CRA Readiness Suite
Cyber Resilience Act Compliance Tools
Everything manufacturers of products with digital elements need to prepare for CRA enforcement — June 2026 for Class I/II notification obligations, December 2026 for Class I products, December 2027 for Standard products and full Class II.
What is the Cyber Resilience Act?
Regulation EU 2024/2847, published 20 November 2024, imposes mandatory cybersecurity requirements on all manufacturers, importers, and distributors of products with digital elements (hardware or software) placed on the EU market. It covers vulnerability handling, secure-by-design obligations, SBOM requirements (Annex II), and mandatory incident reporting to ENISA.
Scope
Applies to any product with digital elements — from connected devices to standalone software — placed on the EU market, regardless of where the manufacturer is based.
Three Product Classes
Standard products can self-certify. Class I important products (e.g. browsers, password managers, firewalls) have stricter requirements. Class II critical products require a notified body.
Key Obligations
Annex I Part I: security requirements at design/development. Annex I Part II: vulnerability handling. Annex II: technical documentation including SBOM. Art. 14: mandatory ENISA incident reporting within 24h/72h.
CRA Readiness Tools
Free Tools
CRA Checker
Classify your product (Standard / Class I / Class II) and see your exact conformity assessment path and obligations under Art. 32.
SBOM & Dependency Audit Checker
Step-by-step SBOM and dependency audit checklist. Maps to Annex II, Art. 13 technical documentation requirements.
CRA Readiness Flow
6-stage guided workflow: product scope → security requirements → vulnerability handling → SBOM → CVD → documentation & reporting.
Free vs Pro Features
| Feature | Free | Pro |
|---|---|---|
| CRA product classification (CRA Checker) | ||
| SBOM & dependency audit checklist | ||
| CRA Readiness Flow (6 stages) | ||
| Annex I requirements reference | ||
| ENISA incident reporting guidance | ||
| CVD Policy document generator | ||
| ENISA notification SOP template | ||
| Researcher contact page template | ||
About Conformity Assessment Under the CRA
The CRA defines three conformity paths based on your product classification. These tools are designed to support preparation — but some paths require official oversight.
Standard Products — Annex VIII Self-Assessment
Manufacturers of standard products with digital elements can use the internal control procedure under Annex VIII. Our tools help you prepare the required technical documentation (Annex II) and EU Declaration of Conformity. These tools are fully appropriate for this path.
Class I Products — Harmonised Standards or Notified Body
Class I products may self-certify where harmonised European standards cover the relevant security requirements (Art. 32(2)). Where no applicable standard exists, or the manufacturer chooses not to apply one, a notified body assessment (Annex IX) may be required. These tools help prepare documentation.
Class II Products — Notified Body Mandatory
Class II critical products (Annex III Part II: e.g. HSMs, smart meters, industrial control systems) must use a notified body under Annex IX (Art. 32(2)(d)). These tools cannot replace a notified body assessment.
Class II critical products: You must engage an accredited notified body. These tools cannot replace that mandatory assessment. Engage a notified body from the NANDO database.
Important — CRA Compliance Disclaimer (Regulation EU 2024/2847)
This tool is a self-assessment aid only and does not constitute legal advice, a formally certified conformity assessment, or an independently audited report.
Standard products with digital elements: Manufacturers may use the internal control procedure (Annex VIII) to self-certify conformity. These tools help you prepare the documentation required under Annex VIII — including the technical documentation (Annex II) and EU Declaration of Conformity.
Class I important products (Annex III, Part I): Manufacturers may use the internal control procedure (Annex VIII) OR demonstrate compliance with harmonised European standards (Art. 32(2)). Where no applicable harmonised standard exists or the manufacturer does not apply one, use of a notified body (Annex IX) may be required. These tools support documentation preparation but cannot substitute a harmonised standard conformity assessment.
Class II important products (Annex III, Part II): Conformity MUST be assessed by a notified body under Annex IX (Art. 32(2)(d)). These tools cannot replace a notified body assessment and do not constitute evidence of Class II conformity. You must engage an accredited notified body for mandatory third-party assessment.
All assessment risk lies with the user. AIAuditRef, its developers, and staff accept no liability for losses arising from use of or reliance on these outputs. Always verify against official sources: the Cyber Resilience Act (Regulation EU 2024/2847), CRA Art. 32, Annex VIII, Annex IX, and your national market surveillance authority.
Ready to start your CRA readiness journey?
Use the free CRA Readiness Flow to build a structured compliance programme. Upgrade to Pro for document generation (CVD Policy, SBOM templates, ENISA SOP).