ChecklistEU

EU Cyber Resilience Act Product Security Checklist

A grounded CRA checklist for manufacturers and product teams preparing products with digital elements for EU market access.

Use it to turn scope, security requirements, vulnerability handling, reporting, documentation, conformity, CE marking, and support-period duties into evidence-backed release gates.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 4, 2026
Updated
May 25, 2026
Sections
7

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 4, 2026
Updated May 25, 2026
Overview

Use this checklist before placing a product with digital elements on the EU market and during the support period. Record the product boundary, responsible economic operator, applicable Annex I requirements, conformity route, release decision, reporting readiness, and the evidence that a market surveillance authority could request.

Section 1

Scope, product boundary, and role checks

Start by defining the product with digital elements, the version or product family, and any remote data processing solution that is necessary for the product to perform one of its functions. Do not treat the website, cloud account, mobile app, firmware, backend API, and hardware enclosure as separate evidence sets until the CRA product boundary is clear.

Then record the economic-operator role for each market path. Manufacturers carry the core CRA design, development, production, vulnerability-handling, conformity, documentation, and CE marking duties; importers and distributors need checks that the required marking, declaration, instructions, and contact information are present before making products available.

  • Create one inventory record per product, product family, version line, hardware variant, firmware branch, software release train, and necessary remote data processing solution.
  • Confirm whether the product is made available on the EU market in the course of a commercial activity and whether a sector exclusion or overlapping Union product law changes the compliance route.
  • Classify each in-scope product as default, important class I, important class II, or critical, and keep the Annex III or Annex IV rationale if the product has a listed core functionality.
  • Name the manufacturer, authorised representative if used, importer, distributor, fulfilment service provider if relevant, and the EU contact point responsible for authority cooperation.
  • Keep evidence for scope exclusions, open-source component treatment, third-party component due diligence, tailor-made product terms, and any decision that a remote service is outside the CRA product boundary.
Recommended next step

Convert the CRA checklist into release gates

Use Assessment Autopilot to turn CRA scope records, Annex I controls, vulnerability-handling duties, Article 14 reporting templates, technical documentation, conformity evidence, and CE marking checks into owned implementation work.

Assessment workflow
Open Assessment Autopilot

Create owned CRA work items for product scope, security controls, vulnerability handling, reporting readiness, documentation, and conformity evidence.

Explore next step
Talk to Sorena
Talk through implementation

Review product boundaries, conformity routes, evidence gaps, and support-period operations before EU market placement.

Explore next step
Section 2

Annex I Part I product security checks

The CRA does not ask teams to prove that a product has no vulnerabilities at all. It requires a cybersecurity risk assessment and, where applicable, release of products without known exploitable vulnerabilities, with secure-by-default configuration, security-update capability, and other objective security properties.

Use these checks as release gates. For every Annex I Part I requirement, record whether it is applicable, the implemented control, the test or review evidence, and the reason if the requirement is not applicable to the product.

  • Risk assessment: document intended purpose, reasonably foreseeable use and misuse, operating environment, threat assumptions, security objectives, residual risks, and the product lifetime considered.
  • Known exploitable vulnerabilities: block release when reliable evidence shows a vulnerability can be effectively exploited under practical operational conditions and no justified mitigation or release decision exists.
  • Secure by default: verify default credentials, access control, exposed services, cryptographic defaults, logging defaults, network interfaces, reset behavior, and any business-user tailor-made exception.
  • Security updates: verify that vulnerabilities can be addressed through security updates, with automatic security updates enabled by default where applicable, user notification, and an opt-out or postponement mechanism where required.
  • Core security properties: test controls for unauthorised access, confidentiality, integrity, data minimisation, availability, denial-of-service resilience, attack-surface limitation, exploitation mitigation, security monitoring, and secure removal or transfer of user data and settings.
Section 3

Annex I Part II vulnerability-handling checks

Vulnerability handling is a support-period operating obligation. The evidence should show that security issues can be received, triaged, remediated, disclosed, and distributed as updates without losing traceability.

Treat component vulnerability intelligence and coordinated vulnerability disclosure as part of product maintenance, not as a separate security-team inbox.

