You bring the product and the deadline. We bring the security engineering: a fixed-price assessment of exactly where you stand, then hands-on implementation of secure boot, signed updates, SBOMs and vulnerability handling, in your codebase and your CI.
You ship connected products into the EU or UK, and nobody on the team owns compliance.
A customer or distributor sent a security questionnaire you can’t answer yet.
Your product has radio and sells into the EU, but EN 18031 wasn’t part of its design. Those rules have applied since August 2025.
Updates are unsigned, or a failed update in the field can brick the device.
Nobody can produce a bill of materials for what’s actually running on the device today.
Compliance lives with one overloaded engineer, and the deadline is doing the planning.
Three stages. Each has a fixed scope, each stands alone, and you can stop after any of them. The deadline becomes a plan instead of a panic.
We map your product against the CRA’s essential requirements, and PSTI and RED where they apply, then hand you the plan.
We build the mechanisms in your codebase and your CI, and write the evidence as we go, not after.
Compliance decays without attention. Firmproof watches your components, and we stay on hand as the standards and the threats evolve.
The Cyber Resilience Act’s reporting obligations begin on 11 September 2026, and its main obligations apply from 11 December 2027. No CE marking means no sale in the EU, with fines of up to €15M or 2.5% of turnover.
And two regimes already apply today: the UK’s PSTI rules have covered consumer connectable products since April 2024, and the Radio Equipment Directive’s cybersecurity requirements (EN 18031) have applied to internet-connected radio equipment since 1 August 2025.
The firmware is the hardest part of meeting all of it: secure boot, signed updates, a bill of materials from your build, a working vulnerability process. It’s also the part many teams have no one in-house to own.
Actively exploited vulnerabilities must be reported within 24 hours from this date. Full conformity follows on 11 December 2027, and legacy products already on the market are in scope.
Technical, free and straight: what you ship, which rules apply, and whether we can help.
Scope, deliverables and price in writing before any work starts. No day-rate drift.
The gap report and the prioritised plan. It stands alone, so you can take it to any team.
We implement the plan in your codebase and hand it over working, documented and evidenced.
Aceman is founder-led. The engineer you meet on the first call is the one in your codebase: eleven years of embedded systems, trained in automotive, where firmware is not allowed to fail.
That background matters here. Safety-critical engineering runs on exactly what the CRA now demands of everyone: traceability, disciplined process, and evidence generated by the work itself.
Meet the founder →A fixed-price review that maps your product against the CRA’s requirements (and PSTI/RED where they apply), identifies the gaps, and gives you a prioritised plan to close them. It stands alone, so you can take the plan to any team, and it’s the natural first step if you’d like us to implement it. It includes three months of Firmproof.
No. Notified bodies verify and certify, and they’re barred from also building the solution. We do the engineering that makes a product pass, so you’re ready when the assessor arrives.
Vulnerability and incident reporting obligations begin on 11 September 2026, and the main obligations apply from 11 December 2027. Products placed on the EU market from that date must meet the essential requirements, and the reporting obligations also cover products already on sale.
If your product has digital elements and connects to a device or network, and you place it on the EU market, it almost certainly does. The reporting obligations cover products already on sale; anything you place on the market from December 2027 must meet the essential requirements. Some classes are treated as “important” or “critical” and may need a notified body. The readiness check is a fast way to see where you stand.
Two regimes are already in force: the UK’s PSTI product-security regime has applied to consumer connectable products since April 2024, and the Radio Equipment Directive’s cybersecurity requirements (EN 18031) have applied to internet-connected radio equipment since 1 August 2025. If your product connects and sells in the UK or EU, the odds are something already applies. The readiness check covers all three regimes.
Start with a readiness assessment: a fixed-price map of exactly what your product needs to pass.
Prefer to talk first? Book a 20-minute technical fit call (booking link coming online)
Or email directly: hello@acemansolutions.co.uk
Not ready to talk? Run the two-minute readiness check and get the gap report by email.