IEC 62443-4-1 · EU CRA Reg. 2024/2847 · Applies in full from 11 Dec 2027 (Art. 14 reporting from 11 Sep 2026)

Enterprise compliance. Inside your Microsoft 365.

Manufacturers and importers placing connected products on the EU market (industrial equipment, medical devices, energy systems, connected software) will be legally required to demonstrate cybersecurity by design, structured vulnerability handling, and documented conformity before a product reaches a customer: the reporting obligations apply from 11 September 2026, the remaining obligations from 11 December 2027.

ProdComply deploys a structured compliance programme directly inside your Microsoft 365 — giving every function a single governed view of every product, every obligation, every owner, and every deadline. Built around IEC 62443-4-1. Aligned to EU CRA, NIS2, and the Data Act.

608 days to 11 Dec 2027 · full application of the CRA: CE marking · technical documentation (Annex VII) · EU Declaration of Conformity · CVD policy · SBOM · issued security updates kept available for 10 years (or the support period, whichever is longer)
11 Sep 2026 · Art. 14 reporting obligations: actively exploited vulnerabilities and severe incidents reported through the single reporting platform (Art. 16), early warning within 24 h and notification within 72 h
€15M · maximum fine · or 2.5% of global annual turnover, whichever is higher (Art. 64)
8 · IEC 62443-4-1 security practices tracked
€0 · annual licence · runs on the M365 you already pay for
⚠️
Fines up to €15,000,000 or 2.5% of global annual turnover — CRA Art. 64
The regulatory stack your products are subject to.
IEC 62443-4-1 establishes the secure development lifecycle framework that a Notified Body will look for as process evidence and that regulated customers increasingly require by contract. EU CRA and NIS2 turn that framework into legal obligation. Most organisations manage the intersection of all three across disconnected spreadsheets, shared drives, and email threads. That structural gap is what ProdComply closes.
IEC 62443-4-1 · 2018 · INTERNATIONAL STANDARD

Secure Product Development Lifecycle

The international foundation for secure development of connected products. Defines 8 security practices and 4 maturity levels (ML1–ML4) for the secure development lifecycle of IACS products. Increasingly required by contract from suppliers by NIS2-regulated operators, and the process evidence a Notified Body will expect when assessing a CRA Class II product (or a Class I product assessed without harmonised standards).

SP1 Security Management · SP2 Security Requirements · SP3 Secure by Design · SP4 Secure Implementation · SP5 Verification & Validation · SP6 Issue Management · SP7 Update Management · SP8 Security Guidelines (user-facing security documentation)
ML1 → ML2 → ML3 → ML4
SDLA certification: TÜV SÜD · UL Solutions · Bureau Veritas
REGULATION (EU) 2024/2847 · IN FORCE DEC 2024

EU Cyber Resilience Act ⚡

Mandatory cybersecurity requirements for all products with digital elements placed on the EU market. The regulation text does not name IEC 62443-4-1; conformity is presumed where harmonised standards are applied, those standards are still being developed under the Commission's standardisation request, and IEC 62443-4-1 is the established secure development lifecycle process that the product lifecycle requirements build on. Third-party (Notified Body) assessment is mandatory for Class II products; Class I products may be self-assessed only where harmonised standards or common specifications are fully applied, otherwise a Notified Body is required (Art. 32). In either case the assessor works from your secure development lifecycle documentation.

SBOM (Annex I Part II) · Dec 2027 | Art.14 reporting via the single reporting platform · Sep 2026 | CE marking · Dec 2027 | Fines up to €15M
DIRECTIVE (EU) 2022/2555 · SUPPLY CHAIN ART. 21(2)(d)

NIS2 — Supply Chain Flow-Down

NIS2-regulated operators (energy grids, hospitals, transport) must address supply-chain security and, in doing so, take into account the cybersecurity practices of their suppliers and the quality of their products (Art. 21(2)(d) and 21(3)). Many are already passing that duty down by contract and asking product suppliers for IEC 62443-4-1 ML2 documentation. Your customers are asking for this now.

ML2 supplier requirement · Supply chain audit readiness · Fines up to €10M or 2% of turnover (essential entities, Art. 34)
REGULATION (EU) 2023/2854 · APPLICABLE SEP 2025

EU Data Act — Connected Products

Manufacturers of connected products must design data access into the product from the start: the user must be able to access the data the product generates easily, securely, free of charge and, where technically feasible, directly and in real time (Art. 3 and 4). Tracked per product at the design gate.

Data access by design · access rights apply from 12 Sep 2025; the access-by-design obligation (Art. 3(1)) applies to connected products placed on the market after 12 Sep 2026
How they connect, and why you need to track both simultaneously
IEC 62443-4-1: how you build securely (the process standard)
CRA Technical Documentation: the Annex VII package assembled for conformity assessment
Notified Body: assessment for Class II (and for Class I where harmonised standards are not applied); the assessor audits your 62443-4-1 evidence
CE Marking + EU DoC: market access, legally compliant on the EU market
Structured compliance governance. Across your entire product portfolio.
🗺️
Portfolio Governance
Gate-level obligation tracking across every product in your portfolio — from concept through end of life. At every development milestone: obligations defined, ownership assigned, completion status tracked, escalations surfaced automatically. Leadership gains real-time portfolio visibility without dependency on manual status reporting.
👥
Cross-Functional Accountability
Obligation ownership assigned per function — product management, security engineering, legal, quality, and regulatory affairs — resolved live from your Microsoft organisational directory. Every stakeholder operates within a single governed framework. Accountability is structural and traceable, not dependent on individual discipline or manual coordination.
📁
Governed Artifact Management
Every artifact — risk assessments, SBOMs, declarations, certificates, technical files — linked to the precise product, obligation, and development gate within your SharePoint Document Library. Regulatory authority inspections, customer audits, and internal reviews are addressed from a single governed source. Audit readiness is an operational state, not a periodic exercise.
ProdComply · Portfolio Dashboard · Medical Device Portfolio · SharePoint · Live
Products: 14 (8 manufacturer · 6 distributor)
Sep 2026 (Art. 14 reporting): 3/14 ready · 11 not ready
Overall: 12% Dec 2027 readiness
Overdue: 8 · escalation triggered
NB required: 4 · Class II · Notified Body
Product Development Gate Pipeline · Microsoft Graph · owners live
Gate 1 · Concept: Wearable ECG Patch (Mfr) 5%
Gate 2 · Development: Patient Monitor Pro X (Mfr · Class II) 22% · NB required; Smart Infusion Pump v4 (Mfr) 14%
Gate 3 · Release: Surgical Robot Module (Mfr · Class II) 38% · NB not started; Lab Analyser Unit (Dist) 24%
Gate 4 · Operations: Vital Signs Monitor v2 (Dist) 45% · SRP missing; Cardiac Rhythm Device (Dist) 22%
Gate 5 · End of Life: Glucose Sensor Gen.2 100% ✓
Product compliance journey — every gate, every obligation, every owner, every attachment.
Obligations mapped to IEC 62443-4-1 & EU CRA · Attach files or named links · Assign owners from Microsoft Graph · All artifacts stored in your SharePoint
Product Journey · Industrial Gateway Controller X200 · Manufacturer · CRA Class II · SharePoint Live
Industrial Gateway Controller X200
Manufacturer · CRA Class II · Notified Body required · IEC 62443-4-1 ML2 · NIS2 supply chain
31% overall · 3 overdue · 2 complete
Gate 1 — Concept & Risk Foundation
IEC 62443-4-1 SP1–SP3 · Art.13(2)-(3)
2 / 4 complete · ▼
✓ COMPLETE · Risk & Threat Analysis
Art.13(2)-(3) · Annex VII · IEC 62443-3-2
Identify assets, attack surface, threat actors, and risk levels. Determines which Annex I Part I controls apply.
Attachments: X200_Threat_Risk_Analysis_v2.pdf (PDF · 2.4 MB · SharePoint) · X200_Attack_Surface_Map.xlsx (Excel · 890 KB · SharePoint)
Owners: Anna König · Lars Müller
◑ IN PROGRESS · Security Requirements Specification
IEC 62443-4-1 SP2 · Annex I Part I(2)
Document security requirements derived from the risk assessment. Map each requirement to the Annex I Part I(2)(a)-(m) controls.
Attachments: X200_SecReqs_Draft_v1.docx (Word · 1.1 MB · SharePoint) · Jira Security Epics Board (link: jira.company.com/X200-SEC)
Owner: Anna König · Due 15 May
○ NOT STARTED · Secure Architecture & Design Review
IEC 62443-4-1 SP3 · Art.13(1)
Document security-relevant design decisions. Include network segmentation, trust zones, authentication mechanisms, and cryptographic controls.
Attach: architecture diagram + security design review document. Maps to IEC 62443-4-1 SD-1 to SD-4 (secure by design; SD-3 is the design review itself); the authentication controls trace to IEC 62443-3-3 SR 1.1–1.3.
No owner assigned · No attachments
✓ COMPLETE · Product Lifecycle Statement
Art.13(8) · Annex II · Support period declaration
Declare the support period and its end date. The end date must be specified at the time of purchase and in the Annex II user information. The support period must be at least five years unless the product is expected to be in use for a shorter time (Art. 13(8)).
Attachment: X200_Lifecycle_Statement_Signed.pdf (PDF · 340 KB · SharePoint)
Owner: Thomas Finke
Gate 2 — Secure Development & Implementation
IEC 62443-4-1 SP4 · Annex I Part I(2)
0 / 5 complete · ▶
Gate 3 — Verification, Testing & Conformity
IEC 62443-4-1 SP5 · Art.32 · Annex VIII
0 / 4 complete · ▶
Gate 4 — Market Placement & Technical Documentation
IEC 62443-4-1 SP8 · Art.13 · Art.28-31 · Annex II · Annex VII · EU DoC
0 / 4 complete · ▶
Gate 5 — Post-Market Vulnerability Handling & Updates
IEC 62443-4-1 SP6–SP7 · Annex I Part II · Art.14 · CVD · SRP
0 / 4 complete · ▶
Every artifact stays in your SharePoint Document Library. Risk assessments, SBOMs, CVD policies, conformity records, declarations of conformity: uploaded directly, organised per product and per gate. Your data never leaves your tenant. Your IT already governs SharePoint, so the deployment is reviewed under the tenant's existing app-catalog and permission controls rather than as a new external service, and no separate DPA is needed.
One platform engine. Configurable to any regulated process.
The governance architecture that structures your EU CRA programme is configurable to any process your organisation operates that requires structured obligation management, multi-stakeholder accountability, and executive reporting.
🗂️ Eliminate unstructured tracking
A SharePoint-native governance framework replacing fragmented spreadsheets, shared drives, and unstructured communication. Process stages, obligations, ownership, and milestone tracking: structured, versioned, and accessible across every relevant function simultaneously.
🔗 Establish cross-functional alignment
Every function (product management, security engineering, legal, quality assurance, and executive leadership) operates from a single governed source of truth. Role-appropriate access. Ownership resolved live from your organisational directory. Accountability is embedded in the platform architecture.
🔒 Maintain continuous audit readiness
Every artifact linked to the precise process item, gate, and obligation, permanently and traceably. Regulatory authority inspections, customer qualification audits, and internal governance reviews are addressed from a consolidated, governed source without manual retrieval effort.
Example processes we configure
🛡️ IEC 62443-4-1 SDL Maturity: 8 security practices · ML1–ML4 per product team · SDLA certification dossier auto-assembled for TÜV SÜD or UL Solutions
ISO 9001 / QMS: Non-conformance register · CAPA lifecycle · Internal audit findings · Management review records, all structured and tracked
🏭 Supplier Qualification: Per-supplier assessment · Automatic re-evaluation every 2 years · Risk scoring · NIS2 Art.21(2)(d) supply chain audit export
🏗️ Capital Project Gate Reviews: Stage-gate approvals · Multi-stakeholder sign-off · Budget and milestone tracking · Portfolio view across all active projects
🏥 MDR / IVDR Technical File: Per-device lifecycle tracking · Clinical evaluation · Post-market surveillance · Technical file completeness per gate
🔄 IT Change Management: RFC workflow · Approval chains · Impact assessment · Rollback planning · Artifacts per change · Automatic audit trail
Any process requiring structured obligation management, cross-functional accountability, and executive reporting can be governed within the same platform. Configured to your specific process architecture. Deployed within infrastructure your organisation already operates. Full ownership of the application and all data retained from day one.
Zero incremental infrastructure. Your Microsoft 365 is already the platform.
ProdComply is deployed as a native SharePoint application inside your existing Microsoft 365 tenant. Every component — workflow automation, directory integration, access control, file storage, audit logging — runs on infrastructure your IT organisation already governs, your legal team already has agreements for, and your users already operate daily.
💸 Why pay a SaaS vendor €30,000–150,000/year for infrastructure you already own?
TYPICAL SAAS COMPLIANCE TOOL
· €30,000–150,000 annual licence, every year, for as long as you use it
· Your TARAs, SBOMs and NB certificates sit on the vendor's servers
· 6-month IT security review of a new external service before you can start
· New DPA negotiation with legal review
· Separate login · separate training · separate support
· Price increases at every renewal, with lock-in
· 5 years = €200,000+ and you own nothing
PRODCOMPLY ON YOUR MICROSOFT 365
· One-time deployment fee, zero annual licence
· Every file stays in your SharePoint; we hold nothing
· IT already governs SharePoint; the deployment is reviewed under your existing tenant controls, not as a new external service
· You already have a DPA with Microsoft; nothing new
· Same M365 login your team uses for everything else
· Microsoft sets the M365 price, not us
· 5 years = deployment fee only; you own everything
🏗️ Every component ProdComply uses is already included in your Microsoft 365.
SharePoint Online (already included): data storage, lists, document library, file versioning, page hosting; the entire app runs here.
Power Automate (already included): automated reminders, overdue escalation, approval workflows, deadline countdowns, fully configurable.
Microsoft Graph (already included): live owner search against your company directory; real names, roles and departments, always current.
Entra ID + MFA (already included): SSO, multi-factor authentication, conditional access, role-based permissions, all inherited from the tenant.
The bottom line: Your organisation already pays Microsoft for every piece of infrastructure ProdComply runs on. We configure it and turn it into an enterprise process platform. You pay once for the expertise — not annually for infrastructure you already own.
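The owner lookup described above (a live search against the directory through Microsoft Graph) as an added Python example; this is not ProdComply's code. It assumes the caller already holds a Graph bearer token with at least User.ReadBasic.All; the tenant domain company.example, the users and the JSON reply are constructed for illustration. Beyond the request itself (Graph only honours $search on /users together with the ConsistencyLevel: eventual header and $count=true), it shows the two checks a practitioner wants before a directory hit becomes an obligation owner: the account must be enabled and a tenant member rather than a guest, and what gets stored is the immutable object id and UPN, not the display name.

```python
"""Owner resolution against Microsoft Graph for obligation assignment.

Added illustration; not ProdComply's code. Assumptions: the caller already
holds a Graph bearer token with at least User.ReadBasic.All; the tenant
domain company.example, the users and SAMPLE_REPLY are constructed.
"""
import json
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = ("id,displayName,mail,userPrincipalName,department,jobTitle,"
          "accountEnabled,userType")


def build_owner_search(term: str, token: str, top: int = 10) -> Request:
    """Build the GET /users request for a display-name search.

    $search on directory objects is only honoured together with the
    ConsistencyLevel: eventual header and $count=true.
    """
    # The term lands inside a quoted search clause; refuse characters that
    # would let a caller close the quote and widen the query.
    if not term.strip() or any(c in term for c in '"\\'):
        raise ValueError("search term must be non-empty, without quotes or backslashes")
    params = urlencode(
        {
            "$search": f'"displayName:{term}"',
            "$select": SELECT,
            "$count": "true",
            "$top": str(top),
        },
        quote_via=quote,  # percent-encode ':' and '"' inside the clause
    )
    return Request(
        f"{GRAPH}/users?{params}",
        headers={
            "Authorization": f"Bearer {token}",
            "ConsistencyLevel": "eventual",
            "Accept": "application/json",
        },
    )


def eligible_owners(graph_reply: dict) -> list:
    """Keep only directory hits that may hold an obligation.

    Disabled accounts and guests are dropped: a reminder or escalation sent
    to a leaver's mailbox or to an external guest is an obligation nobody
    owns. Only the fields needed downstream are retained.
    """
    owners = []
    for user in graph_reply.get("value", []):
        if not user.get("accountEnabled"):
            continue
        if user.get("userType") != "Member":
            continue
        if not user.get("mail"):
            continue
        owners.append({
            # Store the immutable object id and the UPN; display names are
            # neither unique nor stable, so they are shown but never keyed on.
            "id": user["id"],
            "upn": user["userPrincipalName"],
            "displayName": user["displayName"],
            "department": user.get("department"),
            "jobTitle": user.get("jobTitle"),
        })
    return owners


def search_owners(term: str, token: str) -> list:
    """Live lookup: send the request and filter the reply (needs network)."""
    with urlopen(build_owner_search(term, token), timeout=10) as resp:
        return eligible_owners(json.load(resp))


# Constructed stand-in for a Graph reply to a search for "König".
SAMPLE_REPLY = {
    "@odata.count": 3,
    "value": [
        {"id": "00000000-0000-0000-0000-000000000001",
         "displayName": "Anna König", "mail": "anna.koenig@company.example",
         "userPrincipalName": "anna.koenig@company.example",
         "department": "Security Engineering", "jobTitle": "Product Security Lead",
         "accountEnabled": True, "userType": "Member"},
        {"id": "00000000-0000-0000-0000-000000000002",
         "displayName": "Anna König", "mail": "a.koenig.old@company.example",
         "userPrincipalName": "a.koenig.old@company.example",
         "department": "Quality", "jobTitle": "Auditor",
         "accountEnabled": False, "userType": "Member"},   # leaver, disabled
        {"id": "00000000-0000-0000-0000-000000000003",
         "displayName": "Anna König", "mail": "anna.koenig@partner.example",
         "userPrincipalName": "anna.koenig_partner.example#EXT#@company.example",
         "department": None, "jobTitle": None,
         "accountEnabled": True, "userType": "Guest"},     # external guest
    ],
}

if __name__ == "__main__":
    print(build_owner_search("König", "TOKEN").full_url)
    for owner in eligible_owners(SAMPLE_REPLY):
        print(owner["displayName"], owner["upn"], owner["department"])
```

On the constructed reply only the first account survives the filter: the same display name resolves to a leaver and to a guest as well, which is exactly why the stored owner record carries the object id and UPN. A SharePoint person field behaves the same way internally, so the check belongs in the flow that assigns owners, before any Power Automate reminder is wired to the record.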
Operational in 8 weeks. Owned permanently.
A structured 8-week engagement — from regulatory applicability assessment and process architecture through to a fully operational compliance platform running inside your Microsoft 365 tenant. Full capability transfer at handover. No ongoing consultant dependency.
01 · WEEKS 1-2 · Process & Regulatory Assessment
We map your process and determine regulatory applicability: CRA risk class per product, Data Act scope, NIS2 supply chain exposure, IEC 62443-4-1 maturity baseline. Written gap analysis and remediation roadmap.
02 · WEEKS 3-5 · Platform Deployment
ProdComply deployed in your SharePoint tenant. Process configured to your exact workflow. Microsoft Graph owner integration live. Power Automate reminders activated. Management dashboard operational.
03 · WEEKS 6-7 · Obligation Activation
Priority obligations activated first: Art. 14 reporting readiness for September 2026, EU CRA December 2027 readiness, and IEC 62443-4-1 ML2 gaps. Existing artifacts migrated and structured within the platform. Supplier assessment frameworks configured to your qualification criteria.
04 · WEEK 8 · Training & Handover
Team training tailored to each role. Management dashboard walkthrough. Power Automate configuration handed to your team. Full documentation. Zero consultant dependency after handover.

Deployed on your infrastructure. Owned by you permanently.
No annual licence. No subscription. No data hosted externally. Your platform. Your tenant. Your control.
Start the Conversation →
IEC 62443-4-1 SDL · EU CRA Reg. 2024/2847 · NIS2 Supply Chain · EU Data Act · ISO 9001 QMS · Supplier Qualification · MDR Technical File · Capital Project Gates · IT Change Management · GDPR Data Register · Internal Audit Management
Dec 2027 is 608 days away.
Request a 30-minute assessment. We will map your product portfolio against EU CRA and IEC 62443-4-1 obligations and demonstrate the platform running inside your own Microsoft 365 tenant — your products, your development gates, your teams. No generic demonstration. A working instance in your environment.
raed.kakish@prodcomply.com
IEC 62443-4-1 · EU CRA · NIS2 · EU Data Act · ISO 9001 · Any structured process