CRA Product Compliance Assessment
Classification, Annex I essential requirements, conformity blockers and a draft Declaration of Conformity — for every product you place on the EU market.
Learn moreAssess your organisation's readiness for the EU Cyber Resilience Act with role-based assessments tailored to your obligations.
100% local · runs on your device · no data leaves your environment
Obligations differ by economic-operator role — Manufacturer, Importer, Distributor, Authorised Representative, Open-Source Software Steward — so you assess against Articles 13/18/19/20/24 that actually apply to you.
Governance, risk, conformity, supply chain, secure-by-design, vulnerability handling, updates, SBOM, incident reporting, market surveillance and more — 102 questions on a four-point maturity scale.
Self-assessment, independent reviewer override, and evidence-confidence ratings sit side by side, with a full audit trail — the evidence a market-surveillance authority or notified body expects.
Runs in your browser — no SaaS, no account. Optional AI connects only when you choose, using your own API key, and never sends data to CyberAssure.
Regulatory Context
Vulnerability and incident reporting obligations apply from 11 September 2026; full conformity and CE-marking obligations from 11 December 2027. Non-compliance carries penalties of up to €15 million or 2.5% of global turnover, and a product without demonstrable conformity simply can't be placed on the EU market.
Read: the EU Cyber Resilience Act explained →No installs, no accounts, no data leaving your environment.
Request access and we provide the assessment — a self-contained file that opens in your browser. Nothing to install, no account to create.
Answer the 102 questions against the roles you hold, attach evidence, and run the independent-reviewer pass — all on your own device. Optional AI runs on your own Anthropic key.
Generate the readiness report, gap register, the Module H preparation pack, the CRA Coverage Map and a draft Declaration of Conformity — in one click.
One assessment becomes every deliverable — board narrative, project tracker, evidence pack, regulator dossier and notified-body audit pack.
The narrative deliverable — domain compliance analysis, gap register with CRA Article references, prioritised remediation plan and glossary. When AI is enabled, the report includes AI-generated executive summary, per-domain narratives, remediation roadmap commentary and a "What You're Doing Well" strengths section.
The same data in tabular form across multiple sheets for project tracking, owner assignment and status. Drops into JIRA, Asana or Smartsheet without re-keying.
Every attached evidence file, organised by question reference, with a full Excel register cataloguing each file. The audit pack — ships in one click when a regulator or notified body asks for substantiation.
A downloadable Word document showing which CRA Articles and Annex items your assessment covers, with per-item coverage statistics, semantic status colours (Met / Partial / Not Met / N/A / Unanswered), and one section per page. Surfaces uncovered Articles that auditors ask about first.
Load a previous assessment to generate a domain-by-domain change report — improvements, regressions, evidence added/removed, reviewer-decision changes, and compliance trajectory over time. Multi-period trend analysis supported.
The headline view that separates self-assessed scores from evidence-validated scores — with an Evidence Confidence Breakdown (Full, Partial, No-evidence) that protects against the optimism bias that makes self-assessments unreliable.
Portable, self-contained snapshot of the assessment, evidence references and audit history. Restore from backup at any time. Your data, your format, no vendor lock-in.
Chronological record of every answer, note, evidence change and reviewer override — plus an in-app version history viewer. The full defensibility trail for the ten-year retention period the CRA requires.
A tracked remediation register built from the gap list — owner, priority, target date and status on every action, with overdue items flagged and open/in-progress/complete counts for the board. Exportable to Word and Excel.
A fixed reference document mapping every question in the CRA suite to its precise CRA Article and Annex citations — the reconciliation auditors and notified bodies ask for, separate from your own personalised Coverage Map.
The defensibility of a consultant engagement, the control of doing it yourself — without the cost of either failing you.
| Big-4 consultant | Internal spreadsheet | CyberAssure | |
|---|---|---|---|
| Cost | $40k+ per engagement | Low, but hidden | A fraction of consultant cost |
| Role-mapped obligations + all 12 domains | ✓ | ✗ | ✓ |
| Repeatable, same method every period | ✗ | ~ | ✓ |
| Conformity deliverables (Module H pack, DoC, Coverage Map) | ~ | ✗ | ✓ |
| Independent reviewer & evidence audit trail | ✓ | ✗ | ✓ |
| Data stays on your device | ✗ | ✓ | ✓ |
| Board-ready reports in hours, not weeks | ✗ | ~ | ✓ |
| Expertise stays in-house | ✗ | ✓ | ✓ |
Licensed per entity, per year — completed once per manufacturer organisation. No per-seat fees and no usage metering, and because it runs on your own device there are no hosting or data-residency surprises. Get in touch for a quote.
Yes. Every requirement pairs a self-assessment with an independent reviewer conclusion and an evidence-confidence rating, with a full audit log. It produces the structured, evidence-backed record an authority or notified body expects, plus period-over-period history showing a credible trajectory — exactly what's examined if you're challenged. It doesn't replace a formal assessment; it produces the evidence that makes one efficient.
