Mapped to your CRA role

Obligations differ by economic-operator role — Manufacturer, Importer, Distributor, Authorised Representative, Open-Source Software Steward — so you assess against Articles 13/18/19/20/24 that actually apply to you.

All twelve CRA domains

Governance, risk, conformity, supply chain, secure-by-design, vulnerability handling, updates, SBOM, incident reporting, market surveillance and more — 102 questions on a four-point maturity scale.

Defensible, not self-graded

Self-assessment, independent reviewer override, and evidence-confidence ratings sit side by side, with a full audit trail — the evidence a market-surveillance authority or notified body expects.

Yours, and private

Runs in your browser — no SaaS, no account. Optional AI connects only when you choose, using your own API key, and never sends data to CyberAssure.

Regulatory Context

The CRA clock is already running

Vulnerability and incident reporting obligations apply from 11 September 2026; full conformity and CE-marking obligations from 11 December 2027. Non-compliance carries penalties of up to €15 million or 2.5% of global turnover, and a product without demonstrable conformity simply can't be placed on the EU market.

Read: the EU Cyber Resilience Act explained →

How it works — in three steps

No installs, no accounts, no data leaving your environment.

1

Get the tool

Request access and we provide the assessment — a self-contained file that opens in your browser. Nothing to install, no account to create.

2

Assess your organisation locally

Answer the 102 questions against the roles you hold, attach evidence, and run the independent-reviewer pass — all on your own device. Optional AI runs on your own Anthropic key.

3

Export reports & deliverables

Generate the readiness report, gap register, the Module H preparation pack, the CRA Coverage Map and a draft Declaration of Conformity — in one click.

What You Receive

One assessment becomes every deliverable — board narrative, project tracker, evidence pack, regulator dossier and notified-body audit pack.

AI-Enhanced Word Report

The narrative deliverable — domain compliance analysis, gap register with CRA Article references, prioritised remediation plan and glossary. When AI is enabled, the report includes AI-generated executive summary, per-domain narratives, remediation roadmap commentary and a "What You're Doing Well" strengths section.

Excel Workbook

The same data in tabular form across multiple sheets for project tracking, owner assignment and status. Drops into JIRA, Asana or Smartsheet without re-keying.

Evidence Package (ZIP)

Every attached evidence file, organised by question reference, with a full Excel register cataloguing each file. The audit pack — ships in one click when a regulator or notified body asks for substantiation.

CRA Article Coverage Map

A downloadable Word document showing which CRA Articles and Annex items your assessment covers, with per-item coverage statistics, semantic status colours (Met / Partial / Not Met / N/A / Unanswered), and one section per page. Surfaces uncovered Articles that auditors ask about first.

Period-over-Period Comparison

Load a previous assessment to generate a domain-by-domain change report — improvements, regressions, evidence added/removed, reviewer-decision changes, and compliance trajectory over time. Multi-period trend analysis supported.

Evidence-Validated Scoring

The headline view that separates self-assessed scores from evidence-validated scores — with an Evidence Confidence Breakdown (Full, Partial, No-evidence) that protects against the optimism bias that makes self-assessments unreliable.

JSON Backup & Restore

Portable, self-contained snapshot of the assessment, evidence references and audit history. Restore from backup at any time. Your data, your format, no vendor lock-in.

Audit Log & Version History

Chronological record of every answer, note, evidence change and reviewer override — plus an in-app version history viewer. The full defensibility trail for the ten-year retention period the CRA requires.

Action Register

A tracked remediation register built from the gap list — owner, priority, target date and status on every action, with overdue items flagged and open/in-progress/complete counts for the board. Exportable to Word and Excel.

CRA Suite Coverage Mapping

A fixed reference document mapping every question in the CRA suite to its precise CRA Article and Annex citations — the reconciliation auditors and notified bodies ask for, separate from your own personalised Coverage Map.

Consultant vs spreadsheet vs CyberAssure

The defensibility of a consultant engagement, the control of doing it yourself — without the cost of either failing you.

