This page provides a comprehensive Cyber Resilience Act (CRA) compliance checklist designed to help individuals and organizations verify and demonstrate product compliance with the requirements established by the CRA.
The compliance requirements listed on this page are sourced directly from the European Union Cyber Resilience Act (CRA) (28.04.2025).
All compliance assessment data you enter, including the "Compliance description" texts and the "Compliant" checkboxes, are stored locally in your browser. After completing the assessment, the results can be saved as a PDF through your browser and the data can be exported to be saved externally or re-imported in another browser.
Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall be made available on the market without known exploitable vulnerabilities.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation).
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall be designed, developed and produced to limit attack surfaces, including external interfaces.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user.
On the basis of the cybersecurity risk assessment referred to in Article 13 (2) and where applicable, products with digital elements shall provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.
Manufacturers of products with digital elements shall identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products.
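One practical check for this item is to confirm that the SBOM actually covers every top-level dependency the build links, and that each listed component carries a package URL so it can be matched against vulnerability databases. The following Go program is an added example for this page, not code from the regulation or from any real product or SBOM tool; the CycloneDX-style SBOM, the product name "acme-gateway" and the example.com package URLs are constructed test data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sampleSBOM is a constructed CycloneDX-style SBOM for a hypothetical product
// "acme-gateway". Example data for this check, not from any real product.
const sampleSBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "bom-ref": "pkg:generic/acme-gateway@2.3.0",
                             "name": "acme-gateway", "version": "2.3.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:golang/example.com/tlsutil@1.4.2", "name": "tlsutil",
     "version": "1.4.2", "purl": "pkg:golang/example.com/tlsutil@1.4.2"},
    {"type": "library", "bom-ref": "pkg:golang/example.com/mqtt@0.9.1", "name": "mqtt",
     "version": "0.9.1", "purl": "pkg:golang/example.com/mqtt@0.9.1"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/acme-gateway@2.3.0",
     "dependsOn": ["pkg:golang/example.com/tlsutil@1.4.2", "pkg:golang/example.com/mqtt@0.9.1"]}
  ]
}`

// sampleManifest is a constructed list of the top-level dependencies the build
// actually links, as package URLs. The last entry is deliberately absent from
// the SBOM so the check has something to report.
var sampleManifest = []string{
	"pkg:golang/example.com/tlsutil@1.4.2",
	"pkg:golang/example.com/mqtt@0.9.1",
	"pkg:golang/example.com/jsonrpc@3.0.0",
}

type component struct {
	BomRef  string `json:"bom-ref"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type dependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn"`
}

type sbom struct {
	BomFormat string `json:"bomFormat"`
	Metadata  struct {
		Component component `json:"component"`
	} `json:"metadata"`
	Components   []component  `json:"components"`
	Dependencies []dependency `json:"dependencies"`
}

// CheckTopLevelCoverage compares the SBOM against the build manifest. It returns
// the manifest dependencies that are not declared as direct dependencies of the
// root component (or have no component entry at all), and any SBOM components
// that carry no purl and therefore cannot be matched against advisories.
func CheckTopLevelCoverage(sbomJSON string, manifest []string) (missing, unidentified []string, err error) {
	var b sbom
	if err := json.Unmarshal([]byte(sbomJSON), &b); err != nil {
		return nil, nil, err
	}
	if b.BomFormat != "CycloneDX" {
		return nil, nil, fmt.Errorf("unsupported bomFormat %q", b.BomFormat)
	}
	root := b.Metadata.Component.BomRef
	if root == "" {
		return nil, nil, fmt.Errorf("SBOM has no root component (metadata.component.bom-ref)")
	}
	// In CycloneDX the product's direct dependencies are the dependsOn entries
	// of the dependency record whose ref is the root component.
	direct := map[string]bool{}
	for _, d := range b.Dependencies {
		if d.Ref == root {
			for _, r := range d.DependsOn {
				direct[r] = true
			}
		}
	}
	declared := map[string]bool{}
	for _, c := range b.Components {
		declared[c.BomRef] = true
		if c.PURL == "" {
			unidentified = append(unidentified, c.Name+"@"+c.Version)
		}
	}
	for _, m := range manifest {
		if !direct[m] || !declared[m] {
			missing = append(missing, m)
		}
	}
	sort.Strings(missing)
	sort.Strings(unidentified)
	return missing, unidentified, nil
}

func main() {
	missing, unidentified, err := CheckTopLevelCoverage(sampleSBOM, sampleManifest)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("top-level dependencies missing from SBOM:", missing)
	fmt.Println("components without purl:", unidentified)
}
```

Run against the constructed data, the check reports jsonrpc as a top-level dependency the SBOM never declares. In a real pipeline the manifest would come from the build system (go.sum, package-lock.json, a Yocto image manifest and so on) rather than from a hard-coded list, and the check would run as a release gate so an SBOM that drifts from the shipped binary cannot be attached to the technical documentation.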
Manufacturers of products with digital elements shall in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates.
Manufacturers of products with digital elements shall apply effective and regular tests and reviews of the security of the product with digital elements.
Manufacturers of products with digital elements shall once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch.
Manufacturers of products with digital elements shall put in place and enforce a policy on coordinated vulnerability disclosure.
Manufacturers of products with digital elements shall take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements.
Manufacturers of products with digital elements shall provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner.
Manufacturers of products with digital elements shall ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.
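A "secure mechanism to distribute updates" in practice means the device verifies a manufacturer signature over an update manifest before trusting anything in it, refuses versions older than the one installed (rollback protection), and checks the image digest against the signed manifest. The Go program below is an added example illustrating that pattern; it is not code from the regulation or from any real update framework, and the product name "acme-gateway", the manifest layout and the image bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed description of one update. Version is a monotonic
// counter: the device refuses anything that is not newer than what it runs.
type Manifest struct {
	Product string `json:"product"`
	Version uint32 `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update image
}

// SignedUpdate is what the update channel delivers to the device.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

// Sign is the manufacturer-side step. In practice the private key lives in an
// HSM or signing service, never on the device or on the update server.
func Sign(priv ed25519.PrivateKey, m Manifest, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	m.SHA256 = hex.EncodeToString(sum[:])
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

// Verify is the device-side step. pub is the manufacturer public key baked into
// the device; product and installed describe what the device currently runs.
// The signature is checked before any field of the manifest is trusted.
func Verify(pub ed25519.PublicKey, u SignedUpdate, product string, installed uint32) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return m, err
	}
	if m.Product != product {
		return m, fmt.Errorf("manifest is for %q, device is %q", m.Product, product)
	}
	if m.Version <= installed {
		return m, fmt.Errorf("rollback refused: manifest version %d, installed %d", m.Version, installed)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return m, err
	}
	got := sha256.Sum256(u.Image)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return m, errors.New("image digest does not match signed manifest")
	}
	return m, nil
}

// Demo builds one genuine update and exercises the accept and reject paths.
func Demo() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	image := []byte("constructed firmware image, version 7") // stand-in for a real image
	upd, err := Sign(priv, Manifest{Product: "acme-gateway", Version: 7}, image)
	if err != nil {
		return nil, err
	}
	res := map[string]bool{}
	_, err = Verify(pub, upd, "acme-gateway", 6)
	res["genuine_accepted"] = err == nil
	tampered := upd // same signed manifest, image modified in transit
	tampered.Image = append([]byte(nil), upd.Image...)
	tampered.Image[0] ^= 0xff
	_, err = Verify(pub, tampered, "acme-gateway", 6)
	res["tampered_image_rejected"] = err != nil
	_, err = Verify(pub, upd, "acme-gateway", 7) // device already runs version 7
	res["rollback_rejected"] = err != nil
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	_, err = Verify(otherPub, upd, "acme-gateway", 6)
	res["untrusted_signer_rejected"] = err != nil
	return res, nil
}

func main() {
	res, err := Demo()
	fmt.Println(res, err)
}
```

The order of checks matters: the signature is verified over the raw manifest bytes before they are parsed, so a malformed or attacker-controlled manifest never reaches the JSON decoder or the version logic. Transport security (TLS to the update server) is complementary, not a substitute, because the signature also protects against a compromised server or mirror. Key rotation and revocation are not shown here and need their own design.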
At minimum, the product with digital elements shall be accompanied by: the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;
At minimum, the product with digital elements shall be accompanied by: the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;
At minimum, the product with digital elements shall be accompanied by: name and type and any additional information enabling the unique identification of the product with digital elements;
At minimum, the product with digital elements shall be accompanied by: the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties;
At minimum, the product with digital elements shall be accompanied by: any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks;
At minimum, the product with digital elements shall be accompanied by: where applicable, the internet address at which the EU declaration of conformity can be accessed;
At minimum, the product with digital elements shall be accompanied by: the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates;
At minimum, the product with digital elements shall be accompanied by: detailed instructions or an internet address referring to such detailed instructions and information on:
At minimum, the product with digital elements shall be accompanied by: if the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed.
The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: a general description of the product with digital elements, including:
The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: a description of the design, development and production of the product with digital elements and vulnerability handling processes, including:
The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable.
The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements.
The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied.
The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I.
The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: a copy of the EU declaration of conformity.
The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.