Path to compliance · Guidance

CRA guide for manufacturers

The obligations the Cyber Resilience Act places on producers of products with digital elements; from risk assessment to CE marking and post-market duties.

Applies to

Products with digital elements

Classes

Default · Important · Critical

Conformity

Per product class

Marking

CE before market placement

Confirm scope and classification

Art. 2 · 6 · 7

Determine that the product is in scope and establish its class; this drives every later step.

✓Confirm the product has digital elements and an EU market presence
✓Classify as default, important or critical
✓Check the Annex III / IV category lists

Tool for this step

Run a cybersecurity risk assessment

Art. 13(2)

Base the product's design on a documented assessment of the cybersecurity risks.

✓Identify threats and applicable risks
✓Determine which essential requirements apply
✓Keep the assessment with your documentation

Why it matters

The risk assessment is the foundation auditors and market surveillance will ask to see first.

Meet the essential requirements

Annex I · I

Design and produce the product to satisfy the Annex I security properties.

✓Secure-by-default configuration
✓Protection of confidentiality and integrity
✓Resilience and availability of essential functions
✓Minimised attack surface

Tool for this step

Operate vulnerability handling

Annex I · II

Run a vulnerability-handling process for the full support period.

✓Maintain an SBOM
✓Remediate and disclose vulnerabilities
✓Provide free security updates

Tool for this step

Compile technical documentation

Annex VII

Assemble and maintain the full technical file before placing the product on the market.

✓Product description and risk assessment
✓Design and manufacturing information
✓EU declaration of conformity

Choose the conformity assessment route

Art. 32

Select the assessment procedure that matches your product class.

✓Module A self-assessment for default products
✓Standards-based or third-party for important products
✓European certification for critical products

Declare conformity and affix CE

Art. 28 · 30

Complete the declaration and apply the marking that signals compliance.

✓Draw up and sign the EU declaration of conformity
✓Affix the CE marking visibly
✓Provide user information and instructions

Tool for this step

Fulfil post-market obligations

Art. 13(8) · 14

Monitor the product, report as required and keep it secure for its whole support period.

✓Report actively exploited vulnerabilities and severe incidents
✓Take corrective action for non-conforming products
✓Cooperate with market surveillance authorities

Your ongoing obligation

The support period must be at least five years (or the product's expected lifetime, if longer), counted from when it is placed on the EU market. Throughout it you must handle vulnerabilities and provide free security updates; each update must then stay available for 10 years, and the technical file and EU declaration must be kept for 10 years.

Free tools for this role

Every tool below is free to use and opens here in a side panel, so you don't lose your place.

FreeCRA Fast Check

Confirm whether the Act applies and your likely class.

Open here →FreeCompliance matrix

Map every Annex I & VII obligation and track it to done.

Open here →FreeCost calculator

Estimate the one-off and annual cost of compliance.

Open here →FreeVulnerability Analyzer

Cross-reference your SBOM against the NVD & EUVD, and track End-of-Life components.

Open here →FreeDoC generator

Generate an EU Declaration of Conformity (Annex V) for your product.