Big-4 consultant Internal spreadsheet CyberAssure
Cost$40k+ per engagementLow, but hiddenA fraction of consultant cost
Role-mapped obligations + all 12 domains
Repeatable, same method every period~
Conformity deliverables (Module H pack, DoC, Coverage Map)~
Independent reviewer & evidence audit trail
Data stays on your device
Board-ready reports in hours, not weeks~
Expertise stays in-house

Pricing

Licensed per entity, per year — completed once per manufacturer organisation. No per-seat fees and no usage metering, and because it runs on your own device there are no hosting or data-residency surprises. Get in touch for a quote.

Book a demo Contact for pricing

Common questions

Will this hold up under market surveillance or a notified-body engagement?

Yes. Every requirement pairs a self-assessment with an independent reviewer conclusion and an evidence-confidence rating, with a full audit log. It produces the structured, evidence-backed record an authority or notified body expects, plus period-over-period history showing a credible trajectory — exactly what's examined if you're challenged. It doesn't replace a formal assessment; it produces the evidence that makes one efficient.

How do we know which obligations actually apply to us?

The assessment maps obligations to your economic-operator role(s) — Manufacturer, Importer, Distributor, Authorised Representative or Open-Source Software Steward (Articles 13/18/19/20/24). You identify the roles you hold and the questions for roles you don't are excluded, so you're not scored against duties that aren't yours.

If we enable AI, what data is sent — and to whom?

AI is off by default. When you switch it on, requests go directly from your browser to Anthropic using your own API key — never through CyberAssure's servers, and nothing is stored by us. A sensitive-data warning is shown before any evidence is submitted, and AI can be disabled entirely for regulated environments.

What happens to our assessment and evidence if we stop — or if CyberAssure disappears?

You own everything outright. Your assessment and evidence live in your own files and export to Word, Excel and JSON. There's no cloud database to be locked out of and no vendor hosting your data.

How current is it as the CRA's implementing acts and harmonised standards land?

It tracks Regulation (EU) 2024/2847, its Annexes and the emerging harmonised standards, and is maintained as they're finalised — so you assess against the current requirements, not a frozen snapshot.

See the full enterprise FAQ →

Know exactly where your organisation stands on the CRA

Book a demo, or request access and run your organisational readiness assessment.

Book a demo Request access
Explore every feature, domain and AI capability Expand ▾

Overview

The EU Cyber Resilience Act (CRA) Organisational Readiness Assessment helps manufacturers, importers, distributors, authorised representatives and open-source software stewards evaluate their enterprise-wide preparedness for the EU's landmark cybersecurity regulation for products with digital elements.

The assessment covers 100 questions across 12 CRA domains, each mapped to specific CRA Articles and Annexes. Question sets adapt to the CRA roles your organisation plays — presenting the specific obligations relevant to your responsibilities under the regulation, with detailed self-assessment guidance defining what each compliance level means for that question.

Per-question evidence attachment, an independent reviewer workflow, and a complete chronological audit log produce a defensible, evidence-backed view of enterprise CRA readiness — with a prioritised remediation roadmap mapped to specific CRA Articles and clear visibility for the board on where investment is required.

Period-over-period reassessments anchor to the board reporting calendar, and the assessment updates in real time as CRA implementing acts and harmonised standards are finalised.

EU CRA Enforcement Timeline

December 2024

Regulation in force

CRA published in the EU Official Journal. Compliance planning should begin now.

September 2026

Reporting obligations apply

Vulnerability and incident reporting to ENISA becomes mandatory. First hard deadline.

December 2027

Full compliance required

All essential requirements, CE marking, and conformity assessment obligations enforceable.

Also Available: CRA Product Compliance Assessment

Need to assess individual products against the CRA's essential requirements? Our companion Product Compliance Assessment evaluates each of your products with digital elements across 136 questions and 9 domains — with binary essential-requirement scoring that flags conformity blockers, multi-product portfolio reporting, classification support, and evidence management.