The assessment maps obligations to your economic-operator role(s) — Manufacturer, Importer, Distributor, Authorised Representative or Open-Source Software Steward (Articles 13/18/19/20/24). You identify the roles you hold and the questions for roles you don't are excluded, so you're not scored against duties that aren't yours.
AI is off by default. When you switch it on, requests go directly from your browser to Anthropic using your own API key — never through CyberAssure's servers, and nothing is stored by us. A sensitive-data warning is shown before any evidence is submitted, and AI can be disabled entirely for regulated environments.
You own everything outright. Your assessment and evidence live in your own files and export to Word, Excel and JSON. There's no cloud database to be locked out of and no vendor hosting your data.
It tracks Regulation (EU) 2024/2847, its Annexes and the emerging harmonised standards, and is maintained as they're finalised — so you assess against the current requirements, not a frozen snapshot.
Book a demo, or request access and run your organisational readiness assessment.
The EU Cyber Resilience Act (CRA) Organisational Readiness Assessment helps manufacturers, importers, distributors, authorised representatives and open-source software stewards evaluate their enterprise-wide preparedness for the EU's landmark cybersecurity regulation for products with digital elements.
The assessment covers 100 questions across 12 CRA domains, each mapped to specific CRA Articles and Annexes. Question sets adapt to the CRA roles your organisation plays — presenting the specific obligations relevant to your responsibilities under the regulation, with detailed self-assessment guidance defining what each compliance level means for that question.
Per-question evidence attachment, an independent reviewer workflow, and a complete chronological audit log produce a defensible, evidence-backed view of enterprise CRA readiness — with a prioritised remediation roadmap mapped to specific CRA Articles and clear visibility for the board on where investment is required.
Period-over-period reassessments anchor to the board reporting calendar, and the assessment updates in real time as CRA implementing acts and harmonised standards are finalised.
EU CRA Enforcement Timeline
December 2024
Regulation in force
CRA published in the EU Official Journal. Compliance planning should begin now.
September 2026
Reporting obligations apply
Vulnerability and incident reporting to ENISA becomes mandatory. First hard deadline.
December 2027
Full compliance required
All essential requirements, CE marking, and conformity assessment obligations enforceable.
Need to assess individual products against the CRA's essential requirements? Our companion Product Compliance Assessment evaluates each of your products with digital elements across 136 questions and 9 domains — with binary essential-requirement scoring that flags conformity blockers, multi-product portfolio reporting, classification support, and evidence management.
Learn More → Compare both →The CRA places different obligations on different supply chain roles. Your 100-question assessment adapts to the roles your organisation plays under the regulation:
Where your organisation plays more than one role, the assessment combines the relevant question sets so a single instance covers your full CRA exposure.
This assessment is designed for:
Organisations using this assessment typically gain:
The 100 questions are organised across 12 CRA domains, grouped into three workflow streams that mirror how CRA compliance work actually flows through an organisation:
Stream 1 · Governance & Design
Stream 2 · Risk & Response
Stream 3 · Documentation & Conformity
Each of the 100 questions uses a 4-point answer scale — Not Met · Partially Met · Met · Met with Continuous Improvement — plus N/A with required justification. A free-text justification field captures the rationale, inline glossary tooltips explain CRA terminology on hover, and side-by-side panels present a detailed Self-Assessment Guide defining what each compliance level means and an Evidence Files drag-and-drop area for attaching supporting documents directly to the question. PDFs, images, Word, Excel and CSV are all accepted, and a "No evidence available" checkbox handles cases where evidence cannot be provided.
Evidence lives with the answer that depends on it — not in a SharePoint folder, not in someone's email, not in a shared drive nobody can find. When an auditor or notified body asks "prove it", the substantiating artefact is one click away.
A second pair of eyes is the difference between "claimed" and "substantiated". An independent reviewer captures observations against the evidence in three structured fields:
The reviewer workflow underpins the difference between self-assessed and evidence-validated scoring on the results dashboard — the view a notified body will look at first.
Once questions are answered, results surface in three connected views: a Domain Compliance Analysis showing per-domain rollup scores with a red-to-green gradient bar and one-line descriptions of regulatory scope; an Evidence Review Validation section that separates self-assessed scores from evidence-validated scores with an Evidence Confidence Breakdown (Full, Partial, No-evidence); and a Compliance Gaps Register where every Not Met or Partially Met answer is surfaced as a discrete gap with a recommendation, an internal reference code (e.g. CONFORMITY-02), and the specific CRA Articles and Annexes the gap relates to.
The register is sortable, exportable, and forms the core input to the remediation plan — every gap arrives ready to be assigned to an owner and slotted into a sprint, release plan or audit committee timeline.
