We were in Maribor – with 13 partners, a common goal and a lot of concrete work on the CRA Compliance Wizard
From September 30 to October 1, 2025, we met with our partners from the CRACoWi consortium in Maribor (Slovenia) for the second plenary meeting. The focus: how to turn the Cyber Resilience Act (CRA) into a tool with which companies in Europe can work practically and efficiently instead of getting lost in regulations.
Why you should get involved with the CRA now
The Cyber Resilience Act will become mandatory from 2027. Anyone who brings networked products or digital components onto the market in the EU must then meet binding cybersecurity requirements, from development and documentation to dealing with vulnerabilities.
The problem is that small and medium-sized companies, manufacturers without their own security department and companies in complex supply chains often lack the expertise to classify and implement these requirements. The regulation is extensive, the terminology is technical and legal, and the specific steps to be taken often remain unclear.
This is exactly where CRACoWi and erminas come in: Together with 13 European partners, we are developing a digital wizard that guides companies step by step through their CRA obligations – in an understandable, practical and practicable way.
What CRACoWi is all about
CRACoWi (Cyber Resilience Act Compliance Wizard) turns complex regulation into a concrete, usable process:
Development of a digital wizard to guide companies through their CRA obligations
Focus on comprehensible, practicable assistance instead of purely legal interpretation
Funded by the Digital Europe Program, supported by the European Cybersecurity Competence Centre (ECCC)
What we achieved in Maribor
In Maribor, we worked very concretely for two days. All partners brought each other up to speed on the current status of the technical and strategic work packages – combined with workshops and direct exchanges with each other.
A central element was a use case workshop with a live run-through of the wizard. We used real scenarios to identify where there are still gaps in the documentation and what threat modeling for OT and IoT devices could look like in practice. Work then continued in smaller groups: one on critical infrastructures, one on importers and distributors and one on compliance documentation.
At the same time, there was a CRAcademy session on certification, standardization and the obligations of manufacturers, distributors and importers when dealing with vulnerabilities. The meeting was rounded off with a vote on communication and KPI tracking to ensure that the results of CRACoWi reach the right target groups.
What we contribute as erminas
As erminas, we contribute what we do every day:
Passionate software development for complex, networked systems
Industrial IoT / IIoT expertise from real projects with mechanical engineering, production and critical infrastructures
Experience in translating security and compliance requirements into workable solutions
As part of CRACoWi, we support the design and validation of the technical components from a very practical perspective: How does the wizard feel for companies that are really under time pressure? What information is reasonable, what processes need to be automated?
Our claim: A tool that is not only theoretically correct, but also works in day-to-day business.
Thanks & Outlook
Special thanks go to Tiko Pro for organizing the meeting in Maribor and to ITML for coordinating the project.
The next few months will be crucial: refining the wizard, piloting with companies, expanding CRAcademy content.
The next reunion of the consortium is already planned – at the upcoming plenary meeting in Athens.
More information about CRACoWi and us References CRACoWi – erminas GmbH
Frequently asked questions
Do you have questions about the CRA or CRACoWi? We will gladly try to provide you with some information. Maybe your question is already answered. Otherwise, you can of course contact us at any time.