Learn More → Compare both →

Role-Based Assessments

The CRA places different obligations on different supply chain roles. Your 100-question assessment adapts to the roles your organisation plays under the regulation:

  • Manufacturer — The most comprehensive scope, covering secure development, vulnerability handling, product security properties, incident reporting, conformity assessment and technical documentation, supply chain, user transparency, and lifecycle and support management under Article 13.
  • Importer — Due diligence, verification of manufacturer conformity, retention of documentation, market surveillance cooperation and vulnerability handling obligations under Article 19.
  • Distributor — Verification responsibilities, supply chain integrity, storage and transport conditions, market surveillance cooperation, and corrective action procedures under Article 20.
  • EU Authorised Representative — Mandate scope, documentation management, authority cooperation, compliance monitoring, and communication obligations between manufacturer and regulators under Article 18.
  • Open-Source Software Steward — The obligations specific to open-source software stewards under Article 24, including cybersecurity policy, vulnerability handling and cooperation with market surveillance.

Where your organisation plays more than one role, the assessment combines the relevant question sets so a single instance covers your full CRA exposure.

Who It's For

This assessment is designed for:

  • Manufacturers of products with digital elements sold into the EU market
  • Importers placing products with digital elements on the EU market
  • Distributors making products with digital elements available on the EU market
  • EU authorised representatives acting on behalf of manufacturers
  • Open-source software stewards with Article 24 obligations
  • Product security teams preparing for CRA conformity assessment
  • GRC and compliance teams assessing organisational readiness
  • Organisations needing to classify products against CRA Annex III and Annex IV

Typical Outcomes

Organisations using this assessment typically gain:

  • A defensible, evidence-backed view of enterprise CRA readiness across all 12 domains
  • Identification of compliance gaps mapped to specific CRA Articles and Annexes
  • A prioritised remediation roadmap for achieving CRA conformity
  • Documentation to support board reporting on regulatory readiness
  • A baseline that can be re-assessed period-over-period to demonstrate progress
  • A notified-body-ready evidence pack for Module H engagement where required
  • A framework for ongoing CRA compliance monitoring as the regulation evolves

Assessment Domains

The 100 questions are organised across 12 CRA domains, grouped into three workflow streams that mirror how CRA compliance work actually flows through an organisation:

Stream 1 · Governance & Design

  • Product Security Governance — Board accountability, security policy, roles and responsibilities, programme governance and resource allocation.
  • Security by Design & Default — Annex I Part I essential requirements built into the product across its lifecycle: secure architecture, secure defaults, attack-surface minimisation, access controls and security verification.
  • Conformity Assessment & Documentation — Classification under Article 7 and Annex III, selection of the correct Annex VIII module, technical file under Annex VII, and EU Declaration of Conformity under Article 28 and Annex V.
  • Economic Operator Obligations — Manufacturer, EU authorised representative, importer, distributor and open-source software steward obligations under Articles 13, 18, 19, 20 and 24.

Stream 2 · Risk & Response

  • Risk Assessment & Management — Cybersecurity risk assessment, threat modelling, residual risk treatment and ongoing risk review.
  • Vulnerability Handling & Disclosure — Coordinated vulnerability disclosure policy, continuous vulnerability monitoring and remediation tracking under Annex I Part II.
  • Secure Update Mechanisms — Free security updates delivered throughout the declared support period, secure update channels, and update verification under Article 10(6).
  • Incident Reporting & Response — Three-stage reporting under Article 14: 24-hour early warning, 72-hour incident notification and 14-day final report to ENISA and the national CSIRT, plus user notification obligations.

Stream 3 · Documentation & Conformity

  • Supply Chain & Third-Party Management — Third-party component due diligence, supplier contractual requirements, and component security evaluation.
  • Software Bill of Materials — SBOM generation, format, maintenance and dependency vulnerability monitoring.
  • Market Surveillance & Post-Market — Cooperation with national market surveillance authorities under Articles 52–55, documented non-conformity escalation and recall procedures.
  • User Information & Instructions — Annex II user documentation requirements, support period policy, and manufacturer identification.

