Cybersecurity, CRA and NIS2 compliance
Fixed price. Fixed duration. A report signed by the engineer who did the work, not a template generated by a tool.
Most companies discover they have a security problem on the day it is already too late. Not because they do not care, but because security is invisible until it is not. COXSWAIN looks before that day.
And from 2026, this stops being a matter of prudence. There are deadlines in law, with fines behind them.
Cyber Resilience Act: 11 September 2026
If you place a product with digital elements on the EU market, this applies to you. A mobile app, downloadable software, firmware, a connected device. Regulation (EU) 2024/2847 was not postponed, although the industry asked for it.
From 11 September 2026, every actively exploited vulnerability and every severe incident must be reported: early warning within 24 hours, notification within 72 hours, final report within 14 days. The duty applies retroactively, including to products already on the market, even ones you no longer actively develop. From 11 December 2027 the rest arrives: CE marking, conformity assessment, technical documentation, SBOM, a support period of at least 5 years.
Fines reach 15 million euro or 2.5% of worldwide turnover.
The part few people mention. No harmonised CRA standard has been published in the Official Journal yet, and no notified body has been designated. The presumption of conformity does not exist for any product category. Which means there is no box to tick: conformity has to be argued directly against the essential requirements in Annex I, and documented as such. That is not an automated tool, it is engineering work. That is exactly what we do.
What we deliver for CRA
- Conformity gap analysis against the essential requirements (Annex I), plus product classification
- Coordinated vulnerability disclosure policy and a working vulnerability management process
- The 24h / 72h / 14-day reporting procedure, operational rather than on paper
- Machine-readable SBOM, generated in the pipeline, not once a year
- Technical documentation (Annex VII) and the EU Declaration of Conformity
- Support period and end-of-life policy
Are you a supplier to a NIS2-regulated entity?
Then the obligation reaches you, even if your own company is not directly in NIS2 scope.
Romania's OUG 155/2024 requires essential and important entities to secure their supply chain, including the relationship with direct suppliers (art. 13). Their due diligence explicitly extends to the security of your development processes (art. 11). And Romania goes further than the directive: the entity must hand the national authority the list of its suppliers on request.
The practical consequence: your enterprise customer will ask you for evidence. Security questionnaires, contract clauses, audit rights, exit plans. And under OUG 155/2024, a cyber incident can no longer be pleaded as force majeure by an entity that failed to comply. Non-compliance becomes direct contractual liability. That is why it ends up in contracts.
We prepare the answer: a real security assessment, evidence you can actually show, and processes that survive the questions.
Security assessment and penetration testing
We go through the application, the infrastructure and the configuration: authorisation, secrets management, dependencies, public exposure, backup and restore, logging and monitoring. You get a report with what we found, how serious each item is, and the order in which to fix it. No list of 300 scanner warnings. Only what matters, explained plainly.
On request, we attack the application the way someone trying to get in would. We find the path, document it, and close it. The report shows exactly what we managed to do and how, so nothing is left to interpretation.
Code built with AI
A special case, and an increasingly common one. AI now writes a working application in a few hours, and the gap between "it works" and "it is ready for production" does not show up in a demo. Secrets in code, missing authorisation, stale dependencies, errors swallowed in silence. We see these often and we know where to look. What we usually find →
A clarification others do not make. The services above are commercial technical assessments. They are not an "audit de securitate cibernetică" within the meaning of Romania's OUG 155/2024, and COXSWAIN is not a DNSC-attested auditor. The regulated audit, mandatory for essential and important entities, may only be performed by auditors on the DNSC register. If that is what you need, we will tell you so directly and point you to an attested auditor. If you need to be ready for it, that we can do.
Why us
Over 10 years of software engineering, not of writing reports. We have built the systems others test: backend, infrastructure, DevOps, applications running in production for real clients. Which means that when we find something, we also know how to fix it, not just what it is called.
The standard we sell is applied in public, on this site: strict CSP, HSTS, security.txt, self-hosted fonts, zero trackers, zero cookies. Verifiable in ten seconds: curl -I coxswain.ro. A security supplier who does not secure their own site tells you everything about what you are about to buy.
How we work
- A 20-minute call. What you have, what worries you, what obligations you carry. Free, no commitment.
- A fixed-price, fixed-duration offer. In writing, with the deliverables listed. No "it depends".
- Execution. Without stopping your production.
- Report and handover session. We walk you through every finding and the remediation plan. You keep a document you can show clients, partners or an evaluator.
- Re-check. Once you have fixed it, we confirm it is fixed.