If your organisation builds software, manufactures connected hardware, or supplies products with digital components into the EU market, you need to be paying attention to the Cyber Resilience Act. Not from next year. Now.

The EU Cyber Resilience Act (CRA) is moving through its final legislative stages and is expected to enter into force before the end of 2024. When it does, it will introduce binding cybersecurity requirements for products with digital elements — covering everything from consumer IoT devices to enterprise software, from firmware to cloud-connected systems. The fines for non-compliance are substantial: up to €15 million or 2.5% of global annual turnover, whichever is higher.

The question most of our clients are asking right now is a smart one: “We already have ISO 27001. Does that cover us for the CRA?”

The answer is more nuanced than yes or no — and understanding the distinction is the difference between building on what you have and discovering you have a significant gap.

What the CRA Actually Requires

The CRA introduces a fundamentally different type of obligation from what most compliance frameworks address. Where ISO 27001 certifies that an organisation manages information security systematically, the CRA requires that individual products meet specific cybersecurity requirements before they can be placed on the EU market.

Key CRA requirements include:

These are product-level obligations. They apply to your product, not just your organisation. ISO 27001, which governs your organisation’s information security management system, is a necessary but not sufficient foundation for CRA compliance.

Where ISO 27001:2022 Supports CRA Readiness

The relationship between ISO 27001:2022 and the CRA is not one of overlap — it is one of complementarity. Your ISMS provides the organisational infrastructure that makes CRA compliance achievable. Specifically:

Secure development (A.8.25, A.8.28, A.8.29). ISO 27001:2022 introduced controls for secure development lifecycle, secure coding principles, and security testing in development and acceptance. These controls directly address the CRA’s security-by-design requirements. If your ISMS includes these controls with genuine implementation evidence, you have a substantial head start on the development security requirements the CRA imposes.

Vulnerability management (A.8.8). ISO 27001:2022’s control for management of technical vulnerabilities aligns closely with the CRA’s requirements for vulnerability handling and disclosure. A mature, evidenced vulnerability management process under your ISMS is directly transferable as CRA evidence.

Supplier and supply chain security (A.5.19–A.5.22). The CRA requires organisations to manage the security of software components sourced from third parties, including open-source. ISO 27001’s supplier relationship controls provide a framework for documenting and managing those relationships.

Incident response (A.5.24–A.5.28). The CRA’s 24-hour reporting obligation for actively exploited vulnerabilities requires a functioning incident response process that can identify and escalate security events quickly. Your ISMS’s incident management controls are the foundation for this.

Risk management. The CRA requires product-level risk assessments. ISO 27001’s risk assessment methodology — though focused on organisational information assets — provides a documented, systematic approach to risk identification and treatment that can be adapted to product-level assessment.

Where ISO 27001 Does Not Cover You

Being clear about this is important. ISO 27001 certification does not:

To achieve CRA compliance, you will need to work through the conformity assessment pathway appropriate to your product’s risk class, produce the required technical documentation, and establish the product-level processes the CRA mandates — even if your organisational ISMS is already mature.

The Strategic Play: Build the Foundation Now

The organisations that will navigate CRA compliance most efficiently are the ones that have already invested in a current, maintained ISO 27001:2022 ISMS. They are not starting from zero on risk management methodology, secure development practice, vulnerability handling, or incident response. They are extending an existing framework, not building one from scratch under regulatory deadline pressure.

If your ISO 27001 ISMS is not current — still referencing the 2013 standard, with controls that have not been updated to cover the new Annex A requirements — the CRA deadline is additional motivation to close that gap now.

The transition deadline for ISO 27001 (October 2025) and the CRA compliance timeline are converging. Companies that address both together will be in a significantly stronger position than those that treat them as separate workstreams.

At Bitsecura, we are helping clients understand the relationship between their ISO 27001 ISMS and their CRA obligations — what transfers, what needs to be built, and what the most efficient path looks like for their specific product and organisational context. It starts with a conversation, not a proposal.

If you want to understand exactly where ISO 27001 takes you — and where CRA requires something more — get in touch here. No strings attached.


Bitsecura provides ISO 27001 implementation, internal audit, and ISMS maintenance services. Learn more about our ISO 27001 services.