CRA-04 — EU Cyber Resilience Act

Under Scrutiny

The market surveillance authority is here. Five days to prove everything you’ve built actually works.

THREAT LEVEL: GREEN

You are the CEO of Kastos IoT. Eight months ago, a vulnerability in the K400 triggered your first CRA incident response. Since then, your team has rebuilt the SBOM, produced a CRA-compliant technical file, managed a researcher disclosure, defined a 7-year support period, and built a supply chain compliance programme. Today, the Dutch market surveillance authority — the Rijksinspectie Digitale Infrastructuur (RDI) — is here to verify all of it. This is not punitive. It’s the first wave of CRA market surveillance inspections across the EU. The inspectors are professional and thorough. They have 5 days. You have everything to prove.

  • Kastos IoT — 340 employees, €62M revenue, HQ Rotterdam
  • K400: Important Class I product. Conformity assessment by BSI Netherlands
  • Module 1: Zero Day vulnerability — ENISA reported, patched, resolved
  • Module 2: Technical file rebuilt for CRA. v4.0 shipped with conformity certificate
  • Module 3: Supply chain audit completed. BLE stack forked internally
  • RDI inspection: 5 days. Lead inspector: Dr. Elise Bakker
Mission Briefing

How This Works

This is a decision-driven scenario. You’ll make the real decisions a CEO faces during a market surveillance inspection — and your choices determine whether RDI’s report is exemplary or critical.

Three Decisions

Each decision is scored. How you frame the management body question, the classification correction, and the SBOM finding determines your final assessment.

Document Assembly

Pick the right documents to present from your repository. Some are current. Some are outdated traps.

Hot Seat Interview

Four management questions from the lead inspector. Answer each one yourself or defer — both can be right or wrong.

Findings Ranking

Rank the inspector’s 4 findings by severity. Your ranking shows whether management can prioritise compliance risks correctly.

--:--:-- GREEN CRA-04: Under Scrutiny
Personnel Briefing

In the Room

You play as Hendrik van Dijk, CEO of Kastos. These are the people you’ll need to read and manage over five inspection days. One of them is trying to catch you out. The rest are trying to keep you standing.

Dr. Elise Bakker
Lead Inspector, RDI Netherlands
Has seen every compliance failure there is. Professional. Unimpressed by theatre.
Sophie Laurent
Head of Legal & Regulatory Affairs
Prepared for this inspection for 3 months. Knows exactly what she can and can’t say.
Leah Voss
Product Security Lead
Owns the PSIRT process and the SBOM. The technical backbone of this inspection.
Jan Mulder
VP of Engineering
Under pressure. Technically brilliant. Not known for patience in formal settings.
Situation Feed

Day 1 — Opening Meeting

Tuesday, 09:00 CET

Dr. Bakker and her team arrive. Two RDI inspectors, one technical assessor. She opens: “Mr. van Dijk, we’re here under Articles 52-58 of the Cyber Resilience Act. Routine market surveillance, first wave across the EU. We’re assessing the K400’s compliance with essential requirements, your conformity assessment, and your ongoing manufacturer obligations.”

She outlines the 5 days: management overview and documentation, technical deep-dive (SBOM, vulnerability handling, security testing), supply chain, personnel interviews, then findings.

Her first question is for you: “Describe, in your own words, what the CRA requires of Kastos as the K400’s manufacturer.”

DR. ELISE BAKKER — Lead Inspector, RDI
I’m not asking for a legal recitation. I want to understand whether the management body — you personally — understands the regulatory framework your company operates under. What does the CRA require of Kastos?
OPS FEED — Situation Feed
[09:05] INSPECTION — Day 1 initiated. Lead: Dr. Elise Bakker, RDI. Scope: CRA compliance, K400 product line. Duration: 5 days.

The Management Body Question

Dr. Bakker wants YOUR understanding of the CRA — not Sophie’s, not Leah’s. She’s testing whether the CEO genuinely understands the framework. How do you respond?

Outcome: Positive

CEO Understands the Framework

You speak for 3 minutes. You describe the essential requirements in your own words — not quoting articles but explaining what they mean for Kastos. You mention the Zero Day, the technical file rebuild, the support period commitment, the supply chain programme. You’re honest about the gaps that were found.

Dr. Bakker takes notes. “Thank you. That’s a clear articulation of your obligations. I appreciate the candour about the classification correction — we’ll discuss that in more detail. For now, I’m satisfied that the management body has an appropriate understanding of the CRA framework.”

Sophie gives you a small nod.

Regulatory Reference
CRA and Management Body Responsibility
The CRA places obligations on the manufacturer. Market surveillance authorities assess whether the management body understands and oversees these obligations. A CEO who can articulate the framework in practical terms shows compliance is embedded in leadership, not outsourced.
Dr. Elise Bakker — Lead Inspector, RDI
“Thank you. That’s a clear articulation of your obligations. I appreciate the candour about the classification correction. For now, I’m satisfied that the management body has an appropriate understanding of the CRA framework.”
Outcome: Neutral

Deferred to Legal

Sophie gives a precise 2-minute summary of the CRA’s requirements. You follow with operational context: “From my perspective, the biggest shift has been moving from a hardware certification mindset to an ongoing software security obligation.”

Dr. Bakker notes: “Thank you, Ms. Laurent. Mr. van Dijk, I appreciate your operational perspective. I should clarify — when I ask the management body to describe the regulatory framework, I’m specifically interested in your personal understanding. The inspectors will speak with your legal team separately. For the management body assessment, I need to hear from you directly.”

She’s polite but the message is clear: the CEO shouldn’t need the lawyer to explain the company’s regulatory obligations.

Dr. Elise Bakker — Lead Inspector, RDI
“When I ask the management body to describe the regulatory framework, I’m specifically interested in your personal understanding. The inspectors will speak with your legal team separately.”
Outcome: Negative

Achievements Without Framework

You spend 4 minutes walking through Kastos’s compliance achievements. Dr. Bakker listens, then: “Mr. van Dijk, those are impressive operational responses. But I asked what the CRA requires of Kastos — the framework, not the actions. Actions are evidence of compliance. I need to understand whether the management body knows what it’s complying with. Can you describe the essential requirements?”

The question lands. You realise you’ve been talking about what Kastos did, not why. Sophie leans in with a note: “Annex I — essential cybersecurity requirements. Article 13 — manufacturer obligations. Article 14 — reporting.” You recover, but the inspectors have noted that the CEO’s understanding is operational rather than regulatory.

Dr. Bakker: “Let’s proceed. We can revisit this during the management interview on Day 4.”

Sophie Laurent — Head of Legal & Regulatory Affairs
“Annex I — essential cybersecurity requirements. Article 13 — manufacturer obligations. Article 14 — reporting.” [passed as a note]

Day 1 — The Classification Question

Tuesday, 14:00 CET

Dr. Bakker turns to the K400’s product classification. Her team has reviewed the public records: Kastos originally self-assessed the K400 as default category and CE-marked it accordingly. The product is now classified as Important Class I with a notified body conformity certificate from BSI Netherlands.

She asks: “The K400 was originally classified as a default-category product. It is now classified as Important Class I. Can you walk me through what happened and when the reclassification occurred?”

This is the Module 1 legacy — the classification question Sophie raised during the Zero Day response. How you handle it now determines whether the inspectors see a company that corrected a good-faith error or a company that shipped non-compliant and got caught.

SOPHIE LAURENT — Head of Legal & Regulatory Affairs [whispered]
Lead with the correction. Explain what happened, when we identified the error, and what we did about it. Don’t downplay the original mistake — own it. The correction is the story, not the error.
OPS FEED — Situation Feed
[14:00] INSPECTION — Classification review. Original: default (self-assessment). Current: Important Class I (BSI Netherlands).

Explaining the Reclassification

The inspector asks about the K400’s classification change — from default (self-assessment) to Important Class I (notified body). How do you present this?

Outcome: Positive

Full Transparency

You walk through the timeline: self-assessment September 2027, Sophie’s review in October during the vulnerability response, BSI engagement in November, certificate issued January 2028. You include the suspension and the cost (€62K, 6 weeks of suspended sales).

Dr. Bakker: “Thank you for the candour. Self-correcting before enforcement action is exactly what we’d want to see. Identifying it during an incident response — rather than waiting for us — shows your internal review process works. I’ll note this as a positive finding.”

She adds: “We’d have found it today regardless. But finding it already documented and corrected significantly changes the nature of the finding.”

Dr. Elise Bakker — Lead Inspector, RDI
“Self-correcting a classification error before enforcement action is exactly what we’d want to see. The fact that you identified it during an incident response demonstrates that your internal review process works. I’ll note this as a positive finding.”
Outcome: Neutral

Current State Focus

You present the BSI certificate and current Important Class I classification. Dr. Bakker reviews it, then asks: “When was the K400 first placed on the EU market, and under what classification?”

The follow-up was inevitable. You explain the original default classification. She asks: “Was there a period when the K400 was on the market under an incorrect classification?” You confirm there was — about 6 weeks.

Dr. Bakker notes it: “The correction was timely and the current state is compliant. But I need to document that the product was placed on the market under an incorrect conformity assessment for 6 weeks. Historic finding, not current non-compliance — but it will be in the report.”

Sophie notes privately: “If we’d led with the full story, she’d have seen self-correction. Now she sees an error she had to discover.”

Sophie Laurent — Head of Legal & Regulatory Affairs
“If we’d led with the full story, she would have seen the self-correction. Now she sees an error she had to discover.”
Outcome: Negative

Defensiveness Backfires

You argue the original classification was defensible. Dr. Bakker’s expression doesn’t change. “If it was defensible, why did you reclassify? Why engage a notified body?”

The logic collapses. If the original was correct, no reclassification needed. If you reclassified, the original was wrong. Sophie intervenes: “To be clear, Dr. Bakker, we identified the error during an internal review in October 2027 and took corrective action. Mr. van Dijk is noting the regulatory guidance was not as clear as it could have been.”

Dr. Bakker: “For the record: the K400 manages physical access via network-connected systems. It falls clearly under Important Class I. The self-assessment was non-compliant. I note the correction, but I also note the management body initially characterised it as defensible. This goes into management oversight in the report.”

Regulatory Reference
CRA Articles 52-58 — Market Surveillance
Authorities assess the manufacturer’s track record — how errors were identified and corrected. Self-correction before enforcement is viewed favourably. Retroactive justification undermines credibility. Inspectors distinguish honest errors (corrected proactively) from defensive posturing.
Sophie Laurent — Head of Legal & Regulatory Affairs
“To be clear, Dr. Bakker, we identified the classification error during an internal review in October 2027 and took corrective action. Mr. van Dijk is noting that the regulatory guidance was not as clear as it could have been at the time.”

Day 2 — Technical Deep-Dive

Wednesday, 10:00 CET

The technical assessor reviews the K400’s SBOM, vulnerability handling, and test results. Leah presents the PSIRT process, ENISA notifications, and patch history.

The assessor is impressed with the SBOM rebuild and the response timeline. Then she finds something: “Your SBOM shows 312 dependencies. Your latest build has 318. Six libraries were added in last month’s v4.1 maintenance release. In the build, not in the SBOM.”

Component class                        v4.0   v4.1
Top-level dependencies                   47     47
Transitive dependencies                 265    271
Security-critical (BLE, TLS, crypto)      3      3
Diagnostic utilities (added v4.1)         -     +6
Total in production build               312    318
Total documented in SBOM                312    312
Undocumented delta                        0      6

Six diagnostic utilities added in v4.1. No known CVEs. But the CRA SBOM isn’t risk-based — full documentation is required regardless of vulnerability status.

A process gap — the SBOM update wasn’t in the v4.1 release checklist. Minor discrepancy, no known CVEs, but the same kind of gap that caused Module 1’s problems.

LEAH VOSS — Product Security Lead
She’s right. The v4.1 release added 6 libraries for a new diagnostic feature. The build pipeline flagged them but the SBOM update was deferred to the next major release cycle. It should have been updated before shipping.
JAN MULDER — VP of Engineering [muttering]
Six utility libraries. No security impact. This is exactly the kind of thing that makes engineers hate compliance.
OPS FEED — Situation Feed
[10:32] INSPECTION — SBOM discrepancy: 318 dependencies in build vs. 312 in documented SBOM. 6 undocumented libraries in v4.1.

Inspection Evidence Assembly

Practice round — not scored. Your score comes from the three decisions.

Wednesday, 14:00 CET

Dr. Bakker has requested the K400 compliance evidence package. Select the documents you intend to present. Some are current, some are outdated versions that will undermine your case, and some are missing entirely. Present the wrong version and the inspector will notice.


Day 4 — The SBOM Finding

Dr. Bakker formally notes the finding: “6 undocumented dependencies in the current production build.” She asks: “How will you address this, and what will you change to prevent recurrence?”

Outcome: Positive

Systematic Fix

You commit to the 48-hour SBOM update and the CI/CD integration. Leah confirms: “We can integrate SBOM generation into the build pipeline by next sprint. Every release will automatically regenerate and verify the SBOM against the build artifacts. No manual step, no deferral possible.”

Dr. Bakker notes: “Good. This is the kind of systemic response I look for. The finding itself is minor — 6 utility libraries. But the pattern — SBOM drift between releases — is the same pattern that caused issues in your October incident. The fact that you’re addressing the root cause, not just the symptom, is positive.”

She adds: “I’ll note this as a minor finding with a satisfactory corrective action. No follow-up inspection required for this item.”

Leah Voss — Product Security Lead
“We can integrate SBOM generation into the build pipeline by next sprint. Every release will automatically regenerate and verify the SBOM against the build artifacts. No manual step, no deferral possible.”
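A release gate of the kind Leah commits to here, as an added example (not the module's or Kastos's own pipeline code): it diffs a CycloneDX-style SBOM against the components resolved from the build artifacts and fails the release on any delta, whether undocumented, stale or version-mismatched, mirroring the 312-versus-318 discrepancy the assessor found on Day 2. All component names and versions are constructed.

```python
"""Release gate comparing the documented SBOM with the build's resolved components.

Added example for the SBOM drift described in the inspection; the data is
constructed, not Kastos's real SBOM. Any delta fails the release, regardless of
whether the extra components carry known CVEs, because the CRA SBOM duty is
completeness, not risk-weighting.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass
class DriftReport:
    undocumented: list[str]      # in the build, absent from the SBOM
    stale: list[str]             # in the SBOM, no longer in the build
    version_mismatch: list[str]  # same name on both sides, different version

    @property
    def passes(self) -> bool:
        return not (self.undocumented or self.stale or self.version_mismatch)


def sbom_components(sbom: dict) -> set[Component]:
    """Pull name/version pairs out of a CycloneDX-style document (minimal subset)."""
    return {Component(c["name"], c["version"]) for c in sbom.get("components", [])}


def compare(documented: set[Component], built: set[Component]) -> DriftReport:
    """Diff by component name first, then by version for names present on both sides."""
    doc = {c.name: c.version for c in documented}
    blt = {c.name: c.version for c in built}
    return DriftReport(
        undocumented=sorted(n for n in blt if n not in doc),
        stale=sorted(n for n in doc if n not in blt),
        version_mismatch=sorted(n for n in blt if n in doc and blt[n] != doc[n]),
    )


def gate_release(sbom: dict, build_manifest: list[dict]) -> DriftReport:
    """CI entry point: the pipeline fails unless the returned report passes."""
    built = {Component(c["name"], c["version"]) for c in build_manifest}
    return compare(sbom_components(sbom), built)


# Constructed sample data: a shortened v4.0 SBOM and a v4.1 build manifest that
# picked up six diagnostic utilities the SBOM was never updated for.
SBOM_V40 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "kastos-ble-stack", "version": "2.4.1"},
        {"name": "tls-lib", "version": "3.6.0"},
        {"name": "crypto-lib", "version": "1.2.3"},
        {"name": "json-parser", "version": "0.9.8"},
    ],
}
BUILD_V41 = [dict(c) for c in SBOM_V40["components"]] + [
    {"name": f"diag-util-{i}", "version": "1.0.0"} for i in range(1, 7)
]

if __name__ == "__main__":
    report = gate_release(SBOM_V40, BUILD_V41)
    print("release allowed" if report.passes else f"blocked: {report}")
```

Wiring this in as a required CI step is what removes the "defer to the next major release" option the inspector objected to.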
Outcome: Neutral

Quick Fix During Inspection

Your team updates the SBOM overnight. By Day 5, the document reflects 318 dependencies, all verified. You add ‘SBOM verification’ to the release checklist.

Dr. Bakker: “Thank you for the prompt update. The checklist addition is a reasonable first step. I would encourage you to consider automated verification in your build pipeline — manual checklists work until someone’s in a hurry. I’ll note this as a minor finding with corrective action in progress.”

The finding stays in the report as ‘minor non-conformity, corrected during inspection.’ Not ideal, but not damaging.

Dr. Elise Bakker — Lead Inspector, RDI
“Thank you for the prompt update. The checklist addition is a reasonable first step. I would encourage you to consider automated verification in your build pipeline — manual checklists work until someone’s in a hurry.”
Outcome: Negative

Downplaying the Finding

You explain the prioritisation rationale. Dr. Bakker listens. “Mr. van Dijk, I understand these libraries aren’t individually high-risk. But the CRA’s SBOM requirement isn’t risk-based — it requires documentation of all components. If 6 are missing, you can’t monitor them for CVEs, can’t include them in risk assessments, can’t inform ENISA accurately.”

She continues: “This is the same documentation drift that affected your SBOM during the October 2027 incident — 7 then, 6 now. The pattern suggests the Module 1 process fix wasn’t fully implemented. I’ll note this as a recurring finding.”

Jan stares at the table. ‘Recurring finding’ is significantly worse than a first-time discrepancy.

Regulatory Reference
CRA Annex VII — SBOM as Living Document
The CRA requires the SBOM to be accurate and current — a living document updated each release, not a snapshot. An SBOM that doesn’t reflect the current build is non-compliant regardless of whether missing components have known CVEs. The SBOM proves the manufacturer knows what’s in the product.
Dr. Elise Bakker — Lead Inspector, RDI
“The pattern suggests the process fix from Module 1 was not fully implemented. I’ll note this as a recurring finding.”

Day 3 — Unscheduled Discovery

Thursday, 11:20 CET

The assessor finds something unexpected in your deployment registry: a single K400 panel at the Lessing-Gymnasium in Düsseldorf is running firmware v3.2 — the version with the October 2027 vulnerability. Never updated.

Your records show the school accepted the OTA patch. The panel never installed it. The school’s IT contractor disabled outbound updates on the controller subnet six months ago — a network change Kastos was never told about. The panel sits at the back of a service corridor.

Before you can respond, Jan loses his composure.

JAN MULDER — VP of Engineering [loudly, to Bakker]
Are you serious? One panel. In a service corridor. In a school. Nobody is going to attack it. This is exactly the kind of paperwork-driven nonsense that makes engineers leave compliance teams.

Bakker’s expression doesn’t change. She makes a note. The room is quiet.

SOPHIE LAURENT — Head of Legal [whispered, urgently]
Hendrik, two things at once. The Düsseldorf panel is a fresh notification trigger under Article 14 — actively exploitable v3.2 firmware, deployed, unpatched. And Jan just escalated in front of an inspector. You need to handle both, in this order.
OPS FEED — Situation Feed
[11:23] DISCOVERY — K400 SN-K4-08812, Lessing-Gymnasium Düsseldorf. Firmware v3.2 (PRE-PATCH). Last contact 184 days. Patch never installed.

Two Fires at Once

An unpatched v3.2 panel just surfaced in front of the inspector. Your VP of Engineering just snapped at her. How do you respond to both, right now?

Outcome: Positive

Both Fires Handled

You turn to Jan first. “Jan — deployment context is real. A school corridor is not a bank lobby. You’re right about that. It doesn’t change our Article 14 obligation. We have an unpatched v3.2 in the field. We file. We recall. We learn how the customer disabled our update path.” Jan exhales. Nods.

You turn to Bakker. “We’ll file a new ENISA early-warning notification today. Remediation plan for the Düsseldorf panel within 48 hours, fleet-wide audit for update-path issues within two weeks. I understand this likely extends your inspection.”

Bakker writes for a long moment. “Thank you. Two things for the report. The Düsseldorf finding is significant, but the response is exemplary. And the management moment: a VP expressing frustration is human; a CEO who corrects course without diminishing his team is leadership. That goes in management oversight, positively.”

Regulatory Reference
CRA Article 14 — Fresh Awareness Triggers Fresh Obligations
The 24-hour clock isn’t a one-time event tied to original disclosure. Each new awareness of an exploitable, deployed product creates a new Article 14 obligation — whether discovered through audit, customer report, or third-party scan.
Dr. Elise Bakker — Lead Inspector, RDI
“A VP of Engineering expressing frustration is human. A CEO who corrects course in real time without diminishing his team is leadership. That goes in the management oversight section, positively.”
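The fleet-wide update-path audit the CEO commits to, as an added example that is not part of the module or Kastos's tooling: it walks a deployment registry and flags panels still on v3.2 firmware (a fresh Article 14 trigger) separately from panels whose update path looks broken, so the two obligations are tracked as distinct findings. The Düsseldorf serial, firmware version and 184-day silence come from the ops feed; the other devices and the 30-day silence threshold are assumptions.

```python
"""Fleet audit over a deployment registry: find panels that still run vulnerable
firmware or whose update path looks broken.

Added example, not the module's or Kastos's tooling. Registry rows are
constructed; v3.2 as the vulnerable firmware and the Düsseldorf serial come
from the inspection narrative, the other serials and MAX_SILENT_DAYS are
assumptions.
"""
from dataclasses import dataclass

VULNERABLE_VERSIONS = {(3, 2)}  # firmware carrying the October 2027 vulnerability
MAX_SILENT_DAYS = 30            # assumption: silence beyond this means the update path needs checking


@dataclass(frozen=True)
class Device:
    serial: str
    site: str
    firmware: str           # e.g. "v3.2"
    last_contact_days: int
    patch_accepted: bool    # customer accepted the OTA patch
    patch_installed: bool   # device reported the patch applied


def parse_version(firmware: str) -> tuple[int, ...]:
    """'v3.2' -> (3, 2); tolerant of a missing 'v' prefix."""
    return tuple(int(p) for p in firmware.lstrip("vV").split("."))


def audit_device(d: Device) -> list[str]:
    """Return the findings for one device; an empty list means nothing to act on."""
    findings = []
    if parse_version(d.firmware) in VULNERABLE_VERSIONS:
        # Deployed product on exploitable firmware: new awareness, so notify and remediate.
        findings.append("ARTICLE14_NOTIFY")
    if d.patch_accepted and not d.patch_installed:
        # Customer said yes, device never applied it: the update path itself is the finding.
        findings.append("UPDATE_PATH_BROKEN")
    if d.last_contact_days > MAX_SILENT_DAYS:
        findings.append("UPDATE_PATH_SILENT")
    return findings


def audit_fleet(registry: list[Device]) -> dict[str, list[str]]:
    """Map serial -> findings, only for devices that have at least one."""
    return {d.serial: f for d in registry if (f := audit_device(d))}


# Constructed registry: one real-looking problem case from the narrative plus
# three assumed devices covering the healthy and partial-failure paths.
REGISTRY = [
    Device("SN-K4-08812", "Lessing-Gymnasium Düsseldorf", "v3.2", 184, True, False),
    Device("SN-K4-01001", "constructed-site-A", "v4.1", 2, True, True),
    Device("SN-K4-01002", "constructed-site-B", "v4.0", 45, True, True),   # silent, but patched
    Device("SN-K4-01003", "constructed-site-C", "v4.1", 1, True, False),   # accepted, never applied
]

if __name__ == "__main__":
    for serial, findings in audit_fleet(REGISTRY).items():
        print(serial, ", ".join(findings))
```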
Outcome: Neutral

Reset and Return

You ask Bakker for a 30-minute pause. She agrees without comment. You take Jan to your office. He’s apologetic before you speak. “I shouldn’t have said that in front of her. I know.” You agree, briefly, and pivot to the work: the Düsseldorf panel needs a notification, the customer-side update block needs investigation, the inspection extends.

You return at 11:55. You file the new ENISA notification by end of day. Bakker logs the morning incident in her notes — the outburst, the break, the recovery. Her debrief on Day 5 includes a phrase you didn’t expect: “The management body recognised a difficult moment and took it offline. That is appropriate. I would prefer not to need a recess to reach that outcome, but the response was sound.”

Net effect: not damaging, not exemplary. The break is on the record.

Dr. Elise Bakker — Lead Inspector, RDI
“The management body recognised a difficult moment and took it offline. That is appropriate. I would prefer not to need a recess to reach that outcome, but the response was sound.”
Outcome: Negative

Defending the Wrong Hill

You side with Jan. You explain the corridor location, the customer-side network change, the absence of any exploitation evidence. You argue it’s information for the customer, not a CRA notification event.

Bakker listens. “Mr. van Dijk, I understand the operational view. Here is the regulatory view. You have a deployed product running firmware with an exploitable, publicly disclosed vulnerability. Physical location isn’t part of the Article 14 threshold. Your customer disabling OTA updates is a finding about your update assurance process — not a defence.”

She continues: “Three things. The Düsseldorf finding is now material non-compliance, not an audit observation. Your VP’s framing went unchallenged by the CEO — I read that as the management body’s position. And the cumulative pattern — SBOM drift, classification correction, now an unpatched v3.2 — moves this from routine to enhanced. We will extend our scope.”

Jan stares at the table. Sophie has stopped writing.

Regulatory Reference
CRA Article 14 + Manufacturer Obligation Boundaries
Manufacturers can’t transfer CRA obligations to customers via customer-side network configuration. If a customer’s network blocks updates, the obligation is to know it, communicate the risk, and have a remediation path. The ‘we tried to push the update’ defence does not exist in the CRA.
Dr. Elise Bakker — Lead Inspector, RDI
“The cumulative pattern — SBOM drift, classification correction, now an unpatched v3.2 in the field — moves this inspection from routine to enhanced. We will extend our scope.”

Day 4 — Management Interview

Practice round — not scored. Your score comes from the three decisions.

Friday, 09:00 CET

Dr. Bakker’s final session is the management interview. She asks four probing questions. For each one, choose the response that demonstrates genuine management oversight — not just polished talking points.


Day 5 — Inspection Findings

Practice round — not scored. Your score comes from the three decisions.

Friday, 14:00 CET

Dr. Bakker presents 4 findings from the inspection. Rank them by severity (1 = most severe, 4 = least). Your ranking determines Kastos’s remediation priority — and shows the inspector whether management can correctly prioritise compliance risks.
