A lot of CRA advice circulating right now says manufacturers must have a CVD policy and SBOM-driven vulnerability monitoring in place by 11 September 2026 because of Article 14. That is worth a careful read of the actual text.

Article 14(1) and 14(3) both trigger on the same condition: "any actively exploited vulnerability ... that [a manufacturer] becomes aware of" and "any severe incident ... that [a manufacturer] becomes aware of." The entire 24h / 72h / final-report cascade hangs off that awareness trigger.

What Article 14 does not contain:
• A duty to publish a coordinated vulnerability disclosure (CVD) policy
• A duty to maintain an SBOM
• A duty to actively monitor vulnerability feeds or threat intelligence
• Any process obligation to seek awareness

Those obligations exist — but they live in Article 13 and Annex I Part II, which apply from 11 December 2027, not September 2026.

To be fair to the steelman: having some intake channel and watching feeds like CISA KEV is operationally sensible, and it helps you actually operationalise Article 14 reporting when an event occurs. We recommend it. But there's a difference between what is sensible practice and what is legally mandated by Article 14 from September 2026 — and the regulation only goes as far as making it sensible practice, not a legal requirement.

So what does Article 14 actually require? It requires manufacturers to report specific information within specific deadlines when an actively exploited vulnerability or severe incident occurs. That's the obligation. Most of the content in those reports is about the event itself — you cannot pre-fill a vulnerability report for a vulnerability you haven't discovered.

What manufacturers should therefore do is:
🔹 Be familiar with the reporting obligations and know what to do when an event is triggered — the triggers, the 24h / 72h / final-report timelines, and the information each step requires.
🔹 Identify two pieces of information in advance so they can act quickly: the EU Member States where each product has been made available, and the CSIRT designated as coordinator for their main EU establishment.

This isn't mandated upfront preparation — it's the minimum groundwork that lets you meet the deadlines when the clock starts.

We put together a one-page reference so manufacturers can keep the triggers, timelines, and notification flow in one place. Fill in your CSIRT and your Member States, and store it where your incident responders will find it.

📖 Full breakdown (Article 13 vs 14, definitions, SRP workflow, FAQs): https://lnkd.in/e8tPg_KX

Read the text. Save your energy for Article 13 — that's where the substantial work lies.

#CyberResilienceAct #CRA #ProductSecurity #IoT #Compliance
Zealience RED & CRA Cybersecurity Compliance
Software Development
Frankfurt, Hesse 871 followers
Supercharge your EN 18031 compliance with Z-CMS! Save up to 90% in time and costs for your RED Delegated Act compliance.
About us
Zealience Compliance Management Software (Z-CMS) automates the creation of your Technical Documentation for EN 18031, the harmonized standards for the RED Delegated Act. Achieving EN 18031 compliance can be extremely complex and time-consuming, and currently, there are no automation tools available in the industry. This is why we developed Z-CMS.

With Z-CMS, you can:
✅ Generate Technical Documentation and Test Plans in 1 click
✅ Identify assets and requirements on the fly
✅ Simply answer Q&As to document all necessary information
✅ Automatically complete Decision Trees
✅ Track your compliance through an intuitive dashboard

Z-CMS is the fastest and most cost-effective solution. It equips your team to conduct self-assessments in-house, streamlining your compliance process. With Z-CMS, you can achieve product cybersecurity compliance more efficiently, affordably, and independently.

In line with our commitment to support your compliance journey, we also offer free and open-source resources, including technical documentation templates, available on our GitHub page:
🔗 https://github.com/zealience/IoT-Cybersecurity-Compliance/

Be CRA Ready: EN 18031 is the most reliable way to prepare for the Cyber Resilience Act (CRA). As the CRA standards will be built upon EN 18031, the effort you invest in understanding and implementing this standard will ensure your readiness for the CRA.

Contact us for a demo! For more information, visit us at:
🔗 https://zealience.com
- Website: https://zealience.com
- Industry: Software Development
- Company size: 2-10 employees
- Headquarters: Frankfurt, Hesse
- Type: Privately Held
- Founded: 2024
- Specialties: RED, EN 18031, RED Delegated Act, RED Cybersecurity, Compliance, Product security, Regulation, EU, Radio Equipment Directive, Delegated Act, Delegated Regulation, Manufacturer, product security, cybersecurity, product cybersecurity, IoT, OT, CRA, and Cyber Resilience Act
Products
Z-CMS (EN 18031 Compliance Management Software)
Governance, Risk Management, and Compliance (GRC) Software
Are you prepared to comply with the RED Delegated Act by August 2025? If you're looking to conduct a self-assessment with EN 18031 but feel uncertain about the process, or if you want to minimize your time and effort, Z-CMS is the solution you need.

