ei3 and OMAC release guide on EU CRA Act compliance best practices

Cyber attacks pose a significant threat to businesses, with projected damages reaching $10.5 trillion USD annually by 2025. The European Commission has responded with the Cyber Resilience Act (CRA), requiring compliance for all digital products sold in EU markets. Non-compliance penalties are severe, with fines up to 15,000,000 EUR or 2.5% of total annual turnover. To assist business leaders in navigating CRA compliance and mitigating associated risks, Adam Griffen, ei3’s Product Manager, led OMAC’s EU-CRA task force in collaboration with 18 industry experts to deliver an insightful executive report 

Through conducting thorough discussions and surveys, they offer practical insights and up-to-date information on various aspects of the CRA. Their collective expertise delves into critical areas such as the legislative progress and potential enactment timeline of the CRA, industries and entities affected by the CRA, guidelines on designing products for cybersecurity, establishing best practices, etc – ensuring organizations safeguard their products and customers.

EU CRA Compliance Report

About the CRA Act Guide Document & Task Force


Essential Message

Sheds light on the rising threat of cyber attacks globally, which has resulted in the EU establishing the CRA with significant penalties for non-compliance.

CRA Executive Summary 

Outlines the CRA Act, highlighting how it applies to all products with digital elements, with set minimum security requirements and vulnerability handling procedures.

Current Status of the Legislation

Provides the latest information on the progress and potential enactment timeline of the CRA, ensuring businesses stay informed and prepared for compliance.

Businesses Impacted by the CRA

Highlights how compliance responsibilities extend throughout the product lifecycle, involving various economic operators in the supply chain, including the Manufacturer, Importer, Authorized Representative, and Distributor.

Security Properties of Products with Digital Elements

Provides insights into the design requirements for products to achieve an appropriate level of cybersecurity and emphasizes the importance of manufacturers in consistently updating documentation and delivering security updates.

Security Vulnerability Handling Procedures

Breaks down how manufacturers must promptly report security vulnerabilities to ENISA and provide necessary documentation, including a Software Bill of Materials (SWBOM).

Compliance Evidence and Certification Procedures

Describes the process of proving EU-CRA compliance and outlines what it entails, including providing evidence of adherence to product lifecycle and vulnerability handling processes.

Good Practices and Practical Guidance

Offers information on practical best practices for businesses as a whole, as well as product-specific insights for effective compliance and cyber resilience.


This task force draws upon a diverse range of industry expertise, offering insights from machine builders, technology providers, system integrators, and end users. Participating organizations include:

  • Global OEM’s such as ID Technology, ProMach, Markem-Imaje, Rychiger Group, Mettler-Toledo
  • Leading Manufacturing Companies such as Corning, P&G, and Arla Foods
  • System Integrators like MartinCSI
  • Technology Companies like ei3 Corporation, Mitsubishi Electric, Cisco, Domino Printing Sciences, Siemens, and Rockwell Automation, and
  • Industry Associations like PMMI

Member Experiences

ei3 actively works with industry groups to encourage the use of the Industrial Internet of Things (IIoT) and Artificial Intelligence (AI) to meet the growth and sustainability challenges of the 21st century.