Overview
The EU Cyber Resilience Act (CRA) Organisational Readiness Assessment helps manufacturers, importers, distributors, authorised representatives and open-source software stewards evaluate their enterprise-wide preparedness for the EU's landmark cybersecurity regulation for products with digital elements.
The assessment covers 100 questions across 12 CRA domains, each mapped to specific CRA Articles and Annexes. Question sets adapt to the CRA roles your organisation plays — presenting the specific obligations relevant to your responsibilities under the regulation, with detailed self-assessment guidance defining what each compliance level means for that question.
Per-question evidence attachment, an independent reviewer workflow, and a complete chronological audit log produce a defensible, evidence-backed view of enterprise CRA readiness — with a prioritised remediation roadmap mapped to specific CRA Articles and clear visibility for the board on where investment is required.
Period-over-period reassessments anchor to the board reporting calendar, and the assessment updates in real time as CRA implementing acts and harmonised standards are finalised.
EU CRA Enforcement Timeline
December 2024
Regulation in force
CRA published in the EU Official Journal. Compliance planning should begin now.
September 2026
Reporting obligations apply
Vulnerability and incident reporting to ENISA becomes mandatory. First hard deadline.
December 2027
Full compliance required
All essential requirements, CE marking, and conformity assessment obligations enforceable.
Also Available: CRA Product Compliance Assessment
Need to assess individual products against the CRA's essential requirements? Our companion Product Compliance Assessment evaluates each of your products with digital elements across 126 questions and 9 domains — with multi-product portfolio reporting, classification support, and evidence management.
Role-Based Assessments
The CRA places different obligations on different supply chain roles. Your 100-question assessment adapts to the roles your organisation plays under the regulation:
- Manufacturer — The most comprehensive scope, covering secure development, vulnerability handling, product security properties, incident reporting, conformity assessment and technical documentation, supply chain, user transparency, and lifecycle and support management under Article 13.
- Importer — Due diligence, verification of manufacturer conformity, retention of documentation, market surveillance cooperation and vulnerability handling obligations under Article 19.
- Distributor — Verification responsibilities, supply chain integrity, storage and transport conditions, market surveillance cooperation, and corrective action procedures under Article 20.
- EU Authorised Representative — Mandate scope, documentation management, authority cooperation, compliance monitoring, and communication obligations between manufacturer and regulators under Article 18.
- Open-Source Software Steward — The obligations specific to open-source software stewards under Article 24, including cybersecurity policy, vulnerability handling and cooperation with market surveillance.
Where your organisation plays more than one role, the assessment combines the relevant question sets so a single instance covers your full CRA exposure.
Who It's For
This assessment is designed for:
- Manufacturers of products with digital elements sold into the EU market
- Importers placing products with digital elements on the EU market
- Distributors making products with digital elements available on the EU market
- EU authorised representatives acting on behalf of manufacturers
- Open-source software stewards with Article 24 obligations
- Product security teams preparing for CRA conformity assessment
- GRC and compliance teams assessing organisational readiness
- Organisations needing to classify products against CRA Annex III and Annex IV
Typical Outcomes
Organisations using this assessment typically gain:
- A defensible, evidence-backed view of enterprise CRA readiness across all 12 domains
- Identification of compliance gaps mapped to specific CRA Articles and Annexes
- A prioritised remediation roadmap for achieving CRA conformity
- Documentation to support board reporting on regulatory readiness
- A baseline that can be re-assessed period-over-period to demonstrate progress
- A notified-body-ready evidence pack for Module H engagement where required
- A framework for ongoing CRA compliance monitoring as the regulation evolves
Assessment Domains
The 100 questions are organised across 12 CRA domains, grouped into three workflow streams that mirror how CRA compliance work actually flows through an organisation:
Stream 1 · Governance & Design
- Product Security Governance — Board accountability, security policy, roles and responsibilities, programme governance and resource allocation.
- Security by Design & Default — Annex I Part I essential requirements built into the product across its lifecycle: secure architecture, secure defaults, attack-surface minimisation, access controls and security verification.
- Conformity Assessment & Documentation — Classification under Article 7 and Annex III, selection of the correct Annex VIII module, technical file under Annex VII, and EU Declaration of Conformity under Article 28 and Annex V.