  • Maintain a commonly used, machine-readable software bill of materials covering at least top-level dependencies, and connect each SBOM record to the product version it supports.
  • Document the vulnerability intake path, public reporting contact, coordinated vulnerability disclosure policy, component-maintainer notification process, severity assessment, exploitability assessment, remediation owner, and closure evidence.
  • Run regular product security tests and reviews, including regression checks for update mechanisms, default configuration, authentication, exposed interfaces, logging, and data-removal behavior.
  • Address and remediate vulnerabilities without delay in relation to product risk, using patches, mitigations, workarounds, configuration guidance, user advisories, or documentation updates as appropriate.
  • Distribute security updates securely, free of charge unless a tailor-made business-user exception applies, and separate security updates from functionality updates where technically feasible.
Section 4

Article 14 reporting and user-notification checks

Article 14 reporting should be prepared as an incident workflow before the reporting obligations apply. The trigger is awareness of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements.

The checklist should distinguish discovery, legal/reporting assessment, ENISA single reporting platform submission, user notification, component notification, and authority follow-up.

  • Define awareness sources: customer reports, partner evidence, threat intelligence, government agency notice, ethical hacker reports, telemetry, honeypots, internal monitoring, and component-maintainer notifications.
  • Prepare early-warning templates for the 24-hour notification clock covering product identity, affected Member States where known, suspected malicious activity, sensitivity marking, and known immediate mitigation.
  • Prepare 72-hour notification templates for general product information, exploit or incident nature, initial assessment, corrective or mitigating measures taken, and user actions that can reduce impact.
  • Prepare final-report templates: for actively exploited vulnerabilities, due no later than 14 days after a corrective or mitigating measure is available; for severe incidents, due within one month after the incident notification.
  • Keep user-notification records showing which impacted users, and where appropriate all users, were informed of the vulnerability or incident and what action they were asked to take.
Section 5

Technical documentation and user-information checks

The technical documentation is not only an internal engineering archive. It must be comprehensive enough for market surveillance authorities to assess the product, the cybersecurity risk assessment, the vulnerability-handling process, the standards or specifications used, and the test evidence.

User information should let buyers and operators identify the product, understand secure deployment conditions, find the vulnerability reporting point, install security updates, and know the support-period end date.

  • Product description: include intended purpose, affected software versions, hardware photos or illustrations where relevant, architecture diagrams, interfaces, remote data processing dependencies, and user instructions.
  • Design and process evidence: include architecture, development controls, production and monitoring process validation, vulnerability-handling specifications, SBOM, disclosure policy, reporting contact, and secure-update distribution design.
  • Risk and requirements evidence: include the cybersecurity risk assessment, Annex I applicability mapping, support-period rationale, residual-risk decisions, standards or common specifications used, and alternative technical solutions where standards were not fully applied.
  • Verification evidence: include test reports for product requirements and vulnerability-handling processes, conformity-assessment records, the EU declaration of conformity, and authority-request handling for SBOM access where applicable.
  • User-facing information: include manufacturer contact details, vulnerability contact, unique product identification, intended purpose, secure deployment assumptions, significant cybersecurity risks, support type, support-period end date, update installation instructions, and declaration-of-conformity access.
Section 6

Conformity assessment, declaration, and CE marking checks

Select the conformity route after scope and classification are documented. Default products can generally use internal control, while important or critical products may need Module B+C or Module H unless a specific self-assessment route is available.

CE marking and the EU declaration of conformity should be the end of a documented assessment, not a substitute for it.

  • Record the chosen conformity route: Module A internal control, Module B+C EU-type examination plus conformity to type, Module H full quality assurance, or another route permitted by the CRA for the product category.
  • For Module A, keep evidence that the manufacturer verified applicable CRA essential requirements, drew up technical documentation, controlled production and vulnerability handling, signed the declaration, and affixed CE marking.
  • For Module B+C or Module H, keep notified-body selection, certificate, audit, quality-system, reassessment, and surveillance evidence, including changes that may affect the approved type or vulnerability-handling process.
  • Prepare the EU declaration of conformity for the product, keep it with the technical documentation for 10 years after placing on the market or for the support period, whichever is longer, and make it available to authorities on request.
  • Verify CE marking placement: visible, legible, indelible for physical products where possible; for software, on the EU declaration of conformity or an easily and directly accessible accompanying website section.
Section 7

Support-period and evidence-control checks

The support period determines how long vulnerability handling and security-update expectations remain operational. The manufacturer should justify it with product use expectations, operating environment, similar products, component support, and other relevant factors.

Evidence control matters because CRA records can outlive a release cycle. Keep product, security, legal, and compliance records tied to the exact version or unit placed on the market.

