Thomas Cutuil
CRA market surveillance: the ANFR perspective

For manufacturers of connected radio products, the authority that matters for both the RED directive and the CRA is ANFR, not DGCCRF. Both regulations are enforced by the same small team of inspectors, operating with a resource constraint that shapes enforcement into a model of exemplary cases. Article 14 creates an investigation channel that did not exist before: a manufacturer who notifies a vulnerability becomes visible to ANFR; one who does not becomes exposed when the flaw becomes public. What ANFR looks for in a CRA technical file, what triggers a control, and why the CRA sanction regime changes the risk calculus for investors.

 30 April 2026  12 min
SBOM: what the CRA actually requires and how to prepare

The SBOM (Software Bill of Materials) is required by Annex VII of the CRA, but its regulatory value exceeds the documentary checkbox: without an up-to-date SBOM that can be correlated against vulnerability databases, the 24-hour Article 14 deadline is unmanageable. Formats, minimum content, challenges specific to embedded firmware, and what a viable SBOM looks like for an industrial SME without a full CI/CD pipeline.

 1 May 2026  12 min
CRA Article 14: the September 2026 milestone most manufacturers are not ready for

On 11 September 2026, the obligations to notify actively exploited vulnerabilities under Article 14 of the CRA enter into application. They apply to all products already on the market: no grandfather clause. For a manufacturer without an up-to-date SBOM and no PSIRT function, the 24-hour deadline cannot be met. What must be in place, in what order, and what a market surveillance authority looks for in a notification file.

 1 May 2026  11 min
Thomas Cutuil

Certification engineer — EU product compliance expert
