Overview

While the CRA Organisational Readiness Assessment evaluates whether your organisation is prepared for the Cyber Resilience Act, this companion tool goes product by product — assessing each product with digital elements against the CRA's essential cybersecurity requirements at the individual product level.

The assessment covers 126 questions across 9 compliance domains, evaluating everything from how a product is classified under the CRA through to its technical security properties, vulnerability handling processes, and conformity assessment readiness. Each question is mapped to specific CRA articles and annexes, with guidance on what evidence is expected.

Products can be assessed individually or managed as a portfolio, giving you a consolidated view of CRA compliance across all your products with digital elements. The portfolio view highlights common gaps, generates cross-product heatmaps, and produces board-ready compliance reports covering your entire product range.

Multi-Product Portfolio Assessment

Unlike single-product tools, this assessment is built for organisations with multiple products. You can:

  • Add and assess multiple products within a single assessment instance
  • Classify each product independently — Default, Important Class I (Annex III), Important Class II (Annex III), or Critical (Annex IV)
  • View a portfolio dashboard with compliance scores, heatmaps and domain breakdowns across all products
  • Identify common gaps that affect multiple products — so you can fix systemic issues once rather than product by product
  • Generate portfolio-level Word and Excel reports alongside individual product reports

Product Classification

The CRA requires different conformity assessment pathways depending on product classification. The assessment includes an interactive classification module that helps you determine the correct category for each product:

  • Default — General products with digital elements. Self-assessment permitted under harmonised standards.
  • Important — Class I (Annex III) — Products such as identity management systems, browsers, password managers, VPNs, network management systems, SIEM, firewalls for non-industrial use, routers and modems. May use harmonised standards for self-assessment.
  • Important — Class II (Annex III) — Products such as operating systems, hypervisors, container runtimes, PKI systems, CPUs with security features, industrial firewalls and IDS. Third-party conformity assessment required.
  • Critical (Annex IV) — Highest-risk products requiring mandatory third-party assessment by a notified body.

Assessment Domains

Each product is evaluated across 9 CRA compliance domains:

  • Product Classification (12 questions) — Determining the correct CRA product classification and conformity assessment pathway
  • Security by Design (18 questions) — Embedding cybersecurity into the product design and development lifecycle
  • Technical Security Properties (20 questions) — Implementing technical controls for confidentiality, integrity and availability
  • Vulnerability Handling (17 questions) — Identifying, disclosing and remediating product vulnerabilities
  • Incident Reporting & Response (10 questions) — Detecting, reporting and responding to security incidents
  • Technical Documentation (15 questions) — Maintaining technical documentation required under Annex VII
  • Conformity Assessment Readiness (11 questions) — Preparing for and completing the conformity assessment procedure
  • User Information & Instructions (12 questions) — Providing users with security information and secure usage guidance
  • Supply Chain & Components (11 questions) — Managing third-party component security and supply chain risks

Evidence & Documentation

Each question supports evidence attachment — upload supporting documents, policies, screenshots and test results directly against the relevant question. The assessment maintains a complete evidence register that can be exported as a packaged archive, making it straightforward to compile the documentation needed for conformity assessment or audit preparation.

Assessors can also add notes and justifications for any questions marked as not applicable, creating a complete record of assessment decisions.

Reporting

The assessment generates comprehensive reports at both the individual product and portfolio levels:

  • Product Word Report — Executive summary, domain compliance scores, gap register with CRA article references, prioritised remediation plan, evidence register, N/A exclusions, and full response record
  • Product Excel Workbook — Detailed compliance data for tracking, filtering and analysis
  • Portfolio Word Report — Cross-product executive summary, compliance heatmap, common gaps analysis, product-by-product domain scores, and portfolio-wide recommendations
  • Portfolio Excel Workbook — Consolidated data across all assessed products
  • Evidence Package — Downloadable archive of all attached evidence files organised by question reference

Who It's For

This assessment is designed for:

  • Manufacturers needing to assess individual products against CRA essential requirements
  • Product security teams responsible for multiple products with digital elements
  • Organisations preparing products for CRA conformity assessment
  • Teams needing to classify products against CRA Annex III and Annex IV categories
  • Compliance teams requiring portfolio-level visibility across a product range
  • Organisations compiling evidence and documentation for notified body engagement

What You Get

Comprehensive product-level and portfolio-level CRA compliance outputs.

