CRA Compliance Checklist

Track your progress across CRA obligations

Use this checklist to track your organization's progress toward CRA compliance. Print it out or use it as a reference while working through the requirements.

Note: This checklist is a starting point based on CRA requirements, not legal advice. Consult with legal and compliance professionals for your specific situation. Requirements may vary based on your product category and applicable conformity assessment procedures.

1. Scoping & Classification

Determine if and how the CRA applies to your product

  • Determined if product is in scope (Use Scope Assessment)
  • Identified product category (Default / Important Class I / Important Class II / Critical)
  • Identified applicable conformity assessment procedure (Art. 24-27)

2. Security Requirements (Annex I, Part I)

Essential cybersecurity requirements for products with digital elements

  • Secure-by-default configuration implemented
  • No known exploitable vulnerabilities at time of release
  • Authentication and access control implemented where applicable
  • Data protection measures implemented (encryption at rest and in transit)
  • Attack surface minimized
  • Secure update mechanism available
  • Security-relevant events are logged

3. Vulnerability Handling (Annex I, Part II)

Processes for identifying, managing, and disclosing vulnerabilities

  • SBOM (Software Bill of Materials) created and maintained
  • Vulnerability monitoring process in place
  • Coordinated vulnerability disclosure (CVD) policy published
  • Contact address for vulnerability reports publicly available
  • Process for timely security updates defined
  • Security advisory format/template defined

4. Documentation (Annex II)

Technical documentation required for conformity assessment

  • Technical documentation prepared
  • Risk assessment documented
  • Design and development documentation complete
  • User instructions provided for secure installation, operation, and maintenance
  • Support period clearly communicated to users

5. Conformity Assessment (Art. 24-27)

Demonstrating compliance with CRA requirements

  • Selected appropriate conformity assessment procedure for product category
  • Internal controls or third-party assessment arranged (as required)
  • EU Declaration of Conformity drafted
  • CE marking prepared

6. Reporting & Notification (Art. 14)

Mandatory reporting of vulnerabilities and incidents to authorities

  • ENISA/national CSIRT communication channel established
  • 24-hour early warning process defined (for actively exploited vulnerabilities)
  • 72-hour vulnerability notification process defined
  • 14-day final report process defined

7. Ongoing Obligations (Art. 13)

Continuing requirements throughout the product lifecycle

  • Support period defined (Use Support Period Calculator)
  • Post-market monitoring process established
  • 10-year record keeping system in place
  • Security update mechanism operational and tested