Cyber Resilience Act

Readiness Assessment

Coming Soon


Use our readiness assessment questionnaire and receive a comprehensive benchmark report detailing your current readiness to comply with the Cyber Resilience Act. Talk to us today about how we can support you to prepare for the CRA!

Step 1
Company Details

Fill in some high-level company and product information and your contact details.

Step 2
Essential Requirements

Answer the questions related to risk assessment, vulnerability handling, security by design and secure coding. The questions are weighted, so some carry a higher importance than others.

Step 3
Documentation Checklist

Fill in the documentation checklist for the Cyber Resilience Act and submit your answers.

Step 4
Readiness Report

Receive your comprehensive report on your performance against the Cyber Resilience Act essential requirements to see a snapshot of where you stand today in relation to the CRA.



Our CRA Readiness Assessment gives you an opportunity to get an early snapshot against the CRA requirements to help you plan and budget early for your compliance journey.


Readiness Report

You will receive a comprehensive report of your current status against the essential requirements. Use our report in your organisation to demonstrate at a high level what the areas of improvement are and where you need to add resources, expertise and budget.



We have been active members of the ECSO CRA working group since August 2023 and are tracking all of the developments so you don’t have to!

Your Questions Answered

Frequently Asked Questions

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is a first-of-its-kind piece of legislation that provides a baseline cybersecurity standard for products with digital elements within the European Union. The CRA aims to address two main problems identified in products with digital elements:

  1. Products with digital elements are being manufactured with low levels of cybersecurity. This results in widespread vulnerabilities and a lack of security updates to address them, which makes these products attractive targets for cybercriminals as a vehicle to attack larger networks.
  2. Users of products with digital elements have an insufficient understanding of the product, and they lack the information that would allow them to make informed decisions on choosing products with proper cybersecurity features and using them in a secure manner.

What products are in scope?

The CRA will apply to any product that meets all of the following criteria:

  1. It directly or indirectly has a data connection to a device or network. For example, wireless speakers which connect to other devices via a Bluetooth connection, or a USB drive that plugs into a computer.
  2. It is a hardware and/or software-based product.
  3. It will be sold in the EU internal market.

What are the timelines for the CRA?

The CRA will become fully enacted legislation. It is estimated to be adopted in full in Autumn 2024. It has yet to be decided whether the transition period will be 24 or 36 months.

Who needs to comply?

Manufacturers including software developers, importers and distributors of software and hardware products with digital elements who sell on the EU market will need to comply with the CRA. Entities outside of the EU who sell their products in the EU will also need to comply.

What are the categories of products?

There are three categories of products: important, critical and default.

Default category

Products that fall into the default category have the lowest cybersecurity risk associated with them. These products do not hold sensitive data or interact with critical networks, so if they are exploited there is minimal risk of a large data breach or of the attacker being able to use the product to access more sensitive systems.

Examples of products in this category given by the European Commission include smart speakers, word processors and photo editors.

To be compliant with the CRA, products in the default category must adhere to a set of essential requirements (found in Annex I of the CRA) and complete a self-assessment to prove compliance with these essential requirements.

Products with higher risk associated with them are separated into two groups, Class I and Class II. They can be found in Annex III of the CRA text.

Some examples of Class I products:

Network Management Systems, Password Managers, standalone and embedded browsers.

Some examples of Class II products:

Operating systems, HSMs, smartcards, smartcard readers and tokens.

I have more questions ...

If you have questions about the Cyber Resilience Act, we are happy to help you. Please contact us and we would be delighted to set up a call with you.