New Service Launched to Support Compliance with Urgent EU Regulation 'CRA' Reporting Obligations
Veriserve Corporation, a provider of software quality improvement support services, has launched a new service, the 'CRA Reporting Obligation Outsourcing Service,' to address the EU's new cybersecurity regulation, the Cyber Resilience Act (CRA). This service provides a comprehensive package, including SBOM creation, vulnerability monitoring, and support for reporting to EU authorities, to meet the 24-hour reporting obligation for vulnerabilities and incidents that will take effect in September 2026. Against the backdrop of high fines for CRA violations, the service aims to assist companies lacking know-how and also offers hands-on support for future in-house operations.
Published: May 27, 2026 at 10:03
This service allows businesses subject to the CRA to outsource all the necessary tasks to comply with the reporting obligations that will partially come into effect on September 11, 2026. Additionally, looking ahead to the full implementation of the CRA on December 11, 2027, Veriserve will also offer a 'CRA Compliance Support Service' to provide comprehensive, hands-on assistance, enabling businesses to eventually manage CRA compliance internally.
■ Background
Compliance with the EU's Cyber Resilience Act, which mandates cybersecurity measures for products with digital elements, is becoming essential. For many years, Veriserve has provided security support for products to manufacturing clients and has assisted many customers with CRA compliance.
The CRA applies to almost all products*1 with 'digital elements' sold or provided in the EU market that can connect directly or indirectly to a device or network. These products are required to have sufficient cybersecurity measures from the design and development stages and to maintain security after shipment. The regulation affects all operators in the supply chain, including manufacturers, importers, and distributors.
Starting September 11, 2026, these operators will be obligated to report 'actively exploited vulnerabilities' or 'serious incidents affecting the security of the product' to EU authorities within 24 hours of becoming aware of them. Furthermore, the full provisions of the CRA will apply from December 11, 2027.
Violations of the CRA can result in fines of up to €15 million (approx. 2.8 billion JPY)*2 or 2.5% of the total worldwide annual turnover, whichever is higher. Products that do not comply with the CRA cannot display the CE mark*3 and thus cannot be sold in the EU market. Non-compliant products may also be subject to a forced recall from the EU market. Therefore, affected businesses must urgently establish compliance systems and take necessary measures before the regulation takes effect.
However, with the deadline approaching, many businesses face challenges such as 'not knowing where to start,' 'lacking the necessary personnel or know-how,' and 'running out of time.'
In response to this situation, Veriserve is launching the 'CRA Reporting Obligation Outsourcing Service' and the 'CRA Compliance Support Service' to provide comprehensive support for customers' CRA reporting obligations.
■ Service Overview
Customers must address a wide range of CRA compliance areas from the product development planning stage to market launch. Veriserve will initially focus on supporting the reporting obligations that begin on September 11, 2026, leveraging its extensive experience and knowledge in security-related support. Concurrently, it will provide comprehensive hands-on support for the full CRA implementation on December 11, 2027.
1. CRA Reporting Obligation Outsourcing Service
(1) Policy Formulation and System Building Support: Veriserve will assess the customer's current compliance with CRA reporting requirements and identify gaps. It will then clarify improvements needed to meet the requirements within the customer's existing processes and document operational flows and rules. It will also support the customer in building the necessary internal structure.
(2) SBOM Creation: Veriserve will create a Software Bill of Materials (SBOM) based on the source code information of the product. Using an SBOM allows for the rapid identification of affected products and components when a vulnerability is discovered, leading to efficient impact analysis.
(3) Vulnerability Monitoring: Based on the created SBOM, Veriserve will monitor daily for any publicly disclosed vulnerabilities affecting the customer's products and issue alerts when 'actively exploited vulnerabilities' are detected.
(4) SBOM Management: SBOMs must be updated when product components change after shipment. As multiple product versions coexist in the market, vulnerability monitoring requires managing SBOM information for all supported versions. Veriserve will manage SBOM versions to reduce this operational burden.
(5) Product Impact Assessment: If necessary, Veriserve will verify whether an attack exploiting a vulnerability can actually succeed against the target product, assess the scope and severity of the impact, and propose countermeasures such as necessary fixes, workarounds, and customer communication plans.
(6) Reporting Support to EU Authorities: Veriserve will set up a contact point for inquiries regarding serious security incidents affecting the product. When an 'actively exploited vulnerability' or a 'serious incident' is identified, Veriserve will organize the report content and necessary information to help the customer report appropriately to EU authorities within 24 hours.
2. CRA Compliance Support Service
(1) 'IEC 62443-4-1' Assessment: Veriserve will link 'IEC 62443-4-1'*4 requirements with CRA requirements, clarify the gap with the customer's current development process, and formulate a compliance plan.
(2) 'IEC 62443-4-1' Process Building Support: To address the gaps identified in (1), Veriserve will help build a secure development process by modifying related documents and provide support for full-scale implementation.
(3) PSIRT Organization and System Building Support: Veriserve will assist in establishing a Product Security Incident Response Team (PSIRT) to ensure a swift response to security incidents in products and services, helping to prevent the spread of damage and ensure an appropriate initial response.
(4) SBOM Process Creation Support: Veriserve will support customers in creating SBOMs and establishing processes for vulnerability management using the created SBOMs.
(5) Secure Development Implementation Verification: Veriserve will conduct threat analysis*5 and penetration testing*6 on the target product to identify potential vulnerabilities and attack vectors.
(6) Document Creation Support: Veriserve will assist in creating documents tailored to customer needs, such as technical documentation for obtaining the CE mark.
*1 Excludes automobiles, aircraft, and medical devices, which are already covered by equivalent international standards or regulations.
*2 Converted at a rate of 1 EUR = 184.86 JPY (as of May 14, 2026).
*3 A mark indicating that a designated product sold in the EU conforms to EU standards.
*4 The first part of the IEC 62443-4 series of international standards on cybersecurity for industrial control systems, which defines the requirements for a secure development process for organizations that develop and manufacture products.
*5 A process to systematically identify, assess, and mitigate potential vulnerabilities, attack targets, and pathways in a product from the early stages of design and development.
*6 A service in which security experts use attack methods similar to those of actual hackers to verify whether unauthorized access or information theft is possible.
■ About Veriserve Corporation
Established: July 24, 2001
Representative: Tadahiro Shigihara, President
Headquarters: Jinbocho-kitatokyu Bldg., 3-1-16 Kanda-Misakicho, Chiyoda-ku, Tokyo
Business: Software business (Software testing, cybersecurity, consulting, software development, etc.)
URL: https://www.veriserve.co.jp/
FAQ
What does EU CRA stand for?
It stands for the EU Cyber Resilience Act. It is a regulation to strengthen the cybersecurity of digital products sold in the EU.
What problem does Veriserve's new service solve?
It handles the tasks required to comply with the CRA's mandate for '24-hour reporting of vulnerabilities and incidents,' solving challenges for companies such as a lack of specialized personnel and know-how.
What are the penalties for violating the CRA?
Violators may face fines of up to €15 million (approx. 2.8 billion JPY) or 2.5% of their total worldwide annual turnover, whichever is higher. They may also be ordered to recall products from the EU market.
What is specifically included in the service?
It includes the creation and management of a Software Bill of Materials (SBOM), vulnerability monitoring, product impact assessment, and support for reporting to EU authorities.
When do the CRA reporting obligations begin?
Partial application of the reporting obligations will begin on September 11, 2026, with full application starting on December 11, 2027.