As the first and only software available today that automates EN 18031 compliance, Z-CMS empowers you to:
✅ Generate Technical Documentation and Test Plans with just one click
✅ Identify assets and requirements effortlessly
✅ Easily document all necessary information by answering simple Q&As
✅ Automatically complete Decision Trees
✅ Monitor your compliance status with an intuitive dashboard

Ready to see Z-CMS in action? Contact us today for a demo!
Locations
- Primary: Schumannstraße 27, Frankfurt, Hesse 60325, DE
Updates
-
We're hiring at Zealience! 🚀

We're developing Z-CMS, novel software to automate EU product cybersecurity compliance — namely the Radio Equipment Directive Delegated Act and the Cyber Resilience Act — and we're looking for two talented people to join our team.

🔬 IoT Cybersecurity Researcher
- Location: Frankfurt am Main
- About the role: You'll dive deep into EN 18031 and CRA compliance, shape the technical core of our platform, work directly with IoT manufacturers, and use your expertise to solve concrete industry problems. Ideal if you have a strong background in embedded/product security, IoT pentesting, or applied security research.

💻 Senior Full Stack Developer
- Location: Frankfurt am Main or Bordeaux
- About the role: You'll own features end-to-end — from data model to deployed product — working closely with cybersecurity researchers to turn complex compliance requirements into intuitive interfaces. We're looking for someone with strong frontend depth, full-stack autonomy, and a high bar for quality.

At Zealience, there's no bureaucracy, no endless approval chains — just a small, driven team solving hard problems that matter. You'll have a real voice on product direction from day one.

🔗 See both positions: https://lnkd.in/d29AmuwB

#Hiring #WeAreHiring #IoT #Cybersecurity #FullStackDeveloper #Frankfurt #Bordeaux #Compliance #CRA #REDDA #EN18031
-
The Cyber Resilience Act mandates vulnerability handling for your product's entire support period. The official standard, EN 40000-1-3*, tells you exactly how to meet it.

Careful interpretation of the standard reveals that manufacturers will need 7 documents in place:
1. Vulnerability Handling Policy (the core of everything)
2. CVD Policy
3. SBOM in CycloneDX or SPDX format
4. Hardware Component List
5. Security Test & Review Plan
6. Vulnerability Assessment Reports
7. Security Advisories

We wrote a full breakdown — and we're giving away 3 of them as free templates 🎉
🆓 CVD Policy
🆓 Hardware Component List
🆓 Vulnerability Assessment Report

The most challenging one — Vulnerability Handling Policy — can be automated using Zealience software, Z-CMS 💪

Full article + free templates here: 👉 https://lnkd.in/dhafddKh

*EN 40000-1-3 is currently in draft form and referred to as prEN 40000-1-3.

#CyberResilienceAct #CRA #ProductSecurity #CybersecurityCompliance #VulnerabilityManagement
-
This month, a supply chain attack on LiteLLM — one of the most downloaded AI libraries in the Python ecosystem — compromised tens of thousands of systems within hours. Cloud keys. API credentials. SSH passwords. Kubernetes configs. All stolen. Backdoors installed at the system level. Build pipelines infected. Developer machines compromised. Entire cloud infrastructures — not just one machine — opened up.

And LiteLLM had all the right certifications.

We build compliance software for manufacturers of connected products. Our customers store information about their products — the competitive blueprint. Every time we talk to a prospect, someone asks: "But is our data safe with you?" It's the right question. And if we can't answer it honestly, we have no business calling ourselves a cybersecurity company.

So here's our answer — and it's not a policy document or a certification badge. It's architecture.

Z-CMS runs entirely on your infrastructure. Air-gapped on-prem, or self-hosted in your own private cloud. We have no access to your instance. No analytics pipeline calling home. No AI service processing your data externally. Nothing.

You can verify this. Observe network traffic. Run security tests. Your own security team can audit Z-CMS end to end. Your data never leaves your environment. Your security controls — firewalls, identity management, monitoring — remain fully in force. You stay in control of your own compliance certifications.

Instead of chasing the slickest AI-powered UX, we put our expertise into building our own algorithm from scratch. No AI. No shortcuts. Our Q&A procedure can capture more than 1 million combinations of data to precisely map your product information — and deliver compliance results in real time. No data leaving your infrastructure. Just a purpose-built engine running entirely on your side and delivering results.

This is our commitment to our customers — built on a genuine passion for cybersecurity.

👉 How Z-CMS is deployed: https://lnkd.in/dbC5f_Vs

Next week, we will post about our CRA features. You can have a sneak peek here.
👉 Z-CMS CRA features: https://lnkd.in/ezFYv8fe

#Cybersecurity #IoT #CRA #REDDA #Compliance
-
🚨 CRA deadline approaching — are you ready to handle vulnerabilities based on EN 40000-1-3?

