
Frequently Asked Questions


🛡️ General & CRA

What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act is a landmark EU regulation that for the first time establishes EU-wide cybersecurity requirements for products with digital elements. This means that almost all connected devices and software products must meet basic security standards to be authorized for the European market. The focus is on the entire lifecycle – from development to regular security updates.
Which companies is ProductShield designed for?
ProductShield was specifically developed for manufacturers who develop and distribute hardware and software products (including embedded systems). Our focus is on medium-sized companies, particularly in sectors such as mechanical engineering, industrial automation, medical technology, and IoT solutions. We help translate often complex regulatory requirements into a structured, manageable process.
When will the CRA become mandatory for me?
Although the text has been adopted, various transition periods apply. Full application is expected in 2027. But beware: since the CRA requires documentation over the entire product lifecycle, processes for products that will still be on the market in 2027 often have to be adapted today. Anyone who only starts in 2027 will have a massive documentation deficit for existing versions.

⚙️ Functions & Technology

What is the difference between SBOM and CBOM?
Both are essential inventory lists for compliance:

SBOM (Software Bill of Materials): An inventory list of all software components. It makes visible which third-party libraries (open source or proprietary) you are using.

CBOM (Cryptography Bill of Materials): A specialized list of all cryptographic assets (algorithms, protocols, keys). The CRA requires transparency about how you protect data and what encryption is used.
Can ProductShield map complex product structures?
Yes. Unlike simple scanners, ProductShield allows for the linking of assets. You can define: "This product consists of hardware board A, on which firmware B runs, which in turn communicates with cloud backend C." This holistic view is crucial for a CRA-compliant risk analysis that goes beyond pure software vulnerabilities.
Does the platform support automatic EOL checks?
Yes, this is a core function for hardware manufacturers. You can store lifecycle data for components. ProductShield compares these and warns you proactively when a component reaches "End-of-Life" (EOL) status or its support period ends. This way, you avoid compliance gaps for industrial products that remain available over the long term.
How does AI help with risk assessment?
Hundreds of new vulnerabilities (CVEs) are discovered every day. Our AI engine helps filter this flood. It checks: "Is this vulnerability even exploitable in your specific hardware context?" The AI makes suggestions for prioritization and helps you efficiently create the necessary written justification for the risk assessment (a mandatory CRA requirement).

💬 Service & Support

Does netzmal also offer consulting for CRA implementation?
Yes. ProductShield is the tool, but we know that the path to compliance also requires process consulting. We offer onboarding packages and workshops in which we carry out the first inventory together with your developers and product owners and clarify the distribution of roles in the company.
Is there an API for existing CI/CD pipelines?
Yes, API access is included in the Professional and Enterprise packages. This allows you to integrate the generation or upload of SBOMs directly into your build process, so that ProductShield always knows the latest status of your software versions.
Is my product data safe?
Absolutely. Product security and confidentiality are extremely important to us. We host ProductShield exclusively on certified servers in Germany. All data is stored encrypted and we do not grant access to third parties. For companies with particularly high security requirements, we also offer on-premise options or dedicated cloud instances.

Prepare your products for the CRA in a structured way.

Talk to us about your products, assets, and current documentation status. We will show you how ProductShield fits into your product and development processes.