Path to compliance · Guidance

CRA guide for software developers

How the Cyber Resilience Act applies to software products; from secure development to vulnerability handling, SBOMs and the CE marking.

Applies to

Software with digital elements

Conformity

Standards or third-party

Support period

Defined, ≥ expected use

Confirm scope and class

Art. 2 · 6

Most software placed on the EU market with a data connection is in scope, and many developer tools fall in the 'important' category of Annex III.

✓Run the CRA Fast Check to confirm scope
✓Identify whether your product is default, important or critical
✓Record the reasoning in your documentation

Tool for this step

Build security in by design

Annex I · I

Design and develop the product to meet the essential security properties throughout its lifecycle.

✓Ship a secure-by-default configuration
✓Apply authentication and access controls
✓Protect data with encryption in transit and at rest
✓Minimise the attack surface and exposed interfaces

Common pitfall

Leaving debug interfaces, default credentials or verbose error output enabled in production builds.

Tool for this step

Establish vulnerability handling

Annex I · II

Operate a documented process to find, fix and disclose vulnerabilities across the support period.

✓Publish a coordinated vulnerability-disclosure policy
✓Provide a contact point for reporting issues
✓Remediate vulnerabilities without undue delay
✓Disclose fixed vulnerabilities once an update is available

Maintain a software bill of materials

Annex I · II(1)

Keep a current SBOM covering at least the top-level dependencies of your product.

✓Generate an SBOM in a machine-readable format
✓Track components and their known vulnerabilities
✓Keep it updated with each release

Tool for this step

Ship free, timely security updates

Annex I · I(2)

Provide security updates separately from feature updates, free of charge, for the declared support period.

✓Define and publish the support period
✓Deliver security updates promptly
✓Distribute patches through a secure mechanism

Assemble technical documentation

Annex VII

Compile the documentation that demonstrates conformity and keep it available for market surveillance.

✓Product description and intended use
✓Cybersecurity risk assessment
✓Records of standards applied

Assess conformity and affix CE

Art. 32 · 36

Carry out the conformity assessment route for your class and complete the EU declaration of conformity.

✓Self-assess (default) or use a notified body (important/critical)
✓Draw up and sign the EU declaration of conformity
✓Affix the CE marking

Tool for this step

Meet reporting obligations & maintain the product

Art. 13(8) · 14

From September 2026, notify actively exploited vulnerabilities and severe incidents, and keep maintaining the product for its whole support period.

✓Submit an early warning to ENISA and the CSIRT within 24 hours
✓Follow up with a notification and final report
✓Inform affected users where appropriate

Your ongoing obligation

The support period must be at least five years (or the product's expected lifetime, if longer), counted from when it is placed on the EU market. Throughout it you must handle vulnerabilities and provide free security updates; each update must then stay available for 10 years, and the technical file and EU declaration must be kept for 10 years.

Free tools for this role

Every tool below is free to use and opens here in a side panel, so you don't lose your place.

FreeCRA Fast Check

Confirm whether the Act applies and your likely class.

Open here →FreeCompliance matrix

Map every Annex I & VII obligation and track it to done.

Open here →FreeCost calculator

Estimate the one-off and annual cost of compliance.

Open here →FreeVulnerability Analyzer

Cross-reference your SBOM against the NVD & EUVD, and track End-of-Life components.

Open here →FreeDoC generator

Generate an EU Declaration of Conformity (Annex V) for your product.