Most companies aren’t. And writing a compliant vulnerability handling policy from scratch or trying to build on top of your existing policy is harder than it sounds. That’s exactly what we just solved in Z-CMS v2.13.0. 👇

We’re excited to launch a brand-new feature:
🔹 CRA Vulnerability Handling Policy Generator

This release also includes:
• 12 new features
• 3 improvements & fixes

🔍 Why this matters
CRA requires manufacturers to handle vulnerabilities — but compliance isn’t just operational. It requires a formal vulnerability handling policy aligned with EN 40000-1-3, and the industry still lacks clarity on what that policy should look like.

💡 At Zealience, we’ve done the heavy lifting — translating the standard into a ready-to-use, compliant policy generator. And yes — you can modify the policy to fully adapt it to fit your organization’s workflow.

⚠️ The challenge
This isn’t just a security task. It impacts your entire organization: CISO • PSIRT • Developers • Support • Legal • Compliance
And the clock is ticking: 11 December 2027

✨ How Z-CMS helps
• Intuitive, Word-like policy creation with built-in guidance
• Pre-configured templates aligned with EN 40000-1-3
• Embedded intelligence and compliance tracking — so you’re never starting from a blank page

📈 From policy to action
Once your policy is ready, plug it into your workflows via ticketing or CRM systems of your choice — and make compliance operational.

👉 Interested? Book a live demo: https://zealience.com

#CyberSecurity #CRA #Compliance #ProductSecurity #ZCMS #Zealience #RiskManagement #EN40000 #Vulnerability
-
Zealience RED & CRA Cybersecurity Compliance reposted this
📧 We warmly invite you to the next VDE Infotag "Digitale Sicherheit – Jetzt wird es ernst" (Digital Security – Now It Gets Serious). In compact talks, our VDE experts, together with guest speakers from the DKE (German Commission for Electrical, Electronic & Information Technologies), CMS Hasche Sigle, NTT DATA Deutschland SE and Zealience RED & CRA Cybersecurity Compliance, will bring you up to date on highly topical subjects such as the EU Cyber Resilience Act (CRA) and artificial intelligence.
📅 10 June 2026, 9:00 – 16:30
📍 Stadion am Bieberer Berg, Offenbach am Main
Take a look at the agenda now: https://lnkd.in/di-HAVTT
We look forward to your participation!
-
CRA product security requirements: CEN/CENELEC and Vulnir will provide a deep-dive session covering the current state of prEN 40000-1-4, the CRA horizontal standard (product requirements). This session will explain in detail how the requirements of #EN18031 are being reused in prEN 40000-1-4.

This is a great opportunity for anyone preparing for the #CRA to understand:
1) How the requirements of EN 18031 support the CRA essential requirements.
2) The delta that will need to be addressed later on.

🗓️ Date: 5 March 2026
⏰ Time: 13:00 - 17:00 CET
🔗 Link: https://lnkd.in/dMxBFTfP
-
Zealience RED & CRA Cybersecurity Compliance reposted this
The regulation for RED 3.3 (d), (e) and (f), based on the Delegated Act (EU) 2022/30, has been in force since 1 August. This free VDE webinar will point out the status of the regulation and explain aspects of the cited standards EN 18031-1/-2 and -3. We look forward to your participation in our free online seminar. Register now!
-
How to prepare your products for the CRA today: Apply EN 18031.

Since the publication of the EN 18031 series of standards, we have been strong advocates and kept on highlighting their relevance for the CRA. The European Commission was clear from the beginning: these standards must be developed for the RED DA in a way that they can be reused for the CRA. Yet, many were skeptical about EN 18031.

Today, the relevance of EN 18031 cannot be better underlined than by Ben Kokx, the central figure of the standardization group writing the horizontal standards of the CRA (Convenor of JTC13 / WG9):

"We are also progressing on the security controls catalog document (prEN 40000-1-4) for which we want [...] to have a first mature draft ready for ballot by June, so that the manufacturers can have a useful document early 2027. This work relies on the EN 18031 series of standards for the Radio Equipment Directive which needs to be reworked and augmented for the CRA, but this is also where we have a lot of experience as many WG9 members have been part of the working group that developed the EN 18031 series since 2022."

If you are a manufacturer of connected products trying to cut through the noise and prepare pragmatically and efficiently for the CRA, you can use our software Z-CMS and its CRA gap analysis feature to clearly understand where you stand in terms of:
- Product requirements
- Vulnerability handling requirements
- Information and instructions to the user requirements.

