The EU Cyber Resilience Act sets mandatory cybersecurity requirements for almost every connected hardware and software product sold in the EU. This checker maps your product to its CRA risk class and tells you which conformity route, security obligations, and reporting deadlines apply.
How it works
The CRA classifies each product with digital elements into a risk tier, and the tier determines how you prove conformity:
Default → self-assessment (internal control)
Class I → self-assessment only if a harmonised standard is applied,
otherwise third-party assessment
Class II → notified-body (third-party) assessment is mandatory
Critical → European cybersecurity certification may also be required
Password managers, VPNs, browsers, antivirus and home routers are Class I. Hypervisors, industrial firewalls and secure microcontrollers are Class II. Hardware security modules, smart-meter gateways and secure-element smartcards are Critical. Everything else connected is Default.
Obligations that apply to every in-scope product
Regardless of risk class, every manufacturer whose product is in scope must meet a common floor of obligations under the CRA:
- Secure by design — cybersecurity must be considered from the outset of design and development, not added as an afterthought.
- No known exploitable vulnerabilities — products may not be placed on the market with known exploitable vulnerabilities.
- Security updates — manufacturers must provide free security updates throughout the support period, which is typically at least five years, and communicate clearly when support ends.
- Vulnerability disclosure — a coordinated vulnerability disclosure (CVD) process must be established, allowing security researchers to report issues.
- Incident and vulnerability reporting — actively exploited vulnerabilities must be reported to ENISA (and optionally to the national CSIRT) within 24 hours of discovery, a fuller notification within 72 hours, and a final report within 14 days.
- Software Bill of Materials (SBOM) — an SBOM must be available in machine-readable format, listing software components and their versions.
- CE marking — products that pass the applicable conformity assessment must carry the CE mark and an EU declaration of conformity before being placed on the market.
- Market surveillance cooperation — manufacturers must cooperate with market surveillance authorities and provide information on request.
Notes and example
A vendor shipping a password manager lands in Important Class I: it can self-assess only if it fully applies a relevant harmonised standard, otherwise it needs a notified body. This means the harmonised standard chosen must be applied fully and correctly — partial compliance does not qualify for the self-assessment route.
Treat the product-category lists in the CRA annexes as a baseline. Delegated acts and implementing acts issued by the European Commission can add or reclassify products after the regulation enters force, so confirm the current annex against the published Official Journal text before finalising your compliance plan. The phased timeline also means vulnerability reporting obligations apply before the full set of requirements, so compliance planning should address each phase separately.