformity: complete Annex V technical dossier + signed EU DoC

Volume Discount

Managing multiple products? Pricing scales favorably with volume. Discounts available for 3+ products — contact your Finite State account team to structure a multi-product engagement that fits your portfolio and budget.

Early-Execution Incentive — April 15th

Engagements signed and initiated before April 15, 2025 qualify for preferential pricing and priority onboarding slots. Capacity is limited — we run a finite number of concurrent managed engagements. Secure your slot now.
