← Services Compliance

CRA Concierge — Sept 2026 Readiness

Article 14 reporting workflows for EU manufacturers. 24h/72h/14d playbooks, CSIRT coordination, ENISA submission prep — built for your product portfolio in 1–4 weeks.

Regulatory Deadline

CRA Article 14 reporting obligations take effect September 2026. Your incident notification workflows must be operational — not planned, not drafted, but tested and running.

Sept 2026 CRA enforcement begins
The gap

Most EU manufacturers can't report in 24 hours

CRA Article 14 demands incident notification within 24 hours, substantial incident reporting within 72 hours, and significant incident reporting within 14 days. Most organizations don't have the procedures, tools, or team training to meet these windows.

24h

Initial Notification

Report to your national CSIRT within 24 hours of becoming aware of an actively exploited vulnerability or incident.

72h

Substantial Incident

Detailed report including impact assessment, affected products, and remediation status within 72 hours.

14d

Significant Incident

Final comprehensive report to CSIRT and ENISA within 14 days. Includes root cause analysis and preventive measures.

Service tiers

Three tiers. Fixed pricing. No ambiguity.

Start with an Audit to baseline your readiness, move to Setup for a complete reporting playbook, or engage Managed for ongoing compliance.

Tier 1

Audit

CRA readiness assessment against Article 14 requirements. We identify gaps in your incident reporting capability and deliver a prioritized remediation plan.

  • resiliently.ai risk framework assessment
  • Article 14 gap analysis
  • Prioritized remediation roadmap
  • Executive summary for leadership

Timeline: 1 week

€2,500 one-time
Tier 2

Setup

Full 24h/72h/14d reporting playbook tailored to your product portfolio. We configure workflows in your tooling and run a tabletop exercise with your team.

  • Custom 24h/72h/14d incident playbook
  • Workflow configuration in Jira, PagerDuty, or your tooling
  • EUVD vulnerability data integration
  • CSIRT contact matrix and escalation paths
  • Tabletop exercise with your incident response team
  • ENISA submission template pre-configured

Timeline: 2–4 weeks · Audit fee credited toward Setup

€15,000 one-time
Tier 3

Managed

Ongoing compliance monitoring, quarterly playbook reviews, and CSIRT liaison support. Your CRA reporting stays current as regulations evolve.

  • reconX vulnerability monitoring feed
  • Policy decoder for new CRA regulations
  • Quarterly playbook review and update
  • CSIRT liaison support
  • Monthly compliance digest

Timeline: Ongoing · 3-month minimum · Requires completed Setup

€3,000 /mo

Recommended path

Start with Audit (1 week) → review findings with leadership → proceed to Setup (2–4 weeks) → optionally engage Managed for ongoing compliance. Audit fee is credited toward Setup when you upgrade.

Free resources

Download before you decide

No email required. Download our CRA reporting templates and use them regardless of whether you engage our services.

Template

CRA Reporting Playbook Template

Complete 24h/72h/14d incident notification procedures covering Article 14.1, 14.2, and 14.3. Includes CSIRT contact matrix and ENISA submission checklist.

View Playbook
Diagram

24h Escalation Decision Diagram

Visual flowchart for severity triage and escalation paths: internal team → CSIRT → ENISA. Decision points for 24h vs 72h vs 14d reporting windows.

View Diagram
How it works

From discovery call to operational playbook

01

Discovery call

30-minute call to understand your product portfolio, current incident response maturity, and CRA exposure. Free — no obligation.

02

Audit (if starting here)

We run the resiliently.ai risk assessment against your current processes. One week later you receive a gap analysis and remediation roadmap.

03

Playbook build

We build your tailored 24h/72h/14d reporting playbook, configure workflows in your tooling, and prepare CSIRT escalation paths.

04

Tabletop exercise

We run a simulated incident with your team to test the playbook end-to-end. Identify weak points before a real incident forces you to find them.

05

Operational handoff

Your team takes ownership of the playbook and workflows. Optionally engage Managed tier for ongoing monitoring, policy updates, and CSIRT liaison.

Cost comparison

CRA Concierge vs. building internally

Approach Cost Timeline
Internal build CISO + legal + engineering allocating time over months €40,000+ opportunity cost 3–6 months
Big-4 consultancy Retainer with billable hours, scope creep, multi-quarter engagement €50,000–100,000 + ongoing retainer 4–8 months
CRA Concierge Setup Fixed price. Tested playbook. Operational in weeks. €15,000 fixed — no scope creep 2–4 weeks
FAQ

Frequently Asked Questions

What is the EU Cyber Resilience Act (CRA) Article 14?

Article 14 of the Cyber Resilience Act requires manufacturers of products with digital elements to report actively exploited vulnerabilities and incidents to their national CSIRT and ENISA within defined timeframes: 24 hours for initial notification, 72 hours for substantial incidents, and 14 days for significant incidents. It takes effect September 2026.

Who does the CRA apply to?

The CRA applies to any manufacturer placing products with digital elements on the EU market. This includes hardware with firmware, IoT devices, industrial control systems, connected consumer products, and software sold in the EU. If your product has a software component or network connectivity, it likely falls under CRA obligations.

What does the Audit tier deliver?

The Audit tier delivers a CRA readiness assessment using the resiliently.ai risk framework. We evaluate your current incident reporting capability against Article 14 requirements, identify gaps in your 24h/72h/14d notification procedures, and produce a prioritized remediation plan. Timeline: one week.

What does the Setup tier include?

The Setup tier builds a tailored 24h/72h/14d reporting playbook for your product portfolio, configures workflows in your existing tooling (Jira, PagerDuty, Opsgenie, or similar), integrates EUVD vulnerability data, and runs a tabletop exercise with your team. Timeline: two to four weeks.

Is the Managed tier required?

No. The Managed tier is optional ongoing support for organizations that want continuous compliance monitoring, quarterly playbook reviews, CSIRT liaison support, and policy updates as CRA regulations evolve. It requires a completed Setup engagement and a three-month minimum commitment.

Can we start with Audit and upgrade to Setup later?

Yes. The Audit tier is designed as a natural entry point. If the gap analysis reveals significant work needed, the Audit fee is credited toward the Setup engagement. Most clients start with Audit, review the findings with their leadership, then proceed to Setup within 30 days.

What tools do you integrate with?

We integrate with your existing incident management and project tooling — Jira, PagerDuty, Opsgenie, ServiceNow, GitLab, and similar platforms. We also connect reconX vulnerability monitoring and resiliently.ai risk assessment. We don't force a tool change; we build workflows in what your team already uses.

Free Deployment Audit

Let's find the deploy.

30 minutes. No pitch. We'll scope one workflow and show you where AI runs inside your business.

© 2026 dbrd. All rights reserved.