CRA Concierge — Sept 2026 Readiness
Article 14 reporting workflows for EU manufacturers. 24h/72h/14d playbooks, CSIRT coordination, ENISA submission prep — built for your product portfolio in 1–4 weeks.
CRA Article 14 reporting obligations take effect September 2026. Your incident notification workflows must be operational — not planned, not drafted, but tested and running.
Most EU manufacturers can't report in 24 hours
CRA Article 14 demands incident notification within 24 hours, substantial incident reporting within 72 hours, and significant incident reporting within 14 days. Most organizations don't have the procedures, tools, or team training to meet these windows.
Initial Notification
Report to your national CSIRT within 24 hours of becoming aware of an actively exploited vulnerability or incident.
Substantial Incident
Detailed report including impact assessment, affected products, and remediation status within 72 hours.
Significant Incident
Final comprehensive report to CSIRT and ENISA within 14 days. Includes root cause analysis and preventive measures.
Three tiers. Fixed pricing. No ambiguity.
Start with an Audit to baseline your readiness, move to Setup for a complete reporting playbook, or engage Managed for ongoing compliance.
Audit
CRA readiness assessment against Article 14 requirements. We identify gaps in your incident reporting capability and deliver a prioritized remediation plan.
- ✓ resiliently.ai risk framework assessment
- ✓ Article 14 gap analysis
- ✓ Prioritized remediation roadmap
- ✓ Executive summary for leadership
Timeline: 1 week
Setup
Full 24h/72h/14d reporting playbook tailored to your product portfolio. We configure workflows in your tooling and run a tabletop exercise with your team.
- ✓ Custom 24h/72h/14d incident playbook
- ✓ Workflow configuration in Jira, PagerDuty, or your tooling
- ✓ EUVD vulnerability data integration
- ✓ CSIRT contact matrix and escalation paths
- ✓ Tabletop exercise with your incident response team
- ✓ ENISA submission template pre-configured
Timeline: 2–4 weeks · Audit fee credited toward Setup
Managed
Ongoing compliance monitoring, quarterly playbook reviews, and CSIRT liaison support. Your CRA reporting stays current as regulations evolve.
- ✓ reconX vulnerability monitoring feed
- ✓ Policy decoder for new CRA regulations
- ✓ Quarterly playbook review and update
- ✓ CSIRT liaison support
- ✓ Monthly compliance digest
Timeline: Ongoing · 3-month minimum · Requires completed Setup
Recommended path
Start with Audit (1 week) → review findings with leadership → proceed to Setup (2–4 weeks) → optionally engage Managed for ongoing compliance. Audit fee is credited toward Setup when you upgrade.
Download before you decide
No email required. Download our CRA reporting templates and use them regardless of whether you engage our services.
CRA Reporting Playbook Template
Complete 24h/72h/14d incident notification procedures covering Article 14.1, 14.2, and 14.3. Includes CSIRT contact matrix and ENISA submission checklist.
View Playbook24h Escalation Decision Diagram
Visual flowchart for severity triage and escalation paths: internal team → CSIRT → ENISA. Decision points for 24h vs 72h vs 14d reporting windows.
View DiagramFrom discovery call to operational playbook
Discovery call
30-minute call to understand your product portfolio, current incident response maturity, and CRA exposure. Free — no obligation.
Audit (if starting here)
We run the resiliently.ai risk assessment against your current processes. One week later you receive a gap analysis and remediation roadmap.
Playbook build
We build your tailored 24h/72h/14d reporting playbook, configure workflows in your tooling, and prepare CSIRT escalation paths.
Tabletop exercise
We run a simulated incident with your team to test the playbook end-to-end. Identify weak points before a real incident forces you to find them.
Operational handoff
Your team takes ownership of the playbook and workflows. Optionally engage Managed tier for ongoing monitoring, policy updates, and CSIRT liaison.
CRA Concierge vs. building internally
| Approach | Cost | Timeline |
|---|---|---|
| Internal build CISO + legal + engineering allocating time over months | €40,000+ opportunity cost | 3–6 months |
| Big-4 consultancy Retainer with billable hours, scope creep, multi-quarter engagement | €50,000–100,000 + ongoing retainer | 4–8 months |
| CRA Concierge Setup Fixed price. Tested playbook. Operational in weeks. | €15,000 fixed — no scope creep | 2–4 weeks |
Frequently Asked Questions
What is the EU Cyber Resilience Act (CRA) Article 14?
Article 14 of the Cyber Resilience Act requires manufacturers of products with digital elements to report actively exploited vulnerabilities and incidents to their national CSIRT and ENISA within defined timeframes: 24 hours for initial notification, 72 hours for substantial incidents, and 14 days for significant incidents. It takes effect September 2026.
Who does the CRA apply to?
The CRA applies to any manufacturer placing products with digital elements on the EU market. This includes hardware with firmware, IoT devices, industrial control systems, connected consumer products, and software sold in the EU. If your product has a software component or network connectivity, it likely falls under CRA obligations.
What does the Audit tier deliver?
The Audit tier delivers a CRA readiness assessment using the resiliently.ai risk framework. We evaluate your current incident reporting capability against Article 14 requirements, identify gaps in your 24h/72h/14d notification procedures, and produce a prioritized remediation plan. Timeline: one week.
What does the Setup tier include?
The Setup tier builds a tailored 24h/72h/14d reporting playbook for your product portfolio, configures workflows in your existing tooling (Jira, PagerDuty, Opsgenie, or similar), integrates EUVD vulnerability data, and runs a tabletop exercise with your team. Timeline: two to four weeks.
Is the Managed tier required?
No. The Managed tier is optional ongoing support for organizations that want continuous compliance monitoring, quarterly playbook reviews, CSIRT liaison support, and policy updates as CRA regulations evolve. It requires a completed Setup engagement and a three-month minimum commitment.
Can we start with Audit and upgrade to Setup later?
Yes. The Audit tier is designed as a natural entry point. If the gap analysis reveals significant work needed, the Audit fee is credited toward the Setup engagement. Most clients start with Audit, review the findings with their leadership, then proceed to Setup within 30 days.
What tools do you integrate with?
We integrate with your existing incident management and project tooling — Jira, PagerDuty, Opsgenie, ServiceNow, GitLab, and similar platforms. We also connect reconX vulnerability monitoring and resiliently.ai risk assessment. We don't force a tool change; we build workflows in what your team already uses.
Let's find the deploy.
30 minutes. No pitch. We'll scope one workflow and show you where AI runs inside your business.