A gap register tells you what is wrong; the Action Register tracks what you are doing about it. Raise a remediation action against any gap and carry it to completion in a single tracked register — each action holds an owner, a priority, a target date and a status (Open, In Progress, Complete), with overdue items flagged automatically so nothing silently slips past its deadline.
This is what turns a point-in-time assessment into a managed programme: leadership sees open, in-progress, overdue and complete counts at a glance, and the same data exports to Word and Excel for the audit committee. When AI is enabled, it can draft a tailored remediation action for any gap — owner-ready wording mapped to the gap's CRA citation — which you review before it lands.
Marking a question Not Applicable is the easiest answer to give and the hardest to defend — so the assessment requires a written justification for every N/A, and logs each one in a dedicated Exclusions Register. The result is a single, reviewable list of every requirement you have scoped out and exactly why — the first thing a notified body or auditor interrogates, prepared in advance rather than reconstructed under questioning.
Every answer, note, evidence change and reviewer override is captured in a chronological audit log with an in-app version history viewer — the complete record of who did what and when, retained for the ten-year retention period the CRA requires.
Optional Shared Folder Mode turns the assessment into a true team workspace. Multiple reviewers work in parallel on the same assessment via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. Concurrent edits are reconciled automatically with merge-on-save, identity stamping shows who changed what, live change polling surfaces edits in seconds, and a 30-day soft delete with one-click restore prevents accidental data loss.
Evidence storage is resilient by design — per-file on-disk storage with content-derived filenames (so evidence titles do not leak through the folder browser), per-question and per-file caps, browser-storage quota monitoring, sync-conflict detection for OneDrive/SharePoint/Dropbox, a crash-recovery mirror, and a read-only Evidence Health Check audit available from Settings.
Twelve AI capabilities, optional and opt-in via your own Anthropic API key, accelerate every phase of the assessment — from understanding a question, to reviewing evidence, to drafting the narrative inside the Word report itself. The platform works fully without them; with them, weeks of consultant facilitation collapse to hours.
Phase 1
During the assessment
Phase 2
During review
Phase 3
Before & in the report
Phase 4
After completion
Phase 1
Per-question AI explanation in plain English with conversational follow-up — what the CRA requirement means, why it matters, and what good looks like. Ask follow-up questions without leaving the assessment.
Phase 1
Generate plain-English explanations for every question in a whole domain in one operation — with progress tracking. The on-ramp for a non-specialist who needs to come up to speed on a domain fast.
Phase 2
Turn bullet-point facts into structured prose justifications — the assessor captures key facts, AI drafts the defensible written rationale that lives with the answer.
Phase 2
Attached PDFs and images are read by AI and assessed against the specific CRA requirement for that question — gaps identified, quality concerns flagged, additional documentation suggested.
Phase 3
Diagnostic AI scan over the entire assessment before export — surfaces empty notes on Compliant answers, missing evidence on critical questions, reviewer/confidence inconsistencies, and overrides without justification. Diagnostic only; no answers are changed.
Phase 3 · In the Word report
The Word report opens with an AI-generated executive summary written from your actual assessment data — domain posture, headline gaps, regulatory exposure, and recommended priorities. The board narrative, drafted.
Phase 3 · In the Word report
Each of the 12 domains gets an AI-written narrative inside the Word report — what the domain covers, your posture, where the gaps sit, and what to do next. The kind of prose audit committees expect.
Phase 3 · In the Word report
AI-drafted prioritised remediation roadmap commentary inside the Word report — the bridge between the raw gap register and an executable plan, written in language that lands with leadership.
Phase 3 · In the Word report
An AI-generated strengths commentary section — the parts of the programme worth amplifying and signalling to the board. The assessment doesn't only catalogue gaps; it also recognises where you're already strong.
Phase 4
A free-form AI chat with full context of your completed assessment — every domain score, every gap, every CRA Article reference. Ask about any finding, prioritise remediation, or explore implications. Like an experienced second opinion that is always available.
Phase 4
An AI-organised scoping memo for borderline CRA classification questions — your inputs structured and aligned to the relevant CRA Articles, ready to take into a conversation with a notified body or qualified counsel. Does not make classification decisions.
Phase 4
When you load a previous assessment for comparison, AI drafts the narrative of what changed — what got better, what regressed, where evidence strengthened, and the trajectory story for the board.
All twelve AI features connect using your own Anthropic Claude API key. Typical usage costs a few dollars per full assessment cycle. Your data is never stored, transferred to CyberAssure, or used for AI training — and AI can be disabled site-wide via Settings for regulated environments.
The CRA imposes duties on the organisation and on every product. Assess both.
Classification, Annex I essential requirements, conformity blockers and a draft Declaration of Conformity — for every product you place on the EU market.
Learn moreHow the organisational and product assessments fit together into one compliance picture.
Compare bothFurther Reading
Resource
A plain-language guide to the CRA's enforcement timeline, product classification categories, essential requirements under Annex I, vulnerability reporting obligations, and conformity assessment pathways.
Read the guide