
Cyber Resilience Act (CRA)

FORTEIA helps organizations operationalize Cyber Resilience Act readiness by embedding cybersecurity governance, secure-by-design engineering, vulnerability management, supplier assurance, and conformity readiness across the product lifecycle.

FORTEIA delivers six integrated Cyber Resilience Act readiness services spanning secure product governance, secure-by-design development, vulnerability management, conformity readiness, supplier assurance, and post-market cybersecurity obligations — each designed to produce practical, evidence-backed, and regulation-aligned outcomes.

  • CRA Readiness Assessment & Product Scoping

    Who is this for?
    This service is for manufacturers, importers, distributors, and technology providers placing products with digital elements on the EU market. It is especially relevant for hardware manufacturers, software vendors, IoT device makers, industrial equipment providers, and SaaS companies whose products fall within CRA scope.

    What does this enable?
    This service enables organizations to understand their CRA obligations, determine which products are in scope, assess their current cybersecurity posture, identify compliance gaps, and build a structured readiness roadmap aligned with CRA essential requirements.

    How does FORTEIA support?
    FORTEIA supports CRA readiness by reviewing product portfolios, classifying products by CRA risk category, assessing cybersecurity controls against CRA essential requirements, identifying documentation gaps, and producing a prioritized compliance roadmap with practical implementation guidance.

    What will customers receive?
    CRA product scoping analysis, CRA readiness gap assessment, product risk classification, compliance gap register, prioritized remediation roadmap, executive readiness summary, and practical implementation recommendations.

    Example scenarios
    A hardware manufacturer needs to understand which products require CRA conformity assessment. A software vendor wants to know if their products fall under CRA scope. A technology company needs a structured gap assessment before CRA enforcement. Leadership wants to understand CRA exposure across a product portfolio. A product team needs a compliance roadmap before a planned EU market launch.

  • Secure-by-Design Product Security

    Who is this for?
    This service is for product engineering teams, development organizations, and security architects responsible for embedding cybersecurity into product design, development, and release processes. It is relevant for hardware manufacturers, embedded systems teams, software product companies, and IoT device developers.

    What does this enable?
    This service enables organizations to embed security into product design and development from the earliest stages, reducing vulnerability exposure, supporting CRA essential requirements, and building a defensible record of cybersecurity due diligence across the product lifecycle.

    How does FORTEIA support?
    FORTEIA supports secure-by-design implementation by reviewing product architecture, conducting threat modelling, assessing secure development lifecycle practices, identifying design-level security gaps, recommending security controls aligned with CRA requirements, and supporting teams in adopting security-first engineering practices.

    What will customers receive?
    Secure-by-design assessment, product threat model, secure development lifecycle recommendations, security control mapping to CRA requirements, design-level risk register, and practical guidance for engineering and product teams.

    Example scenarios
    A product team wants to embed security into a new hardware product before release. A software company needs to assess its secure development lifecycle against CRA requirements. An IoT manufacturer wants to reduce attack surface across a device family. A development organization wants a structured threat model for a connected product. Engineering leadership needs evidence of secure-by-design practices for a conformity assessment.

  • Vulnerability Management & Incident Reporting

    Who is this for?
    This service is for manufacturers and technology providers that need to establish or mature their vulnerability handling processes in line with CRA obligations. It is relevant for product security teams, PSIRT functions, engineering organizations, and compliance teams responsible for vulnerability disclosure and incident reporting.

    What does this enable?
    This service enables organizations to build structured, repeatable, and regulation-aligned vulnerability management and incident reporting capabilities that satisfy CRA obligations for coordinated vulnerability disclosure, security update delivery, and authority notification requirements.

    How does FORTEIA support?
    FORTEIA supports vulnerability management and incident reporting by assessing existing processes, designing vulnerability handling workflows, defining disclosure policies, establishing security update procedures, mapping CRA notification obligations, and supporting the implementation of coordinated vulnerability disclosure programmes.

    What will customers receive?
    Vulnerability management process assessment, vulnerability handling policy, coordinated disclosure programme design, CRA notification obligation mapping, security update procedure, incident reporting workflow, and implementation recommendations for product security teams.

    Example scenarios
    A manufacturer needs to establish a PSIRT function aligned with CRA requirements. A software company needs a coordinated vulnerability disclosure programme. A product organization needs to define security update delivery obligations. A technology provider needs to map its incident reporting obligations to CRA timelines. An engineering team needs structured vulnerability handling procedures before product launch.

