Where regulation stops being paperwork.
Setu Innovation joins what most firms split — the advisory that interprets EU cyber regulation and the engineering that satisfies it — in one accountable team, so regulated industries keep innovating instead of stalling at the audit.
Three disciplines, one continuous engagement.
Most firms write the requirements; engineering vendors build the systems; the client is left bridging the gap. Setu keeps interpretation, engineering, and audit assurance under one roof — so nothing is lost in translation between the regulation and the systems that satisfy it.
Regulatory Compliance
Scope analysis, classification, gap assessment, and roadmap. We translate legal text into operational requirements your engineering teams can execute against.
Cybersecurity Engineering
Hands-on implementation: the management systems (CSMS / SUMS), threat models (TARA), software inventories (SBOM), secure-update infrastructure, and vulnerability management — built by our in-house engineers, not subcontracted.
Audit & Assurance
Conformity assessment preparation, type-approval support, pre-audit readiness reviews. We stay on the engagement until the certificate is in your hands.
Regulatory Compliance
The European regulatory landscape for cybersecurity has consolidated into a small set of interlocking frameworks. Setu Innovation's regulatory practice covers the full stack — from product-level obligations under the CRA to organisational duties under NIS 2 and DORA.
We translate regulatory text into concrete deliverables: scope decisions, classification memos, conformity routes, and timelines that engineering teams can act on without further legal interpretation.
Cyber Resilience Act (CRA)
Scope and classification (default · Important class I / II · Critical), Annex I conformity, SBOM, vulnerability handling, support periods, CE marking strategy.
Full CRA guide →
NIS 2
Sector identification, essential vs. important entity, risk-management measures (Art. 21), incident reporting (Art. 23), supply-chain due diligence, governance accountability.
Full NIS 2 guide →
DORA
ICT risk-management framework, incident classification, threat-led penetration testing (TLPT), and the Register of Information (RoI) for the supervisory authority.
Full DORA guide →
UN R155 / R156
CSMS and SUMS implementation for vehicle type approval, Component out of Context (CooC) declarations for Tier-N suppliers, evidence packaging for the technical service.
R155 guide →
R156 guide →
ISO/SAE 21434
Product cybersecurity engineering for road vehicles: TARA, cybersecurity goals, work products across concept, development, production, operations and decommissioning.
Full 21434 guide →
IEC 62443
Industrial automation and control systems security: zones and conduits, security levels, secure development lifecycle (62443-4-1), product requirements (62443-4-2).
Full 62443 guide →
Cybersecurity Engineering
Compliance is only as strong as the technical systems behind it. Setu Innovation designs and implements the engineering artefacts auditors actually inspect: management systems, threat models, software inventories, update pipelines, and incident-response runbooks.
All engineering work is delivered by our in-house engineers. We do not subcontract the work that makes your evidence stand up under scrutiny.
CSMS & SUMS Build
Process design, document set, RACI, tooling integration, and operational handover for cybersecurity and software-update management systems certified under R155 / R156.
TARA
Threat Analysis and Risk Assessment per ISO/SAE 21434 — asset identification, damage scenarios, attack feasibility, risk treatment, traceable to cybersecurity goals.
SBOM & VEX
SBOM generation pipelines (CycloneDX, SPDX), VEX exploitability assertions, automated build-time integration, third-party component governance.
Secure Software Update
End-to-end OTA architecture: signing, integrity, rollback protection, fleet management, fail-safe rollout. Designed to satisfy R156 and the CRA secure-update requirements (Annex I).
Penetration Testing
Black-, grey-, and white-box testing on connected products, ECUs, gateways, and cloud back-ends. Reports formatted for regulatory submission, not generic vulnerability dumps.
Vulnerability Management
Vulnerability disclosure programme (VDP) design, triage workflow, CVE monitoring, coordinated disclosure, and incident-reporting integration with ENISA and national CSIRTs.
Audit & Assurance
The final mile of any compliance programme is the audit itself. Setu Innovation prepares clients to walk into conformity assessments, type-approval reviews, and supervisory inspections with documentation that holds up.
We work alongside your team during the audit, address findings live, and stay engaged through certification — not just up to the door.
Gap Analysis
Independent baseline against the applicable regulation. Outputs: prioritised findings register, remediation roadmap, effort estimate, audit-readiness score.
Conformity Assessment Preparation
Technical documentation file (CRA Annex VII), declaration of conformity, conformity route selection, notified body interaction.
Type-Approval Support
R155 / R156 evidence packs for the technical service: CSMS / SUMS audit preparation, vehicle-type CSMS validation, full traceability matrices.
Pre-Audit Reviews
Mock audits run by senior practitioners. Realistic interview rehearsals, evidence walk-throughs, finding simulation, and a pass / fail verdict before the real one.
Where regulatory pressure is concentrated.
Setu Innovation focuses on sectors where cybersecurity regulation is mandatory, technically demanding, and rapidly evolving. We do not generalise.
Automotive & Mobility
OEMs, Tier-1 and Tier-N suppliers facing R155 / R156 type approval, ISO/SAE 21434 compliance, and CRA scope decisions for connected aftermarket products.
Semiconductors & Components
Component suppliers shipping products with digital elements into EU integrators. CRA classification, Component out of Context (CooC) declarations, security claim documentation.
Industrial / IoT / OT
Industrial automation, IIoT vendors, and operators of essential services under NIS 2. IEC 62443 secure development lifecycle and operational technology cybersecurity.
Financial Services
Banks, insurers, investment firms, and ICT third-party providers in scope of DORA. Risk-management framework, register of information, threat-led penetration testing.
Specialist depth, delivered hands-on.
Setu Innovation is a Vienna-based specialist firm focused exclusively on regulatory cybersecurity for connected products and regulated entities. Our founders bring hands-on experience delivering CSMS programmes for vehicle OEMs under UNECE R155, preparing component suppliers for CRA conformity, and building ISO/SAE 21434-compliant engineering frameworks in production environments.
We do not run a generalist cyber practice with regulatory as a side offering. The regulations and the engineering behind them are the practice.
A specialist firm, by design.
Setu Innovation was founded in Vienna to close a structural gap in the European market: the shortage of firms that both interpret cyber regulation and build the engineering behind it. Most companies are still left bridging that gap themselves.
We work exclusively in regulated, connected-product industries, across the frameworks that govern them — and we keep advisory and engineering in one accountable team, so nothing is lost in the handoff between the rule and the system that satisfies it.
Vienna, Austria
European Union
Automotive · Semiconductors · IoT · Financial services
Have a question? Ask it.
Tell us what you're working on — a regulation you're scoping, a deadline that's looming, or just where to start. We'll reply within one business day; if it's easier to talk, ask for a call and we'll set one up.