Cyber Resilience Act Compliance: 6 Companies compared
Companies that help manufacturers comply with the EU Cyber Resilience Act (Regulation 2024/2847), the mandatory cybersecurity rules for products with digital elements sold in the EU. From hands-on embedded engineering consultancies to…
Quick comparison
All cyber resilience act compliance companies side by side, alphabetical. Featured listings are shown first.
| Company | Founded | Engagement | Specialism | Standards / accreditations |
|---|---|---|---|---|
| pi3g (Featured) | 2012 | Consulting + engineering engagements | SME manufacturers of embedded-Linux and IoT products that need hands-on engineering help… | EU Cyber Resilience Act, CE marking |
| Bureau Veritas | 1828 | Consulting + testing + certification | Manufacturers wanting one TIC partner spanning hands-on pen testing, RED/IEC 62443 testin… | EU Cyber Resilience Act, RED, EN 18031 |
| DEKRA | 1925 | Training + evaluation + certification | Manufacturers planning ahead for CRA conformity assessment who want an EUCC-accredited ev… | EU Cyber Resilience Act, EUCC, Common Criteria |
| ONEKEY | 2020 | Platform subscription + advisory | Device manufacturers wanting automated SBOM, vulnerability management, and CRA evidence g… | EU Cyber Resilience Act, IEC 62443, ETSI EN 303 645 |
| SGS | 1878 | Testing + certification + advisory | Manufacturers of higher-assurance digital products (chips, secure elements, payment, embe… | EU Cyber Resilience Act, RED, EN 18031 |
| TUV SUD | 1866 | Assessment + certification + training | Manufacturers needing accredited third-party assessment, RED/EN 18031 testing, and CE-mar… | EU Cyber Resilience Act, RED, EN 18031 |
Bureau Veritas
Cyber Resilience Act Compliance
Manufacturers wanting one TIC partner spanning hands-on pen testing, RED/IEC 62443 testing, and CRA conformity advisory
Bureau Veritas is an 1828-founded testing, inspection, and certification group. Its Bureau Veritas Cybersecurity division (built around the acquired specialist Secura) maps CRA requirements to existing standards and delivers end-to-end compliance, from gap assessment to penetration testing and conformity advisory. Its consumer-products and certification arms run accredited RED cybersecurity testing and CE-marking support across labs in Germany, France, China, and Taiwan.
What people say works
- ✓ Combines a 300+ specialist cybersecurity team (ex-Secura) with large TIC certification infrastructure
- ✓ Accredited for RED certification with multi-region radio and cybersecurity testing labs
- ✓ Recognized certification routes: IECEE for IEC 62443, Common Criteria under NSCIB/EU CC
Common considerations
- ✕ Large global TIC group — engagements skew enterprise and formal
- ✕ No public pricing
- ✕ Offering split across multiple Bureau Veritas entities, which can complicate scoping
DEKRA
Cyber Resilience Act Compliance
Manufacturers planning ahead for CRA conformity assessment who want an EUCC-accredited evaluator and future notified body
DEKRA is the world's largest non-listed testing, inspection, and certification body, with a product-cybersecurity practice covering the full product lifecycle. It provides CRA readiness strategy, training, and turnkey projects, plus evaluation services mapped to harmonized and draft standards. DEKRA is an accredited ITSEF and Certification Body for the EUCC scheme and is set to become a CRA Notified Conformity Assessment Body, with notification beginning June 2026.
What people say works
- ✓ Accredited EUCC ITSEF and Certification Body, directly relevant to CRA higher-assurance routes
- ✓ Prior Notified Body experience under the RED Delegated Act
- ✓ Broad scheme coverage: EUCC, Common Criteria, FIPS 140-3, SESIP, IEC 62443, EN 18031, MDSCERT
Common considerations
- ✕ CRA Notified-Body notification only begins June 2026 — formal CRA conformity certificates not issuable before then
- ✕ Large enterprise TIC firm with formal, certification-led engagements
- ✕ No public pricing
ONEKEY
Cyber Resilience Act Compliance
Device manufacturers wanting automated SBOM, vulnerability management, and CRA evidence generation across the product lifecycle
ONEKEY operates the ONEKEY Product Cybersecurity & Compliance Platform, which performs automated firmware analysis, SBOM generation, vulnerability detection, and zero-day discovery. Its Compliance Wizard maps product evidence against the CRA and other frameworks, and its CRA Fast Start program structures readiness assessment, SBOM creation, vulnerability management, and continuous monitoring. ONEKEY (formerly IoT Inspector) is part of PwC Germany's investment portfolio.
What people say works
- ✓ Automated, platform-driven firmware/binary analysis rather than purely manual consulting
- ✓ Purpose-built CRA Compliance Wizard covering multiple product-security regulations in one tool
- ✓ Strong European product-security positioning, backed by PwC Germany investment
Common considerations
- ✕ Software/platform-led: provides tooling and evidence, not formal conformity assessment or CE certification (not a notified body)
- ✕ No public pricing
- ✕ Technical product analysis focus; legal/organizational process consulting lighter than at full TIC firms
SGS
Cyber Resilience Act Compliance
Manufacturers of higher-assurance digital products (chips, secure elements, payment, embedded) needing lab evaluation and EU type certification
SGS is the world's largest testing, inspection, and certification company. Its cybersecurity arm, SGS Brightsight, runs accredited security-evaluation laboratories (including a facility in Graz, Austria) that assess digital products against CRA requirements and RED cybersecurity standards. SGS develops tailored CRA service packages and operates a Notified Body that can issue EU type certificates for RED Article 3(3) using EN 18031.
What people say works
- ✓ Massive global scale (~99,500 employees; ~2,500 labs/offices in 115 countries)
- ✓ Brightsight is a top-tier security-evaluation lab with deep Common Criteria and high-assurance expertise
- ✓ Notified Body able to issue EU type certificates for RED cybersecurity (EN 18031)
Common considerations
- ✕ Large enterprise TIC firm — formal certification-led engagements, less suited to small or early-stage manufacturers
- ✕ No public pricing
- ✕ Evaluation/certification focus rather than ongoing in-house remediation engineering
TUV SUD
Cyber Resilience Act Compliance
Manufacturers needing accredited third-party assessment, RED/EN 18031 testing, and CE-marking support from an established certification body
TUV SUD is a global testing, inspection, and certification organization with a dedicated CRA practice in its product-testing and cybersecurity divisions. It helps manufacturers interpret CRA obligations, run gap assessments, set up vulnerability management and incident reporting, and obtain third-party assessment for higher-risk products. It also runs RED cybersecurity testing against the EN 18031 series.
What people say works
- ✓ Long-established, globally accredited certification body (25,000+ employees, 1,000+ locations)
- ✓ Established Notified Body for RED cybersecurity under EN 18031 (a strong precedent for CRA conformity work)
- ✓ Combines testing labs, certification, and structured training under one roof
Common considerations
- ✕ Large enterprise TIC firm — engagements tend to be formal and process-heavy
- ✕ No public pricing
- ✕ Certification/assessment-led rather than hands-on engineering remediation
About this listing
Cyber Resilience Act Compliance companies, listed alphabetically and compared on public information.