CRA Checklist 2025
The definitive CRA checklist for assessing your organization’s readiness for the Cyber Resilience Act.
The Cyber Resilience Act establishes new cybersecurity obligations for any product with digital elements sold in the EU. Our CRA Readiness Checklist helps you quickly assess whether your organization is prepared to meet the requirements coming into force between 2025 and 2027.
Key Facts About the CRA’s Impact
The Cyber Resilience Act introduces cybersecurity obligations with an unprecedented scope across the digital product landscape. These figures illustrate its market impact.
90%
of digital products will fall under the CRA scope. The regulation affects nearly all connected products, embedded software, and digital components.
100%
of manufacturers must ensure security support throughout the product lifecycle. This includes vulnerability handling, security updates, and incident reporting.
70%
of companies have not yet assessed whether their product is “default” or “critical”. Correct classification is essential to determine obligations.
What the CRA Checklist Includes
This checklist brings together the essential criteria you need to determine how the Cyber Resilience Act affects your product and your organization. It distills the regulation into clear, actionable checkpoints so you can validate scope, risk class, obligations and required documentation without navigating the full legal text.
👉🏻 Inside you will find:
🔸 Core guidance for understanding CRA scope
🔸 Quick-reference guides on key CRA requirements:
▪️ Determining whether your product qualifies as a product with digital elements.
▪️ Validating your product’s risk class (default, critical or low risk).
▪️ Understanding mandatory security requirements and lifecycle obligations.
▪️ Listing all required documentation for CRA conformity.
Updated for 2025
This CRA Checklist is maintained according to the latest updates from the European Commission and evolving CRA guidance.
How the CRA Checklist Helps You
1️⃣ Quickly identify whether the CRA applies to you and to what extent.
2️⃣ Detect compliance gaps well ahead of regulatory deadlines.
3️⃣ Facilitate alignment between product, engineering, security, and compliance teams.
4️⃣ Reduce time spent interpreting the regulation and focus on actionable steps.
Other Free CRA Templates
Access a set of complementary resources designed to accelerate your Cyber Resilience Act readiness. These templates help you structure documentation, standardize internal processes and ensure consistency across product, security and compliance workflows while preparing for CRA requirements. Available soon:
- 📝 CRA Product Classification Template
- 📚 Coordinated Vulnerability Disclosure Policy
- 📄 Technical Documentation Structure
- 🔐 Security Requirements Checklist for Manufacturers
- 🔧 Post-Market Cybersecurity Obligations Guide
- 📑 EU Declaration of Conformity (DoC) Outline
- 🧭 CRA Scope Assessment Worksheet
- 🛠️ Secure Development Lifecycle (SDL) Starter Framework
- 📊 CRA Compliance Roadmap Template
How to Use This CRA Checklist
Use this checklist to evaluate your current readiness, detect compliance gaps, guide internal conversations between engineering and compliance teams, and plan your preparation for CRA enforcement. It can be used as a standalone tool or as part of a broader CRA compliance workflow.
- Step 1: Determine CRA applicability
- Step 2: Identify compliance gaps
- Step 3: Align engineering and compliance teams
- Step 4: Plan your CRA roadmap
Not sure whether the CRA applies to your product?
Read our full applicability guide → “Does the CRA Apply to Your Product?”
Who Should Use This CRA Checklist
This CRA checklist is designed for:
- Manufacturers of products with digital elements
- IoT and connected-device vendors
- Embedded and firmware engineering teams
- Importers and distributors operating in the EU
- Product security and compliance teams preparing for CRA obligations

CRA Timeline (2025–2027)
The Cyber Resilience Act enters into force in 2025 with progressive obligations enforced until 2027. Companies must assess CRA applicability, prepare technical documentation, implement vulnerability handling processes and ensure lifecycle security before the end of the transition period.

Preview of the CRA Checklist
Below is a short extract of the technical checkpoints included in the full CRA Readiness Checklist. These items reflect the real structure of the PDF you will receive:
Scope & Product Determination
• Product qualifies as a “product with digital elements”
• Connectivity and data-processing analysis completed
• Sector-specific exemptions reviewed
• EU market placement validated
Economic Operator Role
• Manufacturer responsibilities assessed
• Importer/distributor obligations mapped
• Authorized Representative requirements verified
Risk Classification (Default vs Critical Class)
• Annex III criteria evaluated
• Critical functionalities identified
• Classification documented for conformity assessment
Security & Lifecycle Requirements
• Annex I, Section 1 security controls reviewed
• Annex I, Section 2 vulnerability handling requirements validated
• Update mechanisms and support lifetime defined
Technical Documentation & Evidence
• Architecture and design documentation available
• SBOM and third-party components recorded
• Test results, logs and evidence prepared for conformity
Free CRA Checklist (2025)
Download the CRA Checklist to assess applicability, product classification, security requirements and documentation.
Frequently Asked Questions About the Cyber Resilience Act
This section addresses the most common questions organizations face when preparing for CRA compliance. It provides clear, practical answers to help you understand scope, obligations, timelines and the concrete steps required to bring your digital products in line with the Cyber Resilience Act.
Who must comply with the Cyber Resilience Act?
Any organization that manufactures, imports, distributes, or places products with digital elements on the EU market must comply with the CRA. This includes hardware vendors, IoT companies, embedded software teams, and digital product manufacturers.
Does the CRA apply to software-only products?
Yes. Software-only products fall under the CRA if they have direct or indirect connectivity or are necessary for a product to operate securely. Cloud-only SaaS platforms are generally excluded unless they ship an installable or connectable component.
How do I know if my product is in scope?
A product is in scope if it meets the definition of a “product with digital elements,” which includes embedded software, connected devices, firmware-driven systems, and software components placed on the EU market. You can follow the CRA applicability criteria or use our applicability article: CRA Applicability Guide.
What is the difference between Default Class and Critical Class products?
Default Class products follow standard CRA requirements. Critical Class products meet additional criteria defined in Annex III (e.g., critical infrastructure, privileged access, security-related functions) and require stricter assessment. Classification determines conformity procedures and documentation obligations.
What documentation is required under the CRA?
Manufacturers must prepare technical documentation, a cybersecurity risk assessment, vulnerability handling procedures, SBOM, update policies, testing evidence, and the EU Declaration of Conformity. Distributors and importers also have documentation responsibilities.
What happens if an organization fails to comply?
Non-compliance can result in products being banned from the EU market, mandatory withdrawals, or administrative fines. Manufacturers also risk liability if cybersecurity incidents arise from missing requirements.
What is the timeline for CRA enforcement?
The CRA enters into force in 2025, with obligations progressively enforced until 2027. Companies must use this transition period to assess applicability, classify products, build technical documentation, and implement vulnerability management processes.
How does this CRA checklist help my organization?
The checklist provides a structured, step-by-step review of CRA obligations covering scope, classification, technical documentation, security requirements, and lifecycle processes. It helps teams identify gaps and accelerate compliance preparation.