Evidence Collection & Self-Assessment Guide

Each of the 100 questions uses a 4-point answer scaleNot Met · Partially Met · Met · Met with Continuous Improvement — plus N/A with required justification. A free-text justification field captures the rationale, inline glossary tooltips explain CRA terminology on hover, and side-by-side panels present a detailed Self-Assessment Guide defining what each compliance level means and an Evidence Files drag-and-drop area for attaching supporting documents directly to the question. PDFs, images, Word, Excel and CSV are all accepted, and a "No evidence available" checkbox handles cases where evidence cannot be provided.

Evidence lives with the answer that depends on it — not in a SharePoint folder, not in someone's email, not in a shared drive nobody can find. When an auditor or notified body asks "prove it", the substantiating artefact is one click away.

Independent Reviewer Workflow

A second pair of eyes is the difference between "claimed" and "substantiated". An independent reviewer captures observations against the evidence in three structured fields:

  • Evidence Review Notes — What the evidence demonstrates, gaps identified, and plans for additional evidence.
  • Evidence Confidence — Rated None · Weak · Partial · Strong, with a free-text justification describing evidence quality and documentation gaps.
  • Reviewer's Compliance Conclusion — Lets the reviewer override the original self-assessment where the evidence clearly contradicts it, with both the original answer and the reviewer override preserved in the audit trail.

The reviewer workflow underpins the difference between self-assessed and evidence-validated scoring on the results dashboard — the view a notified body will look at first.

Domain Compliance & Gaps Register

Once questions are answered, results surface in three connected views: a Domain Compliance Analysis showing per-domain rollup scores with a red-to-green gradient bar and one-line descriptions of regulatory scope; an Evidence Review Validation section that separates self-assessed scores from evidence-validated scores with an Evidence Confidence Breakdown (Full, Partial, No-evidence); and a Compliance Gaps Register where every Not Met or Partially Met answer is surfaced as a discrete gap with a recommendation, an internal reference code (e.g. CONFORMITY-02), and the specific CRA Articles and Annexes the gap relates to.

The register is sortable, exportable, and forms the core input to the remediation plan — every gap arrives ready to be assigned to an owner and slotted into a sprint, release plan or audit committee timeline.

Action Register — Close the Loop on Every Gap

A gap register tells you what is wrong; the Action Register tracks what you are doing about it. Raise a remediation action against any gap and carry it to completion in a single tracked register — each action holds an owner, a priority, a target date and a status (Open, In Progress, Complete), with overdue items flagged automatically so nothing silently slips past its deadline.

This is what turns a point-in-time assessment into a managed programme: leadership sees open, in-progress, overdue and complete counts at a glance, and the same data exports to Word and Excel for the audit committee. When AI is enabled, it can draft a tailored remediation action for any gap — owner-ready wording mapped to the gap's CRA citation — which you review before it lands.

N/A Handling & the Exclusions Register

Marking a question Not Applicable is the easiest answer to give and the hardest to defend — so the assessment requires a written justification for every N/A, and logs each one in a dedicated Exclusions Register. The result is a single, reviewable list of every requirement you have scoped out and exactly why — the first thing a notified body or auditor interrogates, prepared in advance rather than reconstructed under questioning.

Audit Log, Collaboration & Resilient Storage

Every answer, note, evidence change and reviewer override is captured in a chronological audit log with an in-app version history viewer — the complete record of who did what and when, retained for the ten-year retention period the CRA requires.

Optional Shared Folder Mode turns the assessment into a true team workspace. Multiple reviewers work in parallel on the same assessment via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. Concurrent edits are reconciled automatically with merge-on-save, identity stamping shows who changed what, live change polling surfaces edits in seconds, and a 30-day soft delete with one-click restore prevents accidental data loss.

Evidence storage is resilient by design — per-file on-disk storage with content-derived filenames (so evidence titles do not leak through the folder browser), per-question and per-file caps, browser-storage quota monitoring, sync-conflict detection for OneDrive/SharePoint/Dropbox, a crash-recovery mirror, and a read-only Evidence Health Check audit available from Settings.

