Overview

The EU Cyber Resilience Act (CRA) Organisational Readiness Assessment helps manufacturers, importers, distributors and authorised representatives evaluate their preparedness for the EU's landmark cybersecurity regulation for products with digital elements.

The assessment adapts to your role in the supply chain, presenting the specific obligations and questions relevant to your responsibilities under the CRA. For manufacturers, the assessment covers 73 questions across 8 domains — from secure-by-design development practices through to lifecycle support management. Importers, distributors and authorised representatives each receive a tailored question set aligned to their distinct CRA obligations.

Through structured evaluation criteria aligned to the CRA's essential requirements, you will assess your organisation's current readiness posture, identify compliance gaps, and develop a prioritised roadmap for CRA conformity ahead of the regulation's key deadlines.

Built-in snapshot and comparison functionality allows you to save point-in-time results and compare against previous assessments — making it easy to track readiness improvements over time, demonstrate progress to the board, and measure the effectiveness of remediation efforts.

EU CRA Enforcement Timeline

  • December 2024: Regulation in force. CRA published in the EU Official Journal. Compliance planning should begin now.
  • September 2026: Reporting obligations apply. Vulnerability and incident reporting to ENISA becomes mandatory. First hard deadline.
  • December 2027: Full compliance required. All essential requirements, CE marking, and conformity assessment obligations enforceable.

Also Available: CRA Product Compliance Assessment

Need to assess individual products against the CRA's essential requirements? Our companion Product Compliance Assessment evaluates each of your products with digital elements across 126 questions and 9 domains — with multi-product portfolio reporting, classification support, and evidence management.

Role-Based Assessments

The CRA places different obligations on different supply chain roles. This assessment adapts accordingly:

  • Manufacturer — 73 questions across 8 domains. The most comprehensive assessment, covering secure development, vulnerability management, product security, incident reporting, conformity, supply chain, user transparency, and lifecycle management.
  • Importer — 32 questions. Focused on due diligence, verification of manufacturer compliance, conformity documentation, market surveillance cooperation, and vulnerability handling obligations.
  • Distributor — 22 questions. Covers verification responsibilities, supply chain integrity, storage and transport conditions, market surveillance cooperation, and corrective action procedures.
  • Authorised Representative — 22 questions. Addresses mandate scope, documentation management, authority cooperation, compliance monitoring, and communication obligations between manufacturer and regulators.

Who It's For

This assessment is designed for:

  • Manufacturers of products with digital elements sold into the EU market
  • Importers placing products with digital elements on the EU market
  • Distributors making products with digital elements available on the EU market
  • Authorised representatives acting on behalf of manufacturers
  • Product security teams preparing for CRA conformity assessment
  • GRC and compliance teams assessing organisational readiness
  • Organisations needing to classify products against CRA Annex III and Annex IV

Typical Outcomes

Organisations using this assessment typically gain:

  • Clear understanding of current CRA readiness across all relevant obligations
  • Identification of compliance gaps mapped to specific CRA articles and annexes
  • Prioritised remediation roadmap for achieving CRA conformity
  • Documentation to support board reporting on regulatory readiness
  • Evidence of proactive compliance preparation ahead of enforcement deadlines
  • Ability to track and report readiness improvements over time through snapshot comparisons
  • Framework for ongoing CRA compliance monitoring

Assessment Coverage (Manufacturer)

The manufacturer assessment comprehensively evaluates CRA readiness across 8 domains:

  • Secure by Design & Development — Secure development lifecycle, threat modelling, secure coding standards, security testing, architecture review, and substantial modification processes
  • Vulnerability Management & Handling — Vulnerability identification, security update deployment, coordinated disclosure, public disclosure, ongoing testing, severity scoring, update verification, and remediation tracking
  • Product Security Properties — Access control, data protection, attack surface minimisation, data minimisation, secure data removal, secure communications, secure boot, credential management, network interface hardening, cloud backend security, and security logging
  • Incident Reporting & Communication — CSIRT and ENISA reporting within mandated timeframes, user notification, platform pre-registration, escalation procedures, tabletop exercises, and market surveillance authority reporting
  • Technical Documentation & Conformity — Technical documentation, EU Declarations of Conformity, CE marking, product classification, risk assessment methodology, documentation retention, market surveillance cooperation, harmonised standards, lifecycle documentation, language requirements, notified body engagement, compliance register, and substantial modification governance
  • Supply Chain & Third-Party Components — Third-party component due diligence, SBOM generation and maintenance, dependency vulnerability monitoring, supplier contractual requirements, and component security evaluation
  • User Information & Transparency — User documentation standards, support period policy, and manufacturer identification requirements
  • Lifecycle & Support Management — Long-term security update capability and security logging and monitoring standards

What You Receive

Executive Summary Report

Board-ready overview with readiness scores by CRA domain, exportable to Word format.

Detailed Gap Register

Comprehensive findings mapped to CRA articles and annexes with risk ratings, exportable to Excel.

Readiness Visualisations

Charts showing domain-by-domain CRA readiness for board and stakeholder presentations.

Prioritised Remediation Roadmap

Actionable recommendations ranked by risk to guide your path to CRA conformity.

Snapshot Comparison Reports

Save point-in-time snapshots, compare against previous assessments, and generate reports showing domain-by-domain improvements and regressions.

Example Report (Word)

Download a sample executive summary report to see the level of detail and insight the assessment provides.

Assess Your CRA Readiness

Get in touch to see the EU Cyber Resilience Act Organisational Readiness Assessment in action.

Further Reading

The EU Cyber Resilience Act: What Manufacturers Need to Do Before December 2027

A plain-language guide to the CRA's enforcement timeline, product classification categories, essential requirements under Annex I, vulnerability reporting obligations, and conformity assessment pathways.