- Economic Operator Obligations — Manufacturer, EU authorised representative, importer, distributor and open-source software steward obligations under Articles 13, 18, 19, 20 and 24.
Stream 2 · Risk & Response
- Risk Assessment & Management — Cybersecurity risk assessment, threat modelling, residual risk treatment and ongoing risk review.
- Vulnerability Handling & Disclosure — Coordinated vulnerability disclosure policy, continuous vulnerability monitoring and remediation tracking under Annex I Part II.
- Secure Update Mechanisms — Free security updates delivered throughout the declared support period, secure update channels, and update verification under Article 10(6).
- Incident Reporting & Response — Three-stage reporting under Article 14: 24-hour early warning, 72-hour incident notification and 14-day final report to ENISA and the national CSIRT, plus user notification obligations.
Stream 3 · Documentation & Conformity
- Supply Chain & Third-Party Management — Third-party component due diligence, supplier contractual requirements, and component security evaluation.
- Software Bill of Materials — SBOM generation, format, maintenance and dependency vulnerability monitoring.
- Market Surveillance & Post-Market — Cooperation with national market surveillance authorities under Articles 52–55, documented non-conformity escalation and recall procedures.
- User Information & Instructions — Annex II user documentation requirements, support period policy, and manufacturer identification.
Evidence Collection & Self-Assessment Guide
Each of the 100 questions uses a 4-point answer scale — Not Met · Partially Met · Met · Met with Continuous Improvement — plus N/A with required justification. A free-text justification field captures the rationale, inline glossary tooltips explain CRA terminology on hover, and side-by-side panels present a detailed Self-Assessment Guide defining what each compliance level means and an Evidence Files drag-and-drop area for attaching supporting documents directly to the question. PDFs, images, Word, Excel and CSV are all accepted, and a "No evidence available" checkbox handles cases where evidence cannot be provided.
Evidence lives with the answer that depends on it — not in a SharePoint folder, not in someone's email, not in a shared drive nobody can find. When an auditor or notified body asks "prove it", the substantiating artefact is one click away.
Independent Reviewer Workflow
A second pair of eyes is the difference between "claimed" and "substantiated". An independent reviewer captures observations against the evidence in three structured fields:
- Evidence Review Notes — What the evidence demonstrates, gaps identified, and plans for additional evidence.
- Evidence Confidence — Rated None · Weak · Partial · Strong, with a free-text justification describing evidence quality and documentation gaps.
- Reviewer's Compliance Conclusion — Lets the reviewer override the original self-assessment where the evidence clearly contradicts it, with both the original answer and the reviewer override preserved in the audit trail.
The reviewer workflow underpins the difference between self-assessed and evidence-validated scoring on the results dashboard — the view a notified body will look at first.
Domain Compliance & Gaps Register
Once questions are answered, results surface in three connected views:
- Domain Compliance Analysis — Per-domain rollup scores with a red-to-green gradient bar and a one-line description of each domain's regulatory scope.
- Evidence Review Validation — Separates self-assessed scores from evidence-validated scores, with an Evidence Confidence Breakdown (Full, Partial, No-evidence).
- Compliance Gaps Register — Every Not Met or Partially Met answer is surfaced as a discrete gap with a recommendation, an internal reference code (e.g. CONFORMITY-02), and the specific CRA Articles and Annexes the gap relates to.
The register is sortable, exportable, and forms the core input to the remediation plan — every gap arrives ready to be assigned to an owner and slotted into a sprint, release plan or audit committee timeline.
Audit Log, Collaboration & Resilient Storage
Every answer, note, evidence change and reviewer override is captured in a chronological audit log with an in-app version history viewer — the complete record of who did what and when, retained for the ten-year period the CRA requires.
Optional Shared Folder Mode turns the assessment into a true team workspace. Multiple reviewers work in parallel on the same assessment via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. Concurrent edits are reconciled automatically with merge-on-save, identity stamping shows who changed what, live change polling surfaces edits in seconds, and a 30-day soft delete with one-click restore prevents accidental data loss.
Evidence storage is resilient by design:
- Per-file on-disk storage with content-derived filenames, so evidence titles do not leak through the folder browser.
- Per-question and per-file size caps.
- Browser-storage quota monitoring.
- Sync-conflict detection for OneDrive, SharePoint and Dropbox.
- A crash-recovery mirror.
- A read-only Evidence Health Check audit, available from Settings.