AI woven through every stage

AI assistance that earns its place.

Twelve AI capabilities, optional and opt-in via your own Anthropic API key, accelerate every phase of the assessment — from understanding a question, to reviewing evidence, to drafting the narrative inside the Word report itself. The platform works fully without them; with them, weeks of consultant facilitation collapse to hours.

Phase 1

During the assessment

Phase 2

During review

Phase 3

Before & in the report

Phase 4

After completion

Phase 1

Explain This Question

Per-question AI explanation in plain English with conversational follow-up — what the CRA requirement means, why it matters, and what good looks like. Ask follow-up questions without leaving the assessment.

Phase 1

Bulk "Explain All" by Domain

Generate plain-English explanations for every question in a whole domain in one operation — with progress tracking. The on-ramp for a non-specialist who needs to come up to speed on a domain fast.

Phase 2

AI-Assisted Note Drafting

Turn bullet-point facts into structured prose justifications — the assessor captures key facts, AI drafts the defensible written rationale that lives with the answer.

Phase 2

AI-Powered Evidence Analysis

Attached PDFs and images are read by AI and assessed against the specific CRA requirement for that question — gaps identified, quality concerns flagged, additional documentation suggested.

Phase 3

Pre-Export Quality Review

Diagnostic AI scan over the entire assessment before export — surfaces empty notes on Compliant answers, missing evidence on critical questions, reviewer/confidence inconsistencies, and overrides without justification. Diagnostic only; no answers are changed.

Phase 3 · In the Word report

AI Executive Summary

The Word report opens with an AI-generated executive summary written from your actual assessment data — domain posture, headline gaps, regulatory exposure, and recommended priorities. The board narrative, drafted.

Phase 3 · In the Word report

AI Domain Narratives

Each of the 12 domains gets an AI-written narrative inside the Word report — what the domain covers, your posture, where the gaps sit, and what to do next. The kind of prose audit committees expect.

Phase 3 · In the Word report

AI Remediation Roadmap

AI-drafted prioritised remediation roadmap commentary inside the Word report — the bridge between the raw gap register and an executable plan, written in language that lands with leadership.

Phase 3 · In the Word report

"What You're Doing Well"

An AI-generated strengths commentary section — the parts of the programme worth amplifying and signalling to the board. The assessment doesn't only catalogue gaps; it also recognises where you're already strong.

Phase 4

Personal Security Advisor

A free-form AI chat with full context of your completed assessment — every domain score, every gap, every CRA Article reference. Ask about any finding, prioritise remediation, or explore implications. Like an experienced second opinion that is always available.

Phase 4

Decision Support Worksheet

An AI-organised scoping memo for borderline CRA classification questions — your inputs structured and aligned to the relevant CRA Articles, ready to take into a conversation with a notified body or qualified counsel. Does not make classification decisions.

Phase 4

Period-Comparison Analysis

When you load a previous assessment for comparison, AI drafts the narrative of what changed — what got better, what regressed, where evidence strengthened, and the trajectory story for the board.

Bring your own API key · Pay only for what you use

All twelve AI features connect using your own Anthropic Claude API key. Typical usage costs a few dollars per full assessment cycle. Your data is never stored, transferred to CyberAssure, or used for AI training — and AI can be disabled site-wide via Settings for regulated environments.

The other half of CRA compliance

The CRA imposes duties on the organisation and on every product. Assess both.

Per product

CRA Product Compliance Assessment

Classification, Annex I essential requirements, conformity blockers and a draft Declaration of Conformity — for every product you place on the EU market.

Learn more
Both, side by side

CRA Assessment Suite

How the organisational and product assessments fit together into one compliance picture.

Compare both

Further Reading

Resource

The EU Cyber Resilience Act: What Manufacturers Need to Do Before December 2027

A plain-language guide to the CRA's enforcement timeline, product classification categories, essential requirements under Annex I, vulnerability reporting obligations, and conformity assessment pathways.

Read the guide