Overview
While the CRA Organisational Readiness Assessment evaluates whether your organisation is prepared for the Cyber Resilience Act, this companion tool goes product by product — taking each individual product with digital elements through the CRA conformity pathway end-to-end: classification, technical controls, documentation and Declaration of Conformity.
The assessment covers 136 questions across 9 compliance domains, with each question carrying a reference code (e.g. CLASS-05) and direct hyperlinks to the specific CRA Articles and Annex Parts it addresses. A built-in classification engine assigns each product to its correct tier — Default, Important Class I/II or Critical — and the matching Annex VIII module. An EU Declaration of Conformity Builder pre-fills a draft DoC per Article 28 and Annex V directly from your assessment data.
Per-question evidence attachment, an independent reviewer workflow with evidence confidence ratings, and a chronological audit log produce a defensible, audit-ready position for every product placed on the EU market. Products can be assessed individually or managed as a portfolio — the portfolio dashboard surfaces cross-product compliance via heatmap, identifies common gaps where multiple products are non-compliant, and produces board-ready compliance reports covering your entire product range.
Multi-Product Portfolio Mode
Unlike single-product tools, this assessment is built for organisations with multiple products in scope. The Product Registry holds every product in your CRA portfolio, each with its own classification, conformity module, support-period commitment and assessment status — all visible on a single dashboard:
- Add and assess any number of products within a single assessment instance
- Classify each product independently — Default, Important Class I (Annex III), Important Class II (Annex III), or Critical (Annex IV)
- Portfolio Compliance Heatmap — A cross-product matrix of products against the nine CRA domains, with colour-coded shading (green ≥80%, amber 60–79%, orange 40–59%, red <40%), portfolio average row, and sortable columns to surface the weakest domains across the portfolio
- Portfolio Analysis by Domain — Average compliance across all assessed products, sorted lowest-to-highest so the conversation always starts with the highest-leverage problem
- Common Gaps Register — Requirements where multiple products are non-compliant, with the explicit list of affected products. Fix one root cause, clear many product-level gaps at once
- Common Evidence Weaknesses — Surfaces patterns where evidence quality is consistently weak across products, pointing at systemic documentation deficiencies worth addressing centrally
- Generate portfolio-level Word and Excel reports alongside per-product reports
For team-based assessment, optional Shared Folder Mode turns the portfolio into a collaborative workspace via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox — with per-product file locking (so two assessors don't trample each other's work), identity stamping (every change attributed to a named assessor), live change polling, automatic merge-on-save when two reviewers edit concurrently, and 30-day soft delete with one-click restore.
Product Classification
The CRA requires different conformity assessment pathways depending on product classification. The assessment includes an interactive classification module that helps you determine the correct category for each product:
- Default — Products with digital elements that appear in neither Annex III nor Annex IV. Self-assessment under internal control (Annex VIII Module A), using harmonised standards where available.
- Important — Class I (Annex III) — Examples from the adopted Regulation: identity management and privileged access management systems, browsers, password managers, anti-malware software, products with VPN functionality, network management systems, SIEM, boot managers, PKI and certificate issuance software, operating systems, routers, modems and switches, and microprocessors, microcontrollers, ASICs and FPGAs with security-related functionalities. Self-assessment (Module A) is only available where harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full; otherwise a notified body is needed (Module B+C or Module H).
- Important — Class II (Annex III) — Hypervisors and container runtimes, firewalls and intrusion detection/prevention systems, and tamper-resistant microprocessors and microcontrollers. Notified-body assessment is always required (Module B+C or Module H).
- Critical (Annex IV) — Hardware devices with security boxes, smart meter gateways and similar secure cryptoprocessing devices, and smartcards and secure elements. Must be certified under a European cybersecurity certification scheme where the Commission has mandated one; where none is mandated, the Class II procedures apply.
Assessment Domains
Each product is evaluated across 9 CRA compliance domains, organised into three workflow streams — Product Readiness, Risk & Response, and Documentation & Conformity — that mirror how product compliance work actually flows:
- Product Classification (12 questions) — Classification under Articles 7 and 8 and Annex III/IV; assignment to the correct CRA tier and Annex VIII conformity module.
- Security by Design (20 questions) — Annex I Part I essential requirements: secure architecture, secure defaults, threat modelling, attack-surface minimisation, secure coding, security verification.
- Technical Security Properties (24 questions) — Access control, data protection, secure communications, secure boot, credential management, network hardening, logging — the technical controls inside the product itself.
- Vulnerability Handling (19 questions) — Coordinated vulnerability disclosure, security update process, severity scoring, update verification and remediation tracking under Annex I Part II.
- Incident Reporting & Response (10 questions) — Three-stage reporting under Article 14: 24-hour early warning, 72-hour notification, and a final report (due 14 days after a corrective or mitigating measure becomes available for an actively exploited vulnerability, or one month after the notification for a severe incident), plus user notification and pre-registration on the ENISA single reporting platform.
- Technical Documentation (15 questions) — Annex VII technical file: design documentation, risk assessment, test results, SBOM, support-period commitment, and retention for ten years or the support period, whichever is longer.
- Conformity Assessment Readiness (12 questions) — Module selection per Annex VIII, conformity procedure execution, EU Declaration of Conformity preparation, CE marking, notified body engagement.
- User Information & Instructions (13 questions) — Annex II user documentation, security information for users, secure-usage guidance, manufacturer identification, language requirements.
- Supply Chain & Components (11 questions) — Third-party component due diligence, SBOM generation and maintenance, dependency vulnerability monitoring, supplier contractual requirements.
Questions adapt to the product's CRA classification — only the questions relevant to the assigned tier and conformity pathway are presented. Each question is referenced (e.g. CLASS-05, SECURE-12, TECHSEC-08) with direct hyperlinks to the CRA Articles and Annex Parts it addresses, so the regulatory basis is always one click away.
Evidence Collection & Self-Assessment Guide
Each question is presented with three side-by-side panels designed to eliminate the calibration problem where five assessors give five different answers to the same question:
- Example Evidence to Consider — Lists illustrative artefacts (signed conformity-pathway determinations, module-selection rationales, pathway planning artefacts) that organisations commonly gather. The list is not mandatory but tells the assessor exactly what good looks like for that question.
- Self-Assessment Guide — Defines each compliance level (Compliant, Partially Compliant, In Progress, Not Compliant) with explicit criteria tied directly to CRA evidentiary expectations.
- Evidence Files — Drag-and-drop area for attaching supporting documents directly to the question. PDFs and images can be optionally AI-reviewed for relevance; Word, Excel and CSV files are also accepted.
The assessment maintains a complete evidence register that can be exported as a packaged archive — making it straightforward to compile the documentation needed for conformity assessment, notified-body engagement or audit preparation.
Independent Reviewer Workflow
A second pair of eyes is the difference between "claimed" and "substantiated". An independent reviewer captures observations against the evidence in three structured fields:
- Evidence Review Notes — What the evidence demonstrates, gaps identified, and plans for additional evidence.
- Evidence Confidence — Rated None · Weak · Partial · Strong, with a free-text justification describing evidence quality and documentation gaps.
- Reviewer's Compliance Conclusion — Lets the reviewer override the self-assessment where evidence clearly contradicts it, with both the original answer and the override preserved in the audit trail.
Per-Product Gap Register
Once the assessment is complete, every Not Compliant, In Progress and Partially Compliant question is surfaced as a gap for that product — each with a specific recommendation, the originating question reference code (clickable to jump back to the question), the relevant CRA Article and Annex citations, and a status indicator. The per-product gap register feeds the prioritised remediation plan in the Word and Excel exports, turning a compliance assessment directly into engineering work for the product's release plan.
Evidence Expiry Tracking
Much CRA evidence is time-bound — SOC 2 reports, penetration test results, code-signing certificates, third-party security attestations — and silently goes stale. Each piece of attached evidence supports an optional expiry date, and the dashboard surfaces warnings well before evidence lapses. A dedicated Evidence Expiry Overview shows everything coming due across the portfolio, so renewals are planned, not discovered at audit time.
Period-over-Period Comparison
Load a previous assessment for any product and the platform generates a domain-by-domain change report: which questions improved, which regressed, where evidence was added or removed, and what changed about reviewer decisions. The comparison narrative — drafted by AI when enabled — turns "we re-assessed the product" into a board-ready trajectory story.
Audit Log, Version History & Resilient Storage
Every answer, note, evidence change and reviewer override is captured in a chronological audit log with an in-app version history viewer: the complete record of who did what and when, retained for the period the CRA sets for technical documentation (ten years, or the support period if longer).
Evidence storage is resilient by design — per-file on-disk storage with content-derived filenames (so evidence titles do not leak through the folder browser), per-question and per-file caps, browser-storage quota monitoring with persistent-storage request, sync-conflict detection for OneDrive/SharePoint/Dropbox, a crash-recovery mirror in localStorage, and a read-only Evidence Health Check audit available from Settings.
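The storage design described above, as an added example that is not the tool's own code: a small content-addressed evidence store in Python that names each file by the SHA-256 of its content, keeps titles only in a manifest, enforces per-question and per-file caps, and runs a read-only health check over the result. The caps, the `files/` layout, the manifest format and the question references used are assumptions for illustration; the constructed sample evidence is a few bytes, not real documents.

```python
"""Added illustration (not the tool's own code): content-addressed evidence
storage with per-question and per-file caps and a read-only health check.
Caps, directory layout and manifest format are assumptions for this example."""
import hashlib
import json
import tempfile
from pathlib import Path

MAX_FILE_BYTES = 25 * 1024 * 1024   # assumed per-file cap
MAX_FILES_PER_QUESTION = 20         # assumed per-question cap


class EvidenceStore:
    """Files live under files/<sha256>.bin; titles live only in manifest.json,
    so a folder browser or sync client sees nothing but hex names."""

    def __init__(self, root: Path) -> None:
        self.root = Path(root)
        self.files = self.root / "files"
        self.files.mkdir(parents=True, exist_ok=True)
        self.manifest_path = self.root / "manifest.json"
        self.manifest: dict = (
            json.loads(self.manifest_path.read_text()) if self.manifest_path.exists() else {}
        )

    def _save(self) -> None:
        self.manifest_path.write_text(json.dumps(self.manifest, indent=2))

    def add(self, question_ref: str, title: str, data: bytes) -> str:
        """Attach evidence to a question; returns the content hash used as the filename."""
        if len(data) > MAX_FILE_BYTES:
            raise ValueError(f"{title}: exceeds per-file cap of {MAX_FILE_BYTES} bytes")
        entries = self.manifest.setdefault(question_ref, [])
        if len(entries) >= MAX_FILES_PER_QUESTION:
            raise ValueError(f"{question_ref}: per-question cap of {MAX_FILES_PER_QUESTION} reached")
        digest = hashlib.sha256(data).hexdigest()
        path = self.files / f"{digest}.bin"
        if not path.exists():            # identical content attached twice is stored once
            path.write_bytes(data)
        entries.append({"title": title, "sha256": digest, "size": len(data)})
        self._save()
        return digest

    def health_check(self) -> list[str]:
        """Read-only audit: every manifest entry must resolve to a file whose
        content still hashes to its name, and every file must be referenced."""
        findings: list[str] = []
        referenced: set[str] = set()
        for question_ref, entries in self.manifest.items():
            for entry in entries:
                referenced.add(entry["sha256"])
                path = self.files / f"{entry['sha256']}.bin"
                if not path.exists():
                    findings.append(f"{question_ref}: missing file for '{entry['title']}'")
                    continue
                if hashlib.sha256(path.read_bytes()).hexdigest() != entry["sha256"]:
                    findings.append(f"{question_ref}: content mismatch for '{entry['title']}'")
        for path in self.files.glob("*.bin"):
            if path.stem not in referenced:
                findings.append(f"orphan: {path.name} is not referenced by any question")
        return findings


def demo() -> dict:
    """Constructed scenario: three attachments (one a duplicate), then one file
    altered on disk and a stray file left behind, as a sync conflict might do."""
    store = EvidenceStore(Path(tempfile.mkdtemp(prefix="cra-evidence-")))
    pentest = b"%PDF-1.7 constructed sample: 2024 penetration test report"
    memo = b"%PDF-1.7 constructed sample: classification memo"
    store.add("TECHSEC-08", "2024 pentest report.pdf", pentest)
    store.add("CLASS-05", "Classification memo.pdf", memo)
    store.add("SECURE-12", "pentest report (copy).pdf", pentest)   # deduplicated on disk
    names = sorted(p.name for p in store.files.iterdir())
    (store.files / f"{hashlib.sha256(memo).hexdigest()}.bin").write_bytes(b"truncated")
    (store.files / "conflicted copy.bin").write_bytes(b"stray")
    return {"names": names, "files_on_disk": len(names), "findings": store.health_check()}


if __name__ == "__main__":
    result = demo()
    print("on disk:", result["names"])
    for finding in result["findings"]:
        print("finding:", finding)
```

The health check is deliberately read-only: a mismatched or orphaned file is reported, not deleted, so a sync conflict is investigated and the surviving copy chosen by a person. Note that the manifest is the trust anchor of this layout; an attacker who can rewrite both a file and its manifest entry defeats the hash check, which is why the manifest belongs in the backup and the audit log rather than only in the synced folder.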
Reporting & Exports
The assessment produces five per-product exports plus two portfolio-level exports — every deliverable drawn from the same underlying assessment data, so there is one single source of truth across the board pack, the project tracker, the audit pack and the regulator-ready dossier.
Per-Product Exports
- AI-Enhanced Word Report — Domain compliance analysis, full gap register with CRA Article references, prioritised remediation plan, evidence register and complete responses. When AI is enabled, the report also carries an AI-generated executive summary and per-domain narratives. This is the board-and-leadership narrative, already drafted for review.
- Excel Workbook — The same content in tabular form across multiple sheets — owners can be assigned, target dates added, statuses tracked. Drops into JIRA, Asana or Smartsheet without re-keying.
- Evidence Package (ZIP) — Every attached evidence file (PDFs, Word docs, images) organised by question reference, plus an Excel register cataloguing each file with metadata. This is the audit pack: it ships in one click when a regulator, auditor or notified body asks for substantiation.
- Draft EU Declaration of Conformity (.docx) — A draft DoC pre-filled per Article 28 and Annex V from the assessment data, including manufacturer details, product identification, conformity assessment route, notified body details (if Class II/Critical), signature block, and additional information. When AI is enabled, AI also drafts the narrative content sections. The manufacturer reviews, verifies, signs and formally issues the final DoC.
- Backup (.cra.json) — A portable, self-contained JSON snapshot of the assessment, evidence references and audit history, for disaster recovery, device transfer or archival. Because it is plain JSON, the assessment is not locked to any vendor or environment. It carries references to evidence files rather than the files themselves, so pair it with the Evidence Package for a complete archive.
Portfolio-Level Exports
- Portfolio Word Report — Cross-product executive summary, compliance heatmap, common gaps analysis, common evidence weaknesses, product-by-product domain scores, and portfolio-wide recommendations.
- Portfolio Excel Workbook — Consolidated data across all assessed products for cross-portfolio analysis and prioritisation.
Who It's For
This assessment is designed for:
- Manufacturers needing to assess individual products against CRA essential requirements
- Product security teams responsible for multiple products with digital elements
- Organisations preparing products for CRA conformity assessment
- Teams needing to classify products against CRA Annex III and Annex IV categories
- Compliance teams requiring portfolio-level visibility across a product range
- Organisations compiling evidence and documentation for notified body engagement