CRA compliance may seem complex, but it breaks down into clear steps. This checklist guides you from initial assessment through CE marking, reporting obligations, and ongoing vulnerability management.

Step 1: Determine if your product is in scope

All products with digital elements are covered, with limited exceptions (non-commercial open source software, spare parts, certain sectors covered by equivalent sectoral regulation).

Step 2: Classify your product

The CRA classifies products into three categories: Class I (moderate risk), Class II (higher risk), and Outside class (critical products). Classification determines the required conformity assessment procedure.

Step 3: Establish technical documentation

Per CRA Annex VII, you must compile a dossier including: general product description, design plans, specifications and standards applied, risk analysis results, and cybersecurity measures implemented.

Step 4: Implement security by design

Annex I (Part I) requirements cover: secure default configuration, lifecycle vulnerability management, automatic security updates, secure authentication, and protection of stored and transmitted data.

Step 5: Generate and manage your SBOM

The Software Bill of Materials lists all software components, versions, and licenses. Accepted formats: CycloneDX (recommended) and SPDX.

Step 6: Establish vulnerability management

You must demonstrate the ability to monitor CVEs affecting your components, analyze their impact on the product, develop and deploy patches, and document each decision (for example as VEX statements, Vulnerability Exploitability eXchange).
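The SBOM and vulnerability-management steps above are easiest to see end to end in code. The following is an added example, not code from the page or from any product it mentions: it builds a minimal CycloneDX-style SBOM, checks that every component carries the name, version, package URL and licence a dossier needs, matches a constructed advisory against the inventory, and records the triage decision as a CycloneDX VEX document. All component names, versions and the advisory identifier are constructed placeholders.

```python
"""Added example: CycloneDX SBOM completeness check, advisory matching and a
VEX triage record. Every component, version and advisory id below is a
constructed placeholder, not a real package or CVE."""
import json

# Constructed component inventory for a hypothetical product.
COMPONENTS = [
    {"type": "library", "name": "example-json-parser", "version": "2.4.1",
     "purl": "pkg:pypi/example-json-parser@2.4.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-tls", "version": "1.0.9",
     "purl": "pkg:pypi/example-tls@1.0.9",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    # Deliberately incomplete: no licence declared, so the completeness check flags it.
    {"type": "library", "name": "example-logging", "version": "0.3.0",
     "purl": "pkg:pypi/example-logging@0.3.0", "licenses": []},
]

# Constructed advisory; the identifier is a placeholder, not a real CVE.
ADVISORY = {
    "id": "CVE-0000-00000",
    "package": "pkg:pypi/example-json-parser",  # purl without the version part
    "fixed_in": "2.4.2",                          # every earlier version is affected
}


def build_sbom(product, version, components):
    """Return a CycloneDX 1.5 BOM as a plain dict (serialisable with json.dumps)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": product, "version": version}},
        "components": list(components),
    }


def sbom_problems(sbom):
    """List components lacking the fields the dossier needs: name, version, purl, licence."""
    problems = []
    for c in sbom["components"]:
        label = c.get("name", "<unnamed>")
        for field in ("name", "version", "purl"):
            if not c.get(field):
                problems.append(f"{label}: missing {field}")
        if not c.get("licenses"):
            problems.append(f"{label}: missing license")
    return problems


def parse_version(v):
    """Dotted numeric version to a comparable tuple, e.g. '2.4.1' -> (2, 4, 1)."""
    return tuple(int(part) for part in v.split("."))


def affected_refs(sbom, advisory):
    """purls of SBOM components that match the advisory package and are below the fix."""
    refs = []
    for c in sbom["components"]:
        purl = c.get("purl", "")
        pkg, _, ver = purl.partition("@")
        if pkg == advisory["package"] and ver and \
                parse_version(ver) < parse_version(advisory["fixed_in"]):
            refs.append(purl)
    return refs


# Analysis states defined by the CycloneDX vulnerability schema.
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}


def make_vex(sbom, advisory, state, justification=None, detail=""):
    """CycloneDX VEX document recording the triage decision for one advisory."""
    if state not in VEX_STATES:
        raise ValueError(f"unknown VEX state {state!r}")
    if state == "not_affected" and not justification:
        raise ValueError("a not_affected decision must carry a justification")
    analysis = {"state": state, "detail": detail}
    if justification:
        analysis["justification"] = justification
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "vulnerabilities": [{
            "id": advisory["id"],
            "affects": [{"ref": r} for r in affected_refs(sbom, advisory)],
            "analysis": analysis,
        }],
    }


if __name__ == "__main__":
    sbom = build_sbom("example-gateway", "3.1.0", COMPONENTS)
    print("SBOM problems:", sbom_problems(sbom))
    print("affected components:", affected_refs(sbom, ADVISORY))
    vex = make_vex(sbom, ADVISORY, "not_affected", "code_not_reachable",
                   "the vulnerable parser entry point is not called with untrusted input")
    print(json.dumps(vex, indent=2))
```

The `not_affected` decision is only accepted with a justification because that is what an auditor will ask for later; the VEX document is what lets you keep shipping the component while showing that the decision was deliberate and recorded.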

Step 7: Prepare Article 14 reporting

From September 2026, any actively exploited vulnerability or severe incident must be reported in three stages: an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days.
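Because the three deadlines all run from the moment the manufacturer becomes aware of the event, a small tracker helps avoid missing one. The following is an added example, not code from the page; the awareness timestamp is constructed and the milestone names are this example's own.

```python
"""Added example: Article 14 reporting clock. Computes the three deadlines
from the time of awareness and reports which obligation is next due.
The awareness timestamp used below is constructed."""
from datetime import datetime, timedelta, timezone

# Deadlines counted from awareness, in the order the obligations fall due.
MILESTONES = [
    ("early_warning", timedelta(hours=24)),
    ("notification", timedelta(hours=72)),
    ("final_report", timedelta(days=14)),
]


def deadlines(aware_at):
    """Map each milestone to its absolute deadline; the input must be timezone-aware."""
    if aware_at.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware")
    return {name: aware_at + delta for name, delta in MILESTONES}


def next_due(aware_at, submitted, now):
    """Return (milestone, seconds remaining) for the earliest milestone not yet
    submitted; a negative value means it is already overdue. None when all are done."""
    for name, due in deadlines(aware_at).items():
        if name not in submitted:
            return name, (due - now).total_seconds()
    return None


if __name__ == "__main__":
    aware = datetime(2026, 10, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    for name, due in deadlines(aware).items():
        print(f"{name:14s} due {due.isoformat()}")
    now = aware + timedelta(hours=30)
    print("next:", next_due(aware, {"early_warning"}, now))
```

Record the awareness time in UTC at the moment the incident is confirmed, not when the report is drafted; the 24-hour early-warning window is short enough that a wrong start time changes whether you were on time.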

Step 8: Draft the EU Declaration of Conformity

This official document is the manufacturer's declaration that the product meets all applicable CRA requirements. It must be signed by the manufacturer and kept available for market surveillance authorities.

Step 9: Affix CE marking

The cyber CE marking is the culmination of the process. Without it, your product cannot be placed on the EU market after December 2027.

Step 10: Maintain ongoing compliance

CRA compliance is not a one-time event. Update your SBOM with each release, monitor new vulnerabilities, keep technical documentation current, and perform periodic reviews.

Need help applying this checklist? The Expert CRA platform automates steps 1 through 10: classification, documentation, SBOM, CVE monitoring, Article 14 reporting, and full audit trail.