Per-Product Compliance Reports

Executive summary with domain scores, gap register mapped to CRA articles, and prioritised remediation plan — exportable to Word and Excel.

Portfolio Dashboard & Heatmap

Consolidated view across all assessed products with domain-by-domain compliance heatmap and portfolio-wide scoring.

Common Gaps Analysis

Identifies compliance gaps shared across multiple products so systemic issues can be resolved once at the organisational level.

Product Classification Module

Interactive classification against CRA Annex III and Annex IV categories to determine the correct conformity assessment pathway.

Evidence Register

Attach supporting documents to each question and export a complete evidence package for conformity assessment preparation.

Save & Restore

Save assessment progress to file and restore later. Work across sessions without losing data — no cloud account required.

AI Question Helper

Per-domain AI assistant that explains any CRA question in plain English — what the requirement means, why it matters, and what good looks like. Requires Claude API key.

AI Evidence Review

Upload evidence files and the AI assesses them against the CRA's Annex I requirements — identifying gaps, flagging quality concerns, and suggesting what additional documentation is needed. Requires Claude API key.

Personal Security Advisor

Post-assessment AI advisor with full context of your results — ask about any gap, any action, or any CRA article. Like a product security specialist who's already reviewed your assessment. Requires Claude API key.

AI-Powered

Three AI Capabilities Built Into the Assessment

The CRA Product Compliance Assessment integrates Claude AI across the entire workflow — from understanding CRA requirements, to reviewing your evidence against Annex I, to interrogating your results. All powered by your own API key.

During the assessment

AI Question Helper

Every domain section includes an AI assistant that can explain any question in plain English — what the CRA Annex I requirement actually means, why it matters for product security, and what a compliant implementation looks like in practice.

Ask questions like "What does question 5 mean in simple terms?" or "What is a SBOM?" — and get a clear, practical answer relevant to the current domain, without leaving the assessment.

During evidence collection

AI Evidence Review

Attach your evidence files directly to each question — PDFs and images are read by the AI; Word, Excel, and CSV files are also accepted. The AI assesses whether your documentation satisfies the CRA's specific Annex I requirements for that question.

For each uploaded file, it tells you whether the evidence is sufficient, identifies specific compliance gaps, lists what additional documentation is needed, and flags quality concerns — giving you a clear picture of your evidence posture before conformity assessment.

After you finish

Personal Security Advisor

Once your product assessment is complete, your Personal Security Advisor has full context of your results — every domain score, every gap, every CRA article reference. Ask about any finding, get help prioritising remediation, or understand what a gap means for your conformity pathway.

Suggested prompts are built in, or ask your own questions freely. Like a CRA product security specialist who's already read your entire assessment report.


Bring your own API key

All three AI features are built into the tool — connect using your own Claude API key and pay only for what you use. Typical usage costs a few dollars per full assessment cycle. Your data is never stored or used for AI training.

Assess Your Products for CRA Compliance

Get in touch to see the CRA Product Compliance Assessment in action.

Contact for Pricing

Related CRA Assessment

Pair product-level assessments with organisational readiness evaluation.

Enterprise

CRA Organisational Readiness Assessment

Evaluate your organisation's overall preparedness for the Cyber Resilience Act with role-based assessments for manufacturers, importers, distributors and authorised representatives.


Related Assessments

  • CRA Organisational Readiness Assessment
  • GDPR Compliance Assessment
  • ISO 27001 Maturity Assessment

Further Reading

Resource

The EU Cyber Resilience Act: What Manufacturers Need to Do Before December 2027

A plain-language guide to the CRA's enforcement timeline, product classification categories, essential requirements under Annex I, vulnerability reporting obligations, and conformity assessment pathways.
