Don't let legacy software lock you out of Europe.

First CRA deadline: 11 September 2026


From 11 December 2027, every product with digital elements placed on the EU market, including life science instruments and the software bundled with them, must meet the Cyber Resilience Act’s essential cybersecurity requirements. TotalLab modernizes your existing software so you stay compliant, stay competitive, and keep selling.


Trusted by global life science OEMs · 24+ years in life science software · 21 CFR Part 11 / EU Annex 11 / GMP

The scope

If you build life science instruments, the CRA applies to you

The Cyber Resilience Act covers any “product with digital elements” placed on the EU market: hardware with embedded or bundled software, standalone software, and the remote data processing those products depend on. For life science OEMs, that means almost every product in the catalogue.

Most of this software was written long before “secure by design” was a regulatory requirement. Often it runs on outdated frameworks, lacks a Software Bill of Materials, has no documented vulnerability handling process, and was never built with secure update mechanisms or modern authentication.

That worked under 21 CFR Part 11 and EU Annex 11. It will not work under the CRA.

  • Gel imaging and electrophoresis systems
  • Plate readers and ELISA analyzers
  • Mass spectrometers and chromatography systems
  • Microarray and sequencing platforms
  • Colony counters, blot analyzers, image analysis stations
  • Any instrument shipping with bundled analysis software, drivers or connectivity

The pragmatic path

Keep your hardware. Modernize the software around it.

Your instruments are mechanically sound and commercially valuable. The CRA doesn’t require you to scrap them. It requires the digital elements that ship with them to meet modern cybersecurity standards. We’ve been doing exactly this work for global life science OEMs for years.

What we deliver

A complete CRA compliance pathway, end to end

CRA Gap Analysis & Readiness Audit

We assess your portfolio against the CRA’s essential requirements, classify each product against the regulation’s risk categories, and give you a clear remediation roadmap. Free of charge.

SBOM Generation

Machine-readable Software Bills of Materials (CycloneDX or SPDX) covering at least the top-level dependencies in each product, as the CRA requires. An SBOM is what lets you tell within hours whether a newly disclosed vulnerability affects your fielded products, which is the prerequisite for meeting the vulnerability-reporting obligations that apply from 11 September 2026.
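As an added illustration of what a CRA-oriented SBOM looks like in practice (this is example code written for this page, not TotalLab’s tooling, and the product name, component names, versions and package URLs are constructed placeholders), the block below builds a minimal CycloneDX 1.5 document for an instrument application with its top-level dependencies, then checks the points a reviewer would look for: every component identified by a package URL and version, a dependency graph rooted at the product itself, and no component left unreachable from that root. It also shows the triage query an advisory triggers: which shipped component matches a given package.

```python
"""Minimal CycloneDX 1.5 SBOM for a bundled instrument application, plus the checks
a CRA technical-file reviewer would apply. Added example for this page; not vendor code.
All product and dependency data below is constructed for illustration."""
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory: the product and its top-level runtime dependencies.
# In a real pipeline this comes from the build system or package manifests.
PRODUCT = {"name": "AcquireStation", "version": "4.2.0", "supplier": "ExampleOEM"}
TOP_LEVEL_DEPS = [
    {"name": "Newtonsoft.Json", "version": "13.0.3",
     "purl": "pkg:nuget/Newtonsoft.Json@13.0.3", "licenses": ["MIT"]},
    {"name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13", "licenses": ["Apache-2.0"]},
    {"name": "libtiff", "version": "4.6.0",
     "purl": "pkg:generic/libtiff@4.6.0", "licenses": ["libtiff"]},
]

REQUIRED_COMPONENT_FIELDS = ("bom-ref", "name", "version", "purl")


def build_sbom(product, deps, serial=None, timestamp=None):
    """Return a CycloneDX 1.5 BOM (as a dict) describing product and its direct dependencies."""
    product_ref = f"{product['name']}@{product['version']}"
    components = []
    for d in deps:
        comp = {"type": "library", "bom-ref": d["purl"], "name": d["name"],
                "version": d["version"], "purl": d["purl"]}
        if d.get("licenses"):
            comp["licenses"] = [{"license": {"id": lic}} for lic in d["licenses"]]
        components.append(comp)
    when = timestamp or datetime.now(timezone.utc)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{serial or uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "component": {"type": "application", "bom-ref": product_ref,
                          "name": product["name"], "version": product["version"],
                          "supplier": {"name": product["supplier"]}},
        },
        "components": components,
        # The graph is what makes "top-level" explicit: the product depends on these refs.
        "dependencies": [{"ref": product_ref, "dependsOn": [c["bom-ref"] for c in components]}]
                        + [{"ref": c["bom-ref"], "dependsOn": []} for c in components],
    }


def check_sbom(bom):
    """Return a list of findings; an empty list means the minimum a reviewer expects is present."""
    findings = []
    if bom.get("bomFormat") != "CycloneDX" or not bom.get("specVersion"):
        findings.append("not a CycloneDX document")
    root = bom.get("metadata", {}).get("component") or {}
    if not root.get("bom-ref") or not root.get("version"):
        findings.append("metadata.component (the product itself) is missing or unversioned")
        return findings
    refs = set()
    for c in bom.get("components", []):
        missing = [f for f in REQUIRED_COMPONENT_FIELDS if not c.get(f)]
        if missing:
            findings.append(f"component {c.get('name', '?')} missing {', '.join(missing)}")
        if c.get("bom-ref") in refs:
            findings.append(f"duplicate bom-ref {c['bom-ref']}")
        refs.add(c.get("bom-ref"))
    graph = {d["ref"]: set(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    if root["bom-ref"] not in graph:
        findings.append("dependency graph has no entry for the product")
    known = refs | {root["bom-ref"]}
    for ref, deps in graph.items():
        for dep in sorted(deps - known):
            findings.append(f"{ref} depends on undeclared ref {dep}")
    # Walk the graph from the product; anything not reached is an orphan component.
    reached, frontier = set(), [root["bom-ref"]]
    while frontier:
        for dep in graph.get(frontier.pop(), ()):
            if dep not in reached:
                reached.add(dep)
                frontier.append(dep)
    for orphan in sorted(refs - reached):
        findings.append(f"component {orphan} is not reachable from the product")
    return findings


def components_matching(bom, purl_without_version):
    """Advisory triage: return the shipped components whose purl is this package (any version)."""
    prefix = purl_without_version + "@"
    return [c for c in bom.get("components", []) if c.get("purl", "").startswith(prefix)]


if __name__ == "__main__":
    bom = build_sbom(PRODUCT, TOP_LEVEL_DEPS)
    print(json.dumps(bom, indent=2))
    print("findings:", check_sbom(bom) or "none")
    print("openssl shipped as:", [c["version"] for c in components_matching(bom, "pkg:generic/openssl")])
```

The reachability walk matters more than it looks: SBOMs assembled from several build steps routinely contain components nobody declared a dependency on, and those are exactly the ones that get missed when an advisory lands. The triage query is deliberately version-agnostic because advisories name affected version ranges, so the first question is always “do we ship this package at all”.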

Legacy Software Modernization

Where code can be remediated, we remediate. Where it can’t, we redevelop on a modern, secure stack while preserving the workflows your customers know. Always white-labelled under your brand.

Compliance Documentation

Technical documentation, secure-by-design evidence, and EU Declaration of Conformity packs ready for CE marking under the CRA, alongside existing 21 CFR Part 11 and Annex 11 documentation.

Ongoing Vulnerability Management

Security support throughout each product’s support period. Signed updates, vulnerability monitoring, and the CRA’s reporting workflow for actively exploited vulnerabilities and severe incidents (early warning within 24 hours, notification within 72 hours, and the follow-up final report), delivered as a managed service.

Why TotalLab

Specialists, not generalists

CRA compliance is a regulated software problem in a domain most software houses don’t understand. We’ve spent 24 years on exactly this intersection.

Life science specialists

Our team includes PhD-educated life scientists alongside software engineers and AI experts. We already speak your customers’ language: 1D and 2D gels, host cell protein analysis, LC-MS, microarrays. You won’t pay us to learn your domain.

24 years of compliance work

We’ve been building compliant software for the life science industry since the 21 CFR Part 11 era. Several of the world’s largest life science OEMs already trust us with their software provision.

AuditSafe head start

Our AuditSafe platform already delivers many of the controls the CRA requires: audit trails, electronic signatures, user management, data integrity. Those controls map onto several of the CRA’s essential requirements (access control and authentication, integrity protection, logging of security-relevant activity), shortening time to market.

White-label, always

Everything we build for OEM partners ships under your brand. Your customers see your product, your support journey, your brand. We stay invisible.

How an engagement works

Six steps from audit to compliant product

01

Free CRA Readiness Audit

We assess your portfolio, identify in-scope products, and produce a gap analysis against the CRA’s essential requirements. You leave the call with a clear picture of your exposure.

02

Roadmap & Scoping

We sequence your products by commercial priority and regulatory risk, agree on a remediation-versus-redevelopment approach, and lock in a delivery timeline that hits the December 2027 deadline.

03

SBOM & Reporting Readiness

We get you operationally ready for the September 2026 reporting obligations first, regardless of the longer redevelopment timeline. This protects your fielded fleet immediately.

04

Secure Development & Validation

We rebuild or refactor under secure-by-design principles with documented vulnerability handling, signed updates, modern authentication, and full validation evidence.

05

Documentation & Conformity Assessment

We produce the technical file, declaration of conformity, and supporting evidence you need for CE marking under the CRA.

06

Ongoing Support & Maintenance

We continue to monitor, patch, and report on your behalf, or hand the work back to your internal team with full documentation. Your call.

You almost certainly have less time than you think.

A typical CRA modernization program runs nine to eighteen months. The OEMs starting conversations now will hit the December 2027 deadline. The ones who wait will quietly stop being able to ship into Europe.

Book your free CRA readiness audit

Frequently asked

Common questions, straight answers

Does the CRA apply to life science instruments?

Yes, in almost every case. The CRA covers any “product with digital elements” placed on the EU market: hardware running software, standalone software, or both. Research-use and non-medical lab equipment is firmly inside scope. Medical devices regulated under the MDR or IVDR are excluded from the CRA and fall under those regulations’ own cybersecurity provisions, but the principles increasingly align.

What happens if we don’t comply?

From 11 December 2027, non-compliant products with digital elements cannot be placed on the EU market. Existing units in the field aren’t recalled, but you cannot ship new ones. Reporting obligations for actively exploited vulnerabilities and severe incidents apply to your fielded fleet from 11 September 2026 regardless. Maximum penalties for breaching the essential requirements reach €15 million or 2.5% of global annual turnover, whichever is higher.

Can our existing software be remediated, or does it need to be rebuilt?

It depends on the codebase. Some products can be remediated through significant refactoring, secure update infrastructure, and a robust SBOM. Others, particularly those built on unsupported frameworks or end-of-life operating systems, are more economically rebuilt. Our gap analysis gives you a clear, product-by-product answer.

How long does an engagement take?

Single-product engagements typically run 9 to 18 months. Multi-product portfolios can be sequenced in parallel. The earlier you start, the more flexibility you have on scope and approach.

Will the software ship under our brand?

Yes. Almost all our OEM software ships under our partners’ brands. Your customers see your product. We work behind the scenes.

Does our existing 21 CFR Part 11 / Annex 11 work count towards the CRA?

Significantly. Many of the controls required by 21 CFR Part 11 and Annex 11 (audit trails, user management, data integrity, electronic signatures) overlap with the CRA’s essential cybersecurity requirements. If you already work with TotalLab on 21 CFR / Annex 11 compliance, much of the foundation is already in place.

We’re not based in the EU. Does the CRA still apply to us?

Yes. Our clients are global. The CRA applies to any manufacturer placing products on the EU market, regardless of where the company is headquartered. We work with US, European, and Asia-Pacific OEMs alike.

Ready to find out where you stand?

A free audit. No commitment. Just clarity.

The CRA Readiness Audit takes a single discovery call plus a structured review of your in-scope products. You’ll leave with:

  • A clear classification of each product against the CRA’s risk categories
  • A gap analysis against the essential cybersecurity requirements
  • A prioritized roadmap to December 2027
  • An honest view of whether remediation or redevelopment is right for each product
  • An indicative timeline and investment range