The CRA Deadline Is Fixed. Assessment Capacity Isn’t

Why lab scarcity may become one of the biggest CRA compliance challenges for manufacturers

Many manufacturers are currently focused on understanding what the Cyber Resilience Act (CRA) means for their products.
That is understandable. With most CRA requirements becoming fully applicable in December 2027, organisations are assessing scope, reviewing obligations and beginning to plan their compliance activities.
What receives far less attention is whether the necessary laboratory, testing and conformity assessment capacity will still be available when it is needed.

Cybersecurity testing, conformity assessment, technical reviews and certification activities all depend on specialised laboratories, accredited assessment bodies and qualified experts. As the December 2027 deadline approaches, demand for these resources is expected to increase significantly.
For organisations with planned product launches and CE marking activities in 2027 and beyond, the challenge may not simply be understanding the CRA requirements.
It may be securing access to the assessment capacity required to demonstrate compliance.

Compliance Capacity: A Challenge Seen Before

The introduction of major European regulations often follows a familiar pattern. Organisations spend the early years understanding requirements and assessing impact. As deadlines approach, demand for testing, certification and conformity assessment services increases rapidly.

The RED cybersecurity requirements provide a recent example. Since the delegated regulation became applicable in August 2025, products that do not fully apply the harmonised EN 18031 standards, or are affected by Official Journal restrictions, require Notified Body involvement. The limited number of RED Notified Bodies has already resulted in longer lead times for many manufacturers.

The CRA has the potential to repeat this pattern on a much larger scale. Unlike RED cybersecurity requirements, the CRA applies across a broad range of products with digital elements, creating significantly greater demand for assessment capacity.

Lab Scarcity: Why Capacity Will Be the Bottleneck

Lab scarcity in Europe is not a theoretical risk. It is a structural feature of the conformity assessment market, for four reasons.

First, the CRA Notified Body framework has only just opened. Member States have been able to notify conformity assessment bodies under the CRA since 11 June 2026. Accreditation and designation of new bodies typically takes 12 to 18 months, which means the pool of CRA Notified Bodies will remain small well into 2027.

Second, specialised cybersecurity test capacity is scarce. Only a small number of European laboratories hold accreditations for evaluations such as IEC 62443, and Common Criteria evaluations under the EUCC scheme depend on a limited group of licensed evaluation facilities and certification bodies. This capacity cannot be scaled quickly: accreditation, qualified evaluators and scheme licensing all take time to build.

Third, harmonised standards under the CRA are still in development. Where harmonised standards are not available or not fully applied, products in the Important categories cannot rely on self-assessment and must follow third-party conformity assessment routes. That pushes additional demand into the same limited pool of Notified Bodies.

Fourth, every manufacturer faces the same deadline. With full application on 11 December 2027, demand will concentrate in the final 12 to 18 months before that date, while the supply of accredited capacity in that window is largely fixed.

In short: demand is set to peak at exactly the moment when supply is hardest to expand.
Unlike internal engineering resources, assessment capacity cannot be expanded overnight. Accreditation, designation of Notified Bodies, evaluator training and laboratory expansion all require considerable time and investment. As a result, additional capacity may not become available quickly when demand increases.

Not Every Product Follows the Same Route

Another common misconception is that there is a single CRA assessment pathway.
In reality, the applicable route depends on the product and the technologies involved.
Depending on the product category, manufacturers may need to consider:

• EN 18031 assessments
• RED Article 3.3 cybersecurity requirements
• IEC 62443-related evaluations
• CRA conformity assessment activities
• Additional testing and technical documentation reviews

Each route can require different expertise, timelines and resources. Each route also depends on different, and in some cases very scarce, laboratory and assessment capacity.
This makes early planning particularly important for organisations managing multiple product lines. Understanding which products require attention first can help avoid resource conflicts and last-minute decision-making.

CRA Is Also a Business Planning Issue

The CRA is often discussed as a compliance challenge. In practice, it is increasingly becoming a resource-planning challenge as well.
For organisations with product roadmaps extending beyond 2026, assessment activities must compete for the same specialised laboratory, evaluation and certification resources that many other manufacturers will also require.
Delays in cybersecurity assessments or conformity assessment activities can have wider consequences, including:

• Delayed product launches
• Delayed CE marking activities
• Reduced flexibility in development roadmaps
• Pressure on engineering and compliance teams
• Potential impacts on market access strategies

For many organisations, the key question is no longer simply:
“Does the CRA apply to my product?”
It is increasingly becoming:
“Will we have access to the assessment capacity needed when we need it?”

Why Early Planning Matters

Manufacturers that start planning assessment activities early generally have more flexibility than those that wait until the final stages of implementation.
This does not necessarily mean initiating full conformity assessment activities today. It means understanding:

• Which products are likely to require assessment
• Which standards and requirements may apply
• What internal resources will be needed
• When external assessment capacity may be required
• How compliance activities align with product development schedules

Early visibility allows organisations to prioritise products, allocate resources effectively and reduce the risk of deadline-driven bottlenecks.

Reserving Capacity Before You Need It

This is why NMi Group has incorporated capacity planning into its CRA service offering. Manufacturers can reserve future laboratory and assessment capacity in advance, providing greater certainty around planned evaluation, testing and certification activities as demand increases.

These reservation options span the full chain within NMi Group: advisory and readiness support through NMi Certin, accredited cybersecurity testing through NMi Testlab, a Notified Body for the RED cybersecurity requirements, and certification through TrustCB, including Common Criteria certification under the EUCC scheme. Reserved slots can be combined with subscription-based in-life device management, so that both initial conformity activities and ongoing obligations are planned against capacity that is already secured.

Understanding Your Assessment Requirements Early

Early visibility into assessment requirements can help manufacturers make more informed decisions about planning, resources and future conformity assessment activities.

The CRA Scorecard provides a practical starting point. In just a few minutes, manufacturers can gain an indication of:

• Whether the CRA is likely to apply to their products
• Which conformity assessment routes may become relevant
• Which areas may require additional preparation
• Where future testing, evaluation or certification activities may be needed

Understanding these factors early can help organisations prioritise resources, align compliance activities with development schedules and reduce the risk of capacity-related delays as demand increases.

Take the CRA Scorecard and gain a clearer view of your CRA readiness, potential assessment requirements and future planning priorities.