Practical tools for product security compliance
The Cyber Resilience Act is coming. We're building free tools and resources to help you understand what it means for your products—and what it will actually cost.
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is EU legislation that sets cybersecurity requirements for products with digital elements. If you make, import, or distribute software or connected devices in the EU market, this will affect you.
Who's affected?
- Manufacturers of software and IoT devices
- Importers and distributors in the EU
- Open source projects with commercial involvement
Key requirements
- Vulnerability handling and disclosure processes
- Software Bill of Materials (SBOM)
- Security updates for the product lifetime
Timeline: The CRA entered into force in late 2024. Most requirements apply from December 2027. That sounds far away, but building the necessary processes takes time.
Tools
Free calculators and utilities to help you plan
Scope Assessment
Find out if your product falls under the CRA and which category applies. Understand your compliance obligations.
Check your product →
Support Period Calculator
Calculate how long you must provide security updates. Visualize your timeline from sales start to support end.
Calculate timeline →
Cost Calculator
Estimate the real cost of managing vulnerabilities—SBOM alerts, CVD reports, and periodic reviews.
Estimate costs →
RACI Matrix
Clarify who is Responsible, Accountable, Consulted, and Informed for each CRA obligation in your organization.
View matrix →
Compliance Checklist
Track your progress across all CRA obligations with a printable checklist covering all requirement areas.
View checklist →
Not sure where to start?
Follow our 4-step guide to understand your CRA obligations, estimate costs, and assign responsibilities across your organization.
View the Getting Started Guide
Resources
Official documentation and further reading