  • Supplier Assurance & Third-Party Component Risk

    Who is this for?
    This service is for manufacturers and product organizations that rely on third-party software components, open-source libraries, hardware sub-assemblies, or supplier-provided modules. It is relevant for product security teams, procurement functions, engineering organizations, and vendor risk management teams.

    What does this enable?
    This service enables organizations to assess, monitor, and manage cybersecurity risks introduced by third-party components and suppliers, supporting CRA obligations around due diligence, software bill of materials, and supply chain security.

    How does FORTEIA support?
    FORTEIA supports supplier assurance and third-party component risk by reviewing supply chain security practices, assessing third-party component risk, supporting software bill of materials development, defining supplier security requirements, establishing vendor assessment frameworks, and mapping CRA due diligence obligations across the supply chain.

    What will customers receive?
    Supply chain security assessment, software bill of materials guidance, third-party component risk register, supplier security requirements framework, vendor assessment checklist, CRA due diligence mapping, and recommendations for supply chain risk governance.

    Example scenarios
    A manufacturer needs to assess cybersecurity risks in third-party hardware components. A software company needs a software bill of materials process aligned with CRA expectations. A product organization wants to establish supplier security requirements. A technology provider needs to assess open-source component risk across a product line. A procurement team wants a structured vendor assessment framework for CRA compliance.

  • Conformity Readiness & Technical Documentation

    Who is this for?
    This service is for manufacturers and technology providers preparing for CRA conformity assessment, CE marking obligations, and technical documentation requirements. It is relevant for regulatory affairs teams, product compliance functions, engineering leadership, and organizations approaching notified body assessments.

    What does this enable?
    This service enables organizations to produce the technical documentation, evidence packages, and governance records required to demonstrate CRA conformity, support CE marking, and prepare for internal or third-party conformity assessment activities.

    How does FORTEIA support?
    FORTEIA supports conformity readiness by reviewing CRA documentation obligations, assessing evidence gaps, structuring technical documentation packages, supporting declaration of conformity preparation, mapping controls to CRA essential requirements, and preparing organizations for notified body or market surveillance authority interactions.

    What will customers receive?
    CRA conformity readiness assessment, technical documentation structure, evidence gap analysis, control-to-requirement mapping, declaration of conformity preparation support, notified body readiness review, and recommendations for documentation governance.

    Example scenarios
    A manufacturer needs to prepare technical documentation for a CRA conformity assessment. A product company needs to understand what evidence is required to support CE marking. An organization wants to assess readiness before a notified body review. A regulatory affairs team needs a structured documentation framework aligned with CRA requirements. A compliance function needs to map existing controls to CRA essential requirements.

  • Post-Market Cybersecurity Obligations

    Who is this for?
    This service is for manufacturers and technology providers with ongoing obligations to monitor, maintain, and report on the cybersecurity of products already placed on the EU market. It is relevant for product security teams, compliance functions, engineering organizations, and leadership teams responsible for post-market product governance.

    What does this enable?
    This service enables organizations to establish structured post-market surveillance programmes, maintain ongoing cybersecurity compliance across deployed products, and fulfil CRA obligations for monitoring, security updates, vulnerability handling, and authority reporting throughout the product support lifecycle.

    How does FORTEIA support?
    FORTEIA supports post-market cybersecurity obligations by reviewing existing post-market practices, designing monitoring and surveillance frameworks, establishing security update and patch management processes, defining support lifecycle policies, mapping CRA post-market reporting obligations, and supporting teams in building sustainable long-term compliance programmes.

    What will customers receive?
    Post-market surveillance framework, security update and patch management process, product support lifecycle policy, CRA post-market obligation mapping, monitoring and reporting procedures, and recommendations for sustainable post-market cybersecurity governance.

    Example scenarios
    A manufacturer needs to establish post-market surveillance for products already in the EU market. A software company needs to define its security update delivery obligations under CRA. A product organization wants to build a structured support lifecycle policy. A technology provider needs to map its ongoing reporting obligations to CRA requirements. A compliance team needs a framework for monitoring deployed products against emerging vulnerabilities.

FORTEIA combines cybersecurity governance, secure-by-design product security, vulnerability management, supplier assurance, and conformity readiness to help manufacturers and technology providers build practical, defensible, and market-ready Cyber Resilience Act compliance.


Speak to our expert and get a free consultation.
