Getting Started with CRA Compliance
Use these five tools to understand your CRA obligations, estimate costs, assign responsibilities, and track progress.
Check if CRA Applies
The Cyber Resilience Act is only about a specific subset of products. It's often confusing to determine if your product is in scope. Answer a few questions about your product and we'll help you assess whether it's in scope, and if so, which category it falls into (Default, Important Class I/II, or Critical).
Determine Your Support Period
One of the main cost drivers for CRA is the after launch actions you have to do in order to provide security updates. This period is called the "support period" and should cover the expected product lifetime or 5 years, whichever is shorter. Note: the clock starts when the last unit is placed on the EU market.
Estimate Compliance Costs during the Support Period
As mentioned in step 2: the support period is a driver of compliance cost. To help estimate this cost, we've developed a calculator which gives insight in the cost breakdown based on your product's characteristics.
Assign Responsibilities
As with each new process, it is often difficult who should own which task. In the case of CRA, compliance spans engineering, security, legal, product, and operations teams. Use the RACI matrix to get started on who is Responsible, Accountable, Consulted, and Informed for each obligation.
Run Your CRA Project
Use the compliance checklist to track your organization's progress across all CRA obligations. It covers everything from vulnerability handling and SBOM maintenance to conformity assessment and documentation requirements.