  • Set a support period of at least five years unless the product is expected to be in use for less than five years; use a longer period where the product is reasonably expected to remain in use longer.
  • Document the support-period rationale in the technical documentation, including expected use time, component support, operating environment, and why any shorter-than-five-year period is justified by product nature.
  • Track end-of-support communications, update availability, archival access, component end-of-support dependencies, and user guidance for secure retirement or replacement.
  • Retain the declaration of conformity, technical documentation, certificates, test reports, SBOM records, vulnerability decisions, user notices, and authority correspondence under version-controlled evidence ownership.
  • Create release and change-control gates for substantial modifications, security-relevant updates, support-period changes, new market paths, new importers or distributors, and authority requests.
Primary sources

References and citations

European Commission Cyber Resilience Act policy page
digital-strategy.ec.europa.eu
Referenced sections
  • Supports the page framing that the CRA covers software and hardware products with digital elements, lifecycle vulnerability handling, CE marking, market surveillance, and staged application of reporting and main obligations.
"mandatory cybersecurity requirements for manufacturers"
European Commission FAQs on the Cyber Resilience Act, version 1.2
ec.europa.eu
Referenced sections
  • Supports implementation distinctions used in the checklist, including known exploitable vulnerabilities, secure-by-default expectations, support-period criteria, reporting triggers, conformity modules, CE marking, and declaration-of-conformity handling.
"The CRA does not require manufacturers to ensure that a product is free from all vulnerabilities."
Regulation (EU) 2024/2847, Cyber Resilience Act, Official Journal
eur-lex.europa.eu
Referenced sections
  • Supports the checklist items for CRA scope, Annex I essential cybersecurity requirements, Article 14 reporting clocks, technical documentation contents, conformity assessment, declaration retention, CE marking, and support-period obligations.
"essential cybersecurity requirements for products with digital elements"
Related guides

