
Is your product CRA-ready?

Answer 20 questions across 5 Cyber Resilience Act compliance areas. Get an instant AI-powered gap analysis with your top priorities — delivered to your inbox.

20 questions
~5 minutes
AI gap analysis
Free report by email

Based on: Regulation (EU) 2024/2847 — CRA

Paid Assessment

CRA Product Compliance Checker

Get a full AI-powered gap analysis across 5 Cyber Resilience Act areas — with CE marking guidance, vulnerability handling obligations, and priority actions for your product team.


Step 1 of 6 — Product Profile

Tell us about your product

The CRA applies to all products with digital elements placed on the EU market — hardware and software. Your obligations depend on product category and your role in the supply chain.

Step 2 of 6 — Product Classification

Product classification & scope

The CRA distinguishes between default products, important products (Class I and II), and critical products. Your classification determines whether self-assessment suffices or a third-party audit is required.

Have you determined whether your product falls into the CRA's "important" (Class I or II) or "critical" product categories?
CRA Annex III–IV: Important products include browsers, password managers, VPNs, routers, firewalls, and microprocessors. Critical includes smartcards, HSMs, and certified products.
Do you have a process to identify whether your product contains components already covered by other EU legislation (MDR, RED, Machinery Regulation)?
CRA Art. 2(2): Products already regulated under other sectoral EU law may be partially or fully exempt from CRA obligations.
Have you assessed which conformity assessment route applies to your product — self-assessment, EU-type examination, or full quality assurance?
CRA Art. 32: Default products can self-assess. Class I important products may need a notified body. Class II and critical products require third-party conformity assessment.
Step 3 of 6 — Security by Design

Security requirements

CRA Annex I sets out essential cybersecurity requirements. Products must be designed, developed, and produced with security built in from the start — not bolted on after.

Is your product designed with a minimal attack surface — disabling unused functions and interfaces by default?
CRA Annex I, Part I(1): Products must be delivered with a secure default configuration, including disabling unnecessary features and services.
Does your product protect data at rest and in transit using appropriate encryption, and prevent unauthorised access through authentication mechanisms?
CRA Annex I, Part I(3–4): Products must protect the confidentiality and integrity of data. Weak or default passwords must not be permitted.
Does your product collect only the minimum data necessary for its intended function, and can data be securely deleted by the user?
CRA Annex I, Part I(7–8): Data minimisation and user control over personal and other data are mandatory security requirements.
Have you conducted a security risk assessment covering your product's intended use, foreseeable misuse, and the threats most likely to affect it?
CRA Art. 13(2): Manufacturers must undertake a cybersecurity risk assessment before placing the product on the market and keep it updated throughout the product lifecycle.
Step 4 of 6 — Vulnerability Handling

Vulnerability management & incident reporting

CRA Annex I Part II requires manufacturers to handle vulnerabilities throughout the product lifecycle and report actively exploited vulnerabilities to ENISA within 24 hours.

Do you have a published vulnerability disclosure policy (VDP) and a dedicated channel for security researchers to report vulnerabilities?
CRA Annex I, Part II(1): Manufacturers must identify and document vulnerabilities in their products and provide a contact point for vulnerability reporting.
Are you able to notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability in your product?
CRA Art. 14: Early warning to ENISA within 24 hours, notification within 72 hours, final report within 14 days. Non-EU manufacturers must appoint an EU representative.
Do you provide free security updates for at least 5 years (or the product's expected lifetime if shorter) after the product is placed on the market?
CRA Art. 13(8): Security updates must be provided promptly, separately from functionality updates, and clearly communicated to users. The default support period is 5 years.
Do you maintain a Software Bill of Materials (SBOM) listing all third-party components and dependencies in your product?
CRA Annex I, Part II(1): Manufacturers must identify and document third-party components. An SBOM is the standard mechanism for meeting this requirement.
Step 5 of 6 — Documentation & Conformity

Technical documentation & CE marking

Placing a product with digital elements on the EU market requires a technical file, an EU Declaration of Conformity, and CE marking. These must be ready before the product ships.

Have you begun preparing the technical documentation required under the CRA, including the cybersecurity risk assessment, design decisions, and test results?
CRA Art. 31 + Annex V: The technical file must include the product description, risk assessment, design specifications, test protocols, and the EU Declaration of Conformity.
Do your product instructions clearly communicate security features, the support period, how to install updates, and how to report vulnerabilities?
CRA Art. 13(18) + Annex II: User-facing documentation must include security capabilities, the end of support date, a contact point for vulnerability reports, and guidance on secure use.
Do you have a process to monitor for known exploited vulnerabilities in your product's components (e.g. via CVE databases or ENISA advisories)?
CRA Annex I, Part II(2): Manufacturers must monitor for vulnerabilities in their products and components on an ongoing basis throughout the support period.
If your company is based outside the EU, have you appointed an EU-authorised representative responsible for CRA compliance obligations?
CRA Art. 17: Non-EU manufacturers must designate an EU-based authorised representative before placing their product on the EU market. This representative is legally responsible for compliance.
Step 6 of 6 — Your Report

Where should we send your results?

AI-generated — not legal advice. This assessment is generated using AI (Claude by Anthropic) and is indicative only. It does not constitute a formal compliance determination. For regulatory compliance, consult a qualified legal or compliance professional. See our Privacy Policy for details on data handling.

Informational use only. This tool is provided for awareness purposes to help businesses understand their current situation regarding EU regulations. It does not constitute legal, regulatory, or professional advice. Results are indicative only and should not be relied upon as a substitute for qualified legal counsel. Verdaio accepts no liability for decisions made based on this tool’s output. Your inputs are processed ephemerally and are not stored or used for model training.