Independent guide to Regulation (EU) 2024/2847 · Status: in force

Compliance matrix

Every obligation for manufacturers of products with digital elements, set out across the product lifecycle with its article reference. Work through it and track your progress; the whole checklist is free to view. Progress is kept in this browser.

Selected route: Default

Default products may self-assess under Module A. No Notified Body is required, but the full technical file and DoC must still be in place.

1 · Foundations

Company-level foundations

Organisational requirements that must be in place before any product-specific work begins.

Documented Security Development Lifecycle · Art. 13(1) · Annex I
Maintain a documented SDL defining phases, roles and responsibilities. External certification (IEC 62443-4-1, ISO/IEC 27001) is optional but creates a presumption of conformity.

Evidence of conformity with the SDL · Annex I · Pt I
Where no external certification is held, keep documented evidence of internal conformity with the SDL.

SDL covers secure-by-design and secure-by-default [New] · Annex I · I(2)(3)
The SDL must explicitly address how the product minimises its attack surface without configuration by the end user.

EU Authorised Representative (non-EU manufacturers) [New] · Art. 19
Manufacturers outside the EU must designate, by written mandate, a representative established in the EU, named in the technical documentation and the DoC.
2 · Before development

Before development begins

Classification, risk assessment and technical prerequisites set the scope for everything that follows.

Determine product classification [New] [Tool available] · Annex III/IV
Identify whether the product is Default, Important Class I/II or Critical (Annexes III & IV). Classification determines the conformity assessment route.

Identify the conformity assessment route [New] · Art. 32 · Annex VIII
Default: Module A self-assessment. Important Class I: Module A with a harmonised standard, otherwise B+C or H. Important Class II & Critical: always via a Notified Body. Lead times of 4–10 months are common.

Product-specific cybersecurity risk assessment · Annex I · I(1)
Perform a risk assessment before development. Retain all versions; the initial pre-development version is part of the technical documentation.

Threat modelling [New] · Annex I · I(1)
Identify the attack surface, threat actors, attack vectors and the resulting security requirements. Document the methodology used.

Third-party & open-source component policy [New] [Tool available] · Annex I · Pt II
Define how third-party and open-source components are selected, evaluated and approved, including minimum EOL and vulnerability-response obligations.

EOL check for tools and dependencies [Tool available] · Annex I · Pt II
Check the End-of-Life date of all key tools, kernels, databases and libraries. Avoid components whose EOL falls within the product's support lifetime.

Storage encryption feasibility · Annex I · I(4)(e)
Confirm that the target hardware supports encryption of data at rest. This is a mandatory requirement and may force a hardware change.

Minimal attack-surface design [New] · Annex I · I(2)(b)
Plan to remove or disable by default every interface, service, port and protocol not required for the intended function.

Default credential policy [New] · Annex I · I(2)(c)
Ship with no default passwords, or force the user to set a unique credential on first use.
3 · Development

During development

Secure coding, testing and the update mechanism, evidenced throughout the build.

Cybersecurity-focused test plan · Annex I · I(1)
Write test cases targeting authentication, access control, input validation, encryption and error handling. Document them and retain them in the technical file.

Evidence of SDL compliance · Annex I · Pt I
Demonstrate, with documented evidence, that the SDL was followed at each phase.

Penetration testing / vulnerability assessment [New] · Annex I · I(1)
Conduct security testing on the product or a representative build before release.

Secure software update mechanism [New] · Annex I · I(2)(f)
Provide an authenticated, integrity-verified update mechanism whose updates the device can verify before installation; make updates automatic where feasible.

Data minimisation [New] · Annex I · I(4)(f)
Collect, process and store only the data strictly necessary for the intended function.
4 · Before release

Before product release

SBOM, network audit, EOL, conformity assessment, CE marking and the technical file.

SBOM prepared and vulnerability-screened [Tool available] · Annex I · II(1)
Prepare an SBOM covering at least all top-level dependencies and verify that no component carries a known, already-patched vulnerability. Shipping a component with an already-resolved CVE is a direct violation.

SBOM in machine-readable format [New] [Tool available] · Annex I · Pt II
Store the SBOM as SPDX or CycloneDX (JSON/XML). PDF may be rejected as non-machine-readable.
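To show what the two SBOM items above look like in practice, here is an added Python example that is not part of this checklist or its tools: it parses a CycloneDX JSON SBOM (CycloneDX is assumed as the chosen format), rejects input that is not CycloneDX, and flags every component whose version is older than the fixed version listed in an advisory feed. The SBOM, component names and advisory IDs are all constructed for the example and are not real products or CVEs.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed CycloneDX 1.5 JSON SBOM for a fictional device (not a real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.2.3"},
    {"type": "library", "name": "example-json", "version": "2.0.0"},
    {"type": "library", "name": "example-http", "version": "0.9.1"}
  ]
}"""

# Constructed advisory data: component name -> advisories and the version that fixes each.
# Advisory IDs are placeholders, not real CVE numbers.
ADVISORIES: Dict[str, List[Dict[str, str]]] = {
    "libexample-tls": [{"id": "EXAMPLE-ADV-001", "fixed_in": "1.2.4"}],
    "example-http": [{"id": "EXAMPLE-ADV-002", "fixed_in": "0.9.1"}],
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.10.2' into a tuple of ints that compares numerically."""
    return tuple(int(part) for part in version.split("."))

def load_components(sbom_json: str) -> List[Dict[str, Any]]:
    """Parse the SBOM and accept only the CycloneDX JSON format."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("SBOM is not CycloneDX JSON; a machine-readable format is required")
    return sbom.get("components", [])

def screen_sbom(sbom_json: str, advisories: Dict[str, List[Dict[str, str]]]) -> List[Dict[str, str]]:
    """Return one finding per component that ships a version older than an available fix."""
    findings: List[Dict[str, str]] = []
    for component in load_components(sbom_json):
        name, version = component.get("name", ""), component.get("version")
        if not version:
            # A component without a version cannot be screened; surface it so it gets resolved.
            findings.append({"name": name, "version": "", "advisory": "UNVERSIONED", "fixed_in": ""})
            continue
        for advisory in advisories.get(name, []):
            # Only versions strictly below the fixed version are affected; 0.9.1 == fixed_in is clean.
            if parse_version(version) < parse_version(advisory["fixed_in"]):
                findings.append({"name": name, "version": version,
                                 "advisory": advisory["id"], "fixed_in": advisory["fixed_in"]})
    return findings
```

Running `screen_sbom(SBOM_JSON, ADVISORIES)` yields a single finding for libexample-tls 1.2.3 (fixed in 1.2.4); example-http already ships the fixed version and passes.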
Inbound connections list · Annex I · I(2)(b)
List and individually justify every inbound connection and open port; remove or disable by default anything not required.

Outbound connections list · Annex I · Pt I
Audit and justify all outbound connections, including those from the OS, third-party libraries and telemetry.

Declare the product End-of-Life [Tool available] · Art. 13(8)
Calculate and declare the EOL; it cannot exceed the EOL of key dependencies. Minimum 5-year support period unless the expected use lifetime is shorter.

Complete the conformity assessment [New] · Art. 32
Carry out the applicable procedure (Module A, or B+C / H / Notified Body) and document it before affixing CE marking.

Prepare the EU Declaration of Conformity [New] [Tool available] · Art. 28 · Annex V
Draft and sign the DoC per Annex V, referencing the regulation, product and assessment procedure. Keep available for 10 years.

Affix the CE marking [New] · Art. 30
Apply visible, legible, indelible CE marking. No CE marking, no EU market from 11 Dec 2027.

Compile the technical file [New] · Art. 31 · Annex VII
Assemble the Annex VII package: description, risk assessment, SDL evidence, test results, SBOM, connection audits, DoC and EOL declaration.

10-year retention plan [New] · Art. 31(3)
Archive all technical documentation, including every SBOM version, for at least 10 years from first market placement.

User-facing documentation [New] · Annex II · Art. 13(18)
Communicate intended use, cybersecurity properties, how to configure security, the declared EOL and how to report vulnerabilities.

Vulnerability disclosure contact published [New] · Art. 13(5)
Publish a single, actively monitored point of contact for reporting vulnerabilities.
5 · After release

After product release

Ongoing monitoring, the Article 14 reporting timeline and update obligations across the support period.

Update risk assessment on significant change · Annex I · I(1)
Reassess when a major product change, a significant new threat or an exploited vulnerability is identified; document the trigger and the outcome.

Automated SBOM vulnerability monitoring [Tool available] · Art. 14
Deploy tooling that monitors SBOM components against live feeds (NVD, EUVD, OSV) frequently enough to meet the 24-hour reporting window. Manual monitoring is insufficient.

24-hour initial vulnerability report [New] · Art. 14(2)
On becoming aware of an actively exploited vulnerability, file an initial report within 24 hours via ENISA's single reporting platform. Applies from 11 Sep 2026.

72-hour technical report [New] · Art. 14(3)
Submit a detailed technical report to ENISA and the national CSIRT within 72 hours, including severity and any mitigation.

Final report within 14 days of remediation [New] · Art. 14(4)
Submit a final report no later than 14 days after a security update or workaround is made available.

Severe incident reporting [New] · Art. 14(2)
Report severe incidents affecting product security on the same 24/72-hour timeline.

Automatic update for third-party vulnerabilities · Art. 14(2)(a)
Maintain an automatic update system able to patch third-party component vulnerabilities. A fix delivered within 24 hours exempts the manufacturer from reporting, not from fixing.

Security updates free of charge [New] · Art. 13(9)
Provide all security updates free of charge for the duration of the support period.

Advance notice of End-of-Life [New] · Art. 13(8)
Notify users at least 12 months before the final security update, where feasible.

Corrective measures for non-compliant products [New] · Art. 13(14)
Remediate, withdraw or recall non-compliant products and notify market surveillance. Inaction is itself a violation.