Explore more topics

CRA Applicability Test for Products With Digital Elements
Check whether the EU Cyber Resilience Act applies to a hardware, software, firmware, open-source, or connected product before conformity planning.
CRA Article 14 Reporting Obligations for Vulnerabilities and Incidents
Article 14 guide to CRA reports for actively exploited vulnerabilities and severe product-security incidents, including deadlines, CSIRT routing, users, and evidence.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ explaining Blue Guide market-access concepts for products with digital elements: placing on the market, making available, imports, CE marking, operator roles, online sales, stock, and testing exceptions.
CRA CE Marking FAQ | Conformity Assessment, EU Declaration, Evidence
Practical CRA CE marking answers for products with digital elements: conformity assessment, EU declaration, technical documentation, standards, software placement, and launch evidence.
CRA Component Due Diligence FAQ | Third-Party Software, FOSS, SBOMs
Cyber Resilience Act FAQ on manufacturer due diligence for integrated components, third-party software, FOSS dependencies, SBOMs, vulnerability handling, and evidence records.
CRA Conformity Assessment and CE Marking
How to choose a Cyber Resilience Act conformity route, prepare technical documentation, issue the EU declaration of conformity, and affix CE marking.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Important and Critical Products
Cyber Resilience Act FAQ on when manufacturers can use module A, when module B+C or module H is required, and how important and critical products affect the route.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Annex I, Updates
CRA FAQ on Article 13 cybersecurity risk assessments, Annex I applicability, intended purpose, foreseeable use, technical documentation, and update evidence.
CRA deadlines and compliance calendar | EU Cyber Resilience Act
Track the Cyber Resilience Act entry into force, staged application dates, Article 14 reporting deadlines, transitional rules, and review dates.
CRA Declaration of Conformity FAQ | Annex V, Simplified Declaration, CE Marking
FAQ on the Cyber Resilience Act EU Declaration of Conformity: Annex V contents, simplified Annex VI wording, CE marking link, technical documentation, retention, updates, and operator duties.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic-operator roles: manufacturers, importers, distributors, authorised representatives, substantial modification, traceability, and evidence controls.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on Annex I product cybersecurity requirements, vulnerability handling, secure-by-default design, risk assessment, documentation, lifecycle duties, and user information.
CRA Essential Cybersecurity Requirements in Annex I
A grounded guide to the Cyber Resilience Act Annex I requirements for product security, vulnerability handling, secure-by-design controls, documentation, and evidence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Components, RDPS
FAQ on Cyber Resilience Act hardware and software boundaries: combined products, standalone software, source code, components, remote data processing, SaaS and market-placement changes.
CRA Harmonised Standards FAQ | Presumption of Conformity, Common Specifications
Cyber Resilience Act FAQ on how harmonised standards, common specifications, certification schemes, and OJ publication affect CRA conformity evidence.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Conformity Assessment
FAQ on CRA important and critical products, Annex III and Annex IV classification, core functionality, and conformity assessment consequences.
CRA Integrated Components and Dependencies FAQ | Third-Party Software and SBOM Evidence
Cyber Resilience Act FAQ on integrated components, third-party software, remote data processing, SBOM-style evidence, upstream fixes, FOSS dependencies, and manufacturer responsibility.
CRA Interplay With EU Product Laws FAQ | RED, Machinery, Data Act
Grounded CRA FAQ on overlap with the Radio Equipment Directive, Machinery Regulation, GPSR, Data Act, exclusions, declarations, documentation, and existing certificates.
CRA Known Exploitable Vulnerabilities at Launch FAQ
FAQ for Cyber Resilience Act launch decisions: known exploitable vulnerabilities, CVEs, component flaws, secure-by-default settings, release gates, Article 14 reporting, and evidence.
CRA Legacy Products FAQ | Pre-11 December 2027 Products
Cyber Resilience Act FAQ on products placed on the market before 11 December 2027, Article 14 reporting, substantial modification, distributor stock, spare parts, and records.
CRA Manufacturer Obligations FAQ | Article 13, Annex I, CE Marking
FAQ for Cyber Resilience Act manufacturers covering Article 13 duties, risk assessment, Annex I, vulnerability handling, support periods, documentation, conformity assessment, reporting, CE marking, and evidence controls.
CRA Market Surveillance and Enforcement FAQ | Authorities, Corrective Action, Safeguards
Cyber Resilience Act FAQ on market-surveillance authorities, investigations, corrective action, withdrawal, recall, safeguards, sweeps, documentation access, and penalties.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA Module B+C FAQ explaining EU-type examination, conformity to type, notified-body evidence, production control, CE marking, declarations, and certificate changes.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA Module H FAQ explaining the full-quality-assurance route, notified-body assessment, quality-system scope, technical documentation, CE marking, declarations, and records.
CRA Notified Bodies FAQ | Scope, Modules B+C and H, Certificates
Practical CRA FAQ on when notified bodies are needed, how CRA bodies are designated, what their notified scope means, and how Module B+C and Module H assessments work.
CRA Open-Source Software FAQ | FOSS Scope, Stewards, Manufacturers
Cyber Resilience Act FAQ for free and open-source software: commercial activity, steward duties, manufacturer due diligence, vulnerability handling, public documentation, and user obligations.
CRA Over-the-Air Updates FAQ
Cyber Resilience Act FAQ on OTA updates, automatic security updates, secure update distribution, support-period evidence, and offline update paths.
CRA penalties and fines FAQ | Article 64 fine caps
FAQ on EU Cyber Resilience Act Article 64 penalties: maximum fine tiers, turnover caps, national enforcement, economic operators, reporting duties, and open-source steward carve-outs.
