CRA Compliance Checklist

Use this comprehensive checklist to track your progress toward full CRA compliance. Print it, check off items as you complete them, and ensure you haven't missed anything.

Product Classification and Scope

Understand which products are subject to CRA requirements

Identify all products with digital elements you develop/distribute Determine which products are sold/distributed to EU customers Classify each product (standard, important, or critical) Document product versions currently in active support Create list of products with target compliance date

Secure by Design and Default

Implement security throughout development and ensure default configurations are secure

Implement secure coding practices in development process Conduct threat modeling for products Add security testing (SAST, DAST) to development pipeline Review and fix default configurations for security Ensure no default passwords or weak credentials Disable unnecessary services/features by default Follow OWASP and NIST security frameworks Implement input validation and output encoding

Vulnerability Management and Handling

Establish processes for identifying, assessing, and addressing vulnerabilities

Establish vulnerability disclosure program Publish security contact email/form Set up automated dependency scanning Create vulnerability assessment process (severity, impact, CVSS) Define remediation timelines (24h for critical exploited, 14d for critical, 30d for important) Implement code review process for security Conduct or plan penetration testing Document and track identified vulnerabilities Update vulnerable dependencies promptly

Software Bill of Materials (SBOM)

Generate and maintain comprehensive SBOMs for all products

Generate SBOM in CycloneDX format for all products Generate SBOM in SPDX format for all products Include all direct and transitive dependencies Document component versions and sources Include license information for all components Document known vulnerabilities in components Identify bundled third-party libraries Set up automated SBOM regeneration with each release Archive SBOMs for historical versions

Update and Support Process

Establish mechanisms for providing security updates throughout product support period

Define product support period for each product Communicate support period to users (website, documentation, product info) Establish reliable update mechanism for users Ensure updates can be applied without breaking functionality Plan update testing and validation process Create security update release notes template Establish update communication process (email, RSS, changelog) Plan for extended support versions if applicable

Incident Response and Reporting

Create processes for handling and reporting security incidents to authorities

Create incident response plan Identify who is responsible for incident response Define incident severity classification Plan for 24-hour early warning reporting to ENISA (for exploited vulnerabilities) Plan for 72-hour detailed incident reporting Plan for 14-day final report with remediation Create user notification templates for security incidents Document incident tracking and logging process Plan for post-incident review and lessons learned

Conformity Assessment

Prepare for and conduct conformity assessment (self-assessment for most products)

Determine if products require third-party assessment (critical products only) Complete self-assessment against CRA essential requirements Document assessment methodology and results Verify secure by design and default implementation Verify vulnerability management processes Verify documentation completeness Verify update mechanism and support period Maintain technical documentation for conformity assessment Create and sign Declaration of Conformity

Ongoing Compliance (After Enforcement)

Maintain compliance as products evolve and new vulnerabilities emerge

Monitor dependencies for new vulnerabilities (continuously) Regenerate SBOMs with each product release Release security updates within defined timelines Review and update technical documentation Respond to vulnerability reports through disclosure program Report serious incidents to ENISA within required timelines Conduct quarterly security reviews Track CRA enforcement actions and regulatory guidance

Use CRA Compliance Suite to Automate Your Compliance

Our platform handles SBOM generation, vulnerability scanning, and documentation creation so you can focus on checking off this checklist efficiently.

Start Free Trial

CRA Compliance Suite