Contact us for a demo! https://zealience.com

#CRA #EN18031 #prEN40000 #Compliance
On my way back from a week of CEN-CENELEC JTC 13/WG 9 meetings. I would like to thank VDMA for being such an excellent host; it was a pleasure to be in Frankfurt.

WG9 would like to have the horizontal standards available on time, which means preferably a year before manufacturers need to comply. All stakeholders need to have a good understanding of what is expected by all parties to be able to declare conformity for most of the products in scope of the CRA, and that before the 11th of December 2027.

With a large number of comments on the security-by-design principles document (prEN 40000-1-2) to both strengthen and weaken requirements, comments to restructure and to remove or add content, we have to make a decision. Do we want a perfect document which can’t be achieved any time soon, as the maturity of the market is too diverse and achieving consensus will take time? Or do we want to create a good enough document and get it out there on time, where some might argue the requirements or assessment criteria are too high level, but still providing the necessary quality, which will allow manufacturers to implement these requirements at an adequate level? Then manufacturers, market surveillance authorities, test labs, notified bodies, the European Commission and us as standardizers can all learn from the first implementations and improve requirements and assessment criteria in the next revision of the standard.

WG9 decided to take the latter “good is good enough” approach and will further consult with the European Commission, CCMC and JTC13 on the way forward. Soon we will also have to apply this principle on the vulnerability handling document (prEN 40000-1-3) that is nearing the end of ballot in the beginning of March, although for this harmonized horizontal standard we want to achieve citation for a presumption of conformity, so deferring comments to a 2nd edition might not always be feasible.

In the meantime, we are also progressing on the security controls catalog document (prEN 40000-1-4) for which we want to take the same approach and want to have a first mature draft ready for ballot by June, so that the manufacturers can have a useful document early 2027. This work relies on the EN 18031 series of standards for the Radio Equipment Directive which needs to be reworked and augmented for the CRA, but this is also where we have a lot of experience as many WG9 members have been part of the working group that developed the EN 18031 series since 2022.

For March and April, WG9 scheduled roughly 180 hours of comment resolution meetings and other WG9 meetings, not counting the work on the prEN 40000-1-4, so we will be very busy.

I want to thank all the WG9 experts that joined the sessions either in person or online, and especially the project leads Simon Steendam, Angelo D'Amato & Jens Guballa, secretariat Astrid de Haes & Amerens J. and Steffen Zimmermann as our host.

#JTC13 #CRA #CCMC #VDMA
-
Cyber Resilience Act: September 2026 deadline is approaching — but it’s not as scary as it sounds.

From September 2026, the reporting obligations under Article 14 will be applicable, and we keep hearing the same concern from manufacturers: “Do we really need full vulnerability handling processes in place by then?”

Short answer: No.

There’s a widespread misunderstanding around the Cyber Resilience Act (CRA) — especially around when and what obligations actually apply.

🔍 The confusion
Many assume that all vulnerability handling obligations kick in from September 2026. In reality, this mixes up two different obligations under the CRA:
🔹 Article 14 → Reporting obligations (apply from 11 Sept 2026)
🔹 Article 13 → Vulnerability handling & product requirements (apply from 11 Dec 2027)

🧠 What really applies in September 2026?
Only Article 14 — and it’s event-driven, not a blanket obligation. Manufacturers must report only if they become aware of:
🔹 an actively exploited vulnerability, or
🔹 a severe incident impacting product security
That’s it. No requirement to have full vulnerability management processes running by then.

✅ What you actually need to do (and it’s only administrative):
🔹 Know which EU Member States your products are made available in
🔹 Identify your CSIRT designated as coordinator
🔹 Be ready to report if a qualifying event occurs
Most of the required information can only be generated after an incident happens — so there’s very little to “build” upfront for September 2026.

👉 We’ve written a detailed article breaking all of this down:
🔹 what must be reported
🔹 when reporting is triggered
🔹 who must be notified
🔹 and how manufacturers can prepare without over-engineering it
🔗 Link to article: https://lnkd.in/eQADZJQY
🔗 Infographics: https://lnkd.in/e2bsNxZK

📅 Where the real work lies
The heavy lifting comes later, with Article 13 in December 2027. That’s where comprehensive vulnerability handling and product requirements apply.

To help you prepare, we developed a CRA Gap Analysis feature in Z-CMS. Check it out on our website https://lnkd.in/ezFYv8fe

TL;DR: If September 2026 feels surprisingly manageable — that’s because it is 😊 Understanding the CRA timeline helps avoid unnecessary panic and focus effort where it actually matters.

#CyberResilienceAct #CRA #Cybersecurity #Compliance #EURegulation #Manufacturers
-