How to choose a CRA compliance partner before you sign
Most CRA offerings produce paperwork, not fixed devices. Here is what to ask before hiring a consultant, auditor, or compliance platform.
Search "CRA compliance partner" and you will find law firms, big-four consultancies, boutique cybersecurity auditors, and software platforms, all using nearly identical language. Most of that language describes the same deliverable: a document confirming your product meets the requirements on the day it was reviewed. Very little of it addresses what happens on day two, when a new vulnerability is disclosed against a component you shipped six months ago.
TL;DR: The most useful question when evaluating a CRA compliance partner is not "can you produce a compliant document" but "can you tell me, today, whether any device I have already shipped is affected by an actively exploited vulnerability, and can you get a fix to it." Most audit-focused offerings answer the first question well and the second not at all.
How do I choose a CRA compliance consultant or partner?
Start from the operational reality of the regulation rather than the sales pitch. The CRA requires an SBOM, ongoing vulnerability monitoring, security updates through the support period, and a 24-hour reporting obligation once a product is actively exploited, all of which continue after launch, not just at the point of assessment. A useful partner needs to do more than confirm your product met the bar once; they need to help you stay compliant as your fleet ages and new vulnerabilities surface, the same capabilities our CRA readiness checklist walks through. Ask concretely: do they map real CVEs to your actual shipped inventory? Can they get a fix built and deployed to devices already in customers' hands? Do they operationally handle the 24-hour reporting clock rather than just explaining that it exists?
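To make that day-two question concrete, here is an added example (not Scadable's code and not from the original article) that matches a constructed per-device SBOM against a constructed advisory list with placeholder ids, returns every shipped device carrying an affected component version, filters to the hits that are flagged as actively exploited, and computes the 24-hour reporting deadline from the time of observation. Device names, component names, versions and advisory ids are all assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed fleet inventory: device model -> {component: shipped version}.
# Real data would come from the SBOM generated for each firmware build.
FLEET = {
    "gateway-v1": {"libfoo": "1.2.3", "tls-lib": "3.0.1"},
    "gateway-v2": {"libfoo": "1.4.0", "tls-lib": "3.0.1"},
    "sensor-a":   {"tls-lib": "2.9.8"},
}

# Constructed advisories with placeholder ids (not real CVEs):
# (advisory id, component, first affected version, fixed version, actively exploited?)
ADVISORIES = [
    ("ADV-PLACEHOLDER-1", "libfoo",  "1.0.0", "1.3.0", True),
    ("ADV-PLACEHOLDER-2", "tls-lib", "3.0.0", "3.0.2", False),
]

def parse_version(version):
    # Dotted numeric versions only; compares as a tuple of integers.
    return tuple(int(part) for part in version.split("."))

def is_affected(version, introduced, fixed):
    # Affected if introduced <= version < fixed (the fixed version is clean).
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def affected_devices(fleet, advisories):
    # Cross every shipped device's SBOM with every advisory; one hit per match.
    hits = []
    for device, sbom in fleet.items():
        for adv_id, component, introduced, fixed, exploited in advisories:
            if component in sbom and is_affected(sbom[component], introduced, fixed):
                hits.append({"device": device, "advisory": adv_id,
                             "component": component, "version": sbom[component],
                             "exploited": exploited})
    return hits

def exploited_hits(hits):
    # The subset that starts the 24-hour reporting clock.
    return [hit for hit in hits if hit["exploited"]]

def report_deadline(observed_at_iso):
    # Deadline is 24 hours after the exploitation was observed (ISO 8601 in/out).
    observed = datetime.fromisoformat(observed_at_iso)
    return (observed + timedelta(hours=24)).isoformat()

if __name__ == "__main__":
    hits = affected_devices(FLEET, ADVISORIES)
    for hit in exploited_hits(hits):
        print(hit["device"], hit["advisory"], report_deadline("2026-01-01T10:00:00+00:00"))
```

Running it shows gateway-v1 as the only device with an actively exploited component, which is exactly the list a partner should be able to produce on request.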
Do I need a notified body, a compliance platform, or both?
This depends on your product's risk classification. Default-class products (the majority of consumer and light commercial IoT) can be self-assessed, so no notified body is legally required, but you still need the operational capability (SBOM, monitoring, patching) to actually meet the requirements you are self-attesting to. Important and critical class products require third-party assessment through a notified body for the formal conformity step, and in practice still benefit from ongoing tooling to manage the SBOM and reporting workload that the assessment itself does not perform. See our self-assessment versus notified body guide for how that classification boundary is drawn.
What is the real difference between a one-time audit and continuous compliance?
A one-time audit is a snapshot: on the date of review, your product met the essential requirements. That snapshot has real value for the conformity assessment itself. But the CRA's obligations (monitoring for new vulnerabilities, shipping updates, meeting the 24-hour reporting window when something is actively exploited) are ongoing by design and do not stop the day the audit report is signed. A partner whose engagement ends at the audit report leaves you to build the continuous monitoring and patching capability yourself, which is a substantial undertaking most teams underestimate the first time.
What should I specifically ask about legacy and fielded devices?
Ask directly whether the partner's process covers devices you have already shipped, not only new products still in development. This is the single biggest gap in many audit- and certification-focused offerings: they are built around helping a new product pass its initial assessment, and have little to say about a fleet of devices already in the field, some without an update mechanism, some running firmware nobody on the current team fully remembers. If your company has a meaningful install base from prior product generations, this question alone will eliminate a large share of the market.
What questions separate a real answer from a sales answer?
Ask for specifics, not assurances. "Can you show me, concretely, how a new CVE disclosure turns into a patched device in our fleet" is a better question than "do you handle vulnerability management." "What does your 24-hour reporting workflow actually look like, who is notified and how" is better than "we help with CRA reporting." Vague answers to specific operational questions are the clearest signal that an offering is built around the assessment paperwork rather than the ongoing obligation.
When is hiring a compliance partner not worth it?
If you have a single, low-risk product with no significant fielded install base and you need a one-time paperwork exercise to support a conformity assessment, a notified body or a compliance-focused law firm engagement alone may genuinely be simpler and cheaper than an ongoing platform. Ongoing tooling earns its cost specifically when you have multiple product generations, a real fielded install base to maintain, or the 24-hour reporting obligation to operationalise, which is most companies with an established connected product line, but not every one.
How does supply chain due diligence factor into partner selection?
A capable partner should also help you extend visibility into components you did not build yourself (chips, licensed modules, open-source packages), since your compliance exposure includes all of it. See our supply chain and vendor requirements guide for the specific questions worth asking any vendor, including a compliance partner evaluating your own supply chain.
Where Scadable fits
Scadable is built specifically for the continuous side of this problem: it maps every device, deployment, and component you have shipped, past and present, to the vulnerabilities that affect them, flags what is actively exploited, writes and backports the fix to fielded devices, opens the pull request, and files the 24-hour report inside the window. It is not a one-time audit product. If you are evaluating options and want to compare against what an operational, ongoing approach actually looks like, book a walkthrough.
Last reviewed: July 1, 2026.
Frequently asked questions
How do I choose a CRA compliance consultant or partner? Evaluate whether they map real vulnerabilities to your actual fleet, whether they can get a fix onto devices already in the field, and whether they operationally handle the 24-hour reporting clock, not just whether they can produce a compliance document.
Do I need a notified body or a compliance platform, or both? It depends on your product class. Default-class products can self-assess and typically need ongoing tooling rather than a notified body. Important and critical class products need a notified body for the formal assessment, and usually still benefit from tooling to manage the operational side (SBOM, monitoring, and reporting) that the assessment alone does not cover.
What is the difference between a one-time audit and continuous compliance? A one-time audit produces a snapshot: your product met the requirements on the day it was assessed. Continuous compliance means an active SBOM, live vulnerability monitoring, and a working patch pipeline that keeps the product compliant as new vulnerabilities are disclosed after launch.
What should I ask a CRA compliance partner about legacy or fielded devices? Ask specifically whether their process covers devices already shipped and in customers' hands, not just new products in development. Many audit-focused offerings are scoped to new product certification and have no answer for a fleet of devices already in the field.
When is a compliance partner not worth it? If you only need a one-time paperwork audit for a single low-risk product with no fielded install base to maintain, a notified body or a compliance-focused law firm engagement alone may be simpler and cheaper than an ongoing platform. Ongoing tooling earns its cost when you have multiple product generations, fielded devices, or the reporting obligation to operationalise.