CRA Penalties and Fines: Article 64 Caps and Enforcement Context
Article 64 of the EU Cyber Resilience Act sets administrative fine ceilings for Annex I, manufacturer, reporting, economic-operator, notified-body, and information-request breaches.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families, variant grouping, shared technical documentation, conformity evidence, and when cybersecurity-relevant differences need separate assessment.
CRA Products with Digital Elements Scope | EU Cyber Resilience Act
Apply the EU Cyber Resilience Act scope test for software, hardware, remote data processing, components, open-source software, exclusions, and economic-operator roles.
CRA Products With Digital Elements Scope FAQ
EU Cyber Resilience Act FAQ on products with digital elements, software, firmware, remote data processing, components, exclusions, market placement, and CRA operator boundaries.
CRA Remote Data Processing Solutions FAQ | Product Scope, Cloud and Backend Boundaries
FAQ on how the EU Cyber Resilience Act treats remote data processing solutions, manufacturer-controlled backends, third-party cloud services, SaaS, risk assessment, documentation, and user information.
CRA Reporting Obligations FAQ | Article 14, CSIRTs, ENISA, User Notices
Cyber Resilience Act FAQ on Article 14 reporting for actively exploited vulnerabilities and severe incidents, including timing, CSIRT routing, ENISA access, user notices, and evidence.
CRA Requirements | Annex I, Manufacturer Duties and CE Evidence
Map Cyber Resilience Act requirements from Annex I to manufacturer duties, vulnerability handling, user information, technical documentation, declaration of conformity, and CE marking evidence.
CRA SBOM and Vulnerability Management Template
Build a CRA-ready SBOM and vulnerability handling record with component inventory, triage, remediation, disclosure, reporting, update, and technical documentation fields.
CRA Secure-by-Default FAQ | Default Configuration and Annex I Controls
Cyber Resilience Act FAQ on secure-by-default configuration, automatic security updates, attack surface reduction, authentication, data minimisation, user information, and tailor-made products.
CRA Security Updates vs Functionality Updates FAQ
Cyber Resilience Act FAQ on classifying security updates, functionality updates, support-period duties, automatic updates, user notices, and substantial-modification review.
CRA Substantial Modification FAQ | Updates, Repairs, Manufacturer Duties
Cyber Resilience Act FAQ on when software updates, repairs, spare parts, and post-market changes become substantial modifications and trigger CRA manufacturer, evidence, and conformity duties.
CRA Support Period FAQ | Expected Product Lifetime, Security Updates, User Information
Practical CRA FAQ on how manufacturers determine support periods, disclose support end dates, keep security updates available, and document support-period evidence.
CRA Tailor-Made Products FAQ | Bespoke Products, Market Placement, Evidence
FAQ on when a bespoke product may be treated as tailor-made under the EU Cyber Resilience Act, what the carve-out changes, and what manufacturers still need to document.
CRA Technical Documentation FAQ | Annex VII Evidence and Technical File
CRA FAQ explaining Annex VII technical documentation, risk assessment evidence, conformity assessment files, vulnerability handling records, product families, RDPS, language, and authority access.
CRA Transition Period FAQ | Entry Into Force, Application Dates, Reporting, Legacy Products
CRA FAQ on the transition period covering entry into force, 2026 reporting, 2027 application, legacy products, stock, customs timing, and software versions.
CRA Update Availability and Software Archives FAQ
FAQ on CRA security-update availability, support-period notices, optional public software archives, historical versions, and Article 13(10) software-version limits.
CRA User Information and Transparency FAQ | Annex II Instructions
Practical CRA FAQ on Annex II user instructions, support-period disclosure, vulnerability contacts, update notices, importer and distributor information.
CRA vs RED Cybersecurity Delegated Act
Compare the EU Cyber Resilience Act with the RED cybersecurity delegated act for connected and radio equipment, including scope, timing, evidence, and transition treatment.
CRA vs UK PSTI Act | Cyber Resilience Act Comparison
Compare grounded EU Cyber Resilience Act duties with UK PSTI planning points, with UK legal details clearly marked for separate source review.
CRA Vulnerability Handling and Disclosure | Article 14 Reporting and Security Updates
How EU Cyber Resilience Act manufacturers should run vulnerability intake, remediation, coordinated disclosure, Article 14 reporting, secure updates, and evidence records.
CRA Vulnerability Handling FAQ | Support Periods, Components, Reporting
Practical CRA FAQ on vulnerability handling: SBOMs, remediation, coordinated disclosure, component issues, security updates, support periods, Article 14 reporting, and user notices.
Cyber Resilience Act Module A FAQ | Internal Production Control
FAQ on when CRA Module A internal production control is available, when it is blocked, and what documentation, testing, standards, and evidence it still requires.
EU CRA Compliance Program for Manufacturers and Economic Operators
Build a Cyber Resilience Act compliance program around product scope, Annex I security requirements, conformity assessment, technical documentation, vulnerability reporting, and market surveillance.
EU Cyber Resilience Act Core Functionality FAQ | CRA Product Classification
CRA FAQ on core functionality, product boundaries, remote data processing, integrated components, ancillary functions, and software changes that affect product classification.
EU Cyber Resilience Act FAQ
Direct CRA FAQ answers on scope, economic-operator roles, essential requirements, vulnerability reporting, conformity assessment, CE marking, support periods, and market surveillance.
EU Cyber Resilience Act Repairs and Spare Parts FAQ
CRA FAQ for repairs, spare parts, legacy products, security updates, substantial modification, and responsibility after product changes.
EU Cyber Resilience Act Technical Documentation and Audit File
Build an audit-ready CRA technical file around Article 31 and Annex VII: product scope, risk assessment, vulnerability handling, conformity evidence, testing, and retention.