Compliance Checklist

Protect your data, get rid of vulnerabilities and prepare against threats: take the Cyber Resilience Act compliance checklist to verify whether your company, product or software is CRA ready!

Identify any requirements that may be missing to take swift action and be ready on time.

Manufacturers of non-critical products

Manufacturers of non-critical products can self-assess their compliance with the CRA’s requirements.

You can check the Annex III of the regulation for a list of Critical Products.

Manufacturers of non-critical products may nonetheless choose to undergo the same assessment process as critical products, in which compliance with the CRA is assessed by a notified body. In that case, they will need to choose between two main modules, which are further described in the Critical products tab and whose requirements differ from those described below.

General requirements
ID | Requirement | Reference | Comment
1 | Cyber resilience must be taken into account when designing, developing and producing products with digital elements | Annex I, Section 1 §1 | Self-assessment
3 | Manufacturers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the Regulation | Self-assessment
4 | Secure-by-default configuration, without any known exploitable vulnerabilities | Annex I, Section 1 §3a | Self-assessment
6 | Implement strong authentication mechanisms (such as multi-factor authentication) to protect against unauthorised access | Annex I, Section 1 §3b | Self-assessment
7 | Protect the confidentiality and integrity of user data (including personal data) using mechanisms such as encryption and access control | Annex I, Section 1 §3c and Annex I, Section 1 §3d | Self-assessment
8 | Process only the data that is necessary for the intended use of the product or software (data minimisation, similar to the GDPR requirement) | Annex I, Section 1 §3e | Self-assessment
9 | Build in resilience against, and mitigation of, denial-of-service attacks | Annex I, Section 1 §3f | Self-assessment
10 | Minimise the product's own negative impact on the availability of services provided by other devices or networks; in other words, ensure that the product cannot be enlisted in a DDoS attack | Annex I, Section 1 §3g | Self-assessment
11 | Design products to limit attack surfaces, including external interfaces. For example: close open ports that should not be open, protect USB ports | Annex I, Section 1 §3h | Self-assessment
12 | Design products to limit the impact of attacks and incidents. For example: authentication, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | Self-assessment
13 | Record and/or monitor relevant user and network activity. For example: activity/user logs | Annex I, Section 1 §3j | Self-assessment
14 | Ensure that vulnerabilities can be addressed through security updates, including, where applicable, automatic updates enabled by default with a clear and easy-to-use opt-out mechanism, and, where applicable, notification of available updates to users with the option to temporarily postpone them | Annex I, Section 1 §3k | Self-assessment
16 | Create a Software Bill of Materials (SBOM) | Annex I, Section 2 §1 | Self-assessment
17 | Identify and document the vulnerabilities and components contained in the product (including through the SBOM) | Annex I, Section 2 §1 | Self-assessment
18 | Be able to provide free automatic security updates and to alert the end user that a security update is available or has been installed on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | Self-assessment
19 | Design and implement a policy for regular testing and review of the security of the product | Annex I, Section 2 §3 | Self-assessment
20 | Design and implement a policy for publishing security update release notes each time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | Self-assessment
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | Self-assessment
22 | Provide a contact address for third-party reporting of vulnerabilities discovered in your product | Annex I, Section 2 §6 | Self-assessment
23 | Design and implement a policy for sharing information about vulnerabilities in your product with third parties, including the contact address | Annex I, Section 2 §6 | Self-assessment
24 | Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity | Article 10(9) of the Regulation | Self-assessment
General documentation
ID | Requirement | Reference | Comment
26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | Self-written
27 | The product must be delivered with a name and type and any additional information enabling its unique identification | Annex II, Section 3 | Self-written
28 | The intended purpose, essential functionalities and security properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | Self-written
29 | Any intended use of the product which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | Self-written
32 | The type of technical and security support provided, and the time limit for that support, must be detailed in the accompanying documentation | Annex II, Section 8 | Self-written
33 | Detailed instructions, or a link to them, on the measures necessary during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided | Annex II, Section 9 §a | Self-written
34 | Detailed instructions, or a link to them, on how changes to the product can affect the security of data must be provided | Annex II, Section 9 §b | Self-written
35 | Detailed instructions, or a link to them, on how to install security updates must be provided | Annex II, Section 9 §c | Self-written
36 | Detailed instructions, or a link to them, on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | Self-written
37 | How the default setting that installs updates automatically can be turned off must be explained | Annex II, Section 9 §e | -
38 | The CE marking must be affixed to the product | Annex VI, Section 4.1 | -
EU declaration of conformity
ID | Requirement | Reference | Comment
38 | The EU declaration of conformity must contain the name, type and any unique identifying information of the product (including a photograph, where appropriate) allowing its traceability | Annex IV, Section 1 and Annex IV, Section 4 | Self-written
39 | The EU declaration of conformity must contain the name and address of the manufacturer or of its authorised representative | Annex IV, Section 2 | Self-written
40 | The declaration must state that it is issued under the sole responsibility of the manufacturer | Annex IV, Section 3 | Self-written
41 | The declaration must state that the product is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | Self-written
42 | The declaration must reference any relevant harmonised standards used, or other specifications or certifications, in relation to which conformity is declared | Annex IV, Section 6 | Self-written
43 | Where applicable (for example Class I and Class II products), the name and number of the notified body, a description of the conformity assessment procedure performed and the identification of the certificate issued must be referenced | Annex IV, Section 7 | If applicable
44 | The declaration may contain additional information where relevant | Annex IV, Section 8 | -
45 | The declaration must be signed for and on behalf of the manufacturer, identified by its trademark, and must state the place and date of issue | Annex IV | -
46 | The declaration must be signed by an authorised representative, identified by name and function | Annex IV and Article 12(1) of the Regulation | -
47 | The EU declaration of conformity must be drawn up for each product and kept for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | -
Technical documentation
ID | Requirement | Reference | Comment
48 | The technical documentation must contain a general description of the product | Annex V, Section 1 | Self-written
49 | The general description must include the product's intended purpose | Annex V, Section 1 §a | Self-written
50 | The general description must include the versions of the software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | Self-written
51 | For hardware products, the general description must include photographs or illustrations showing external features, markings and internal layout | Annex V, Section 1 §c | Self-written
52 | The general description must include the information described in Annex II (manufacturer's name and registered trademark; contact information, both general and for cybersecurity vulnerability reporting; type, batch, version or serial number of the product; technical and security support provided; how to securely commission and decommission the product; how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | Self-written
53 | The technical documentation must contain a description of the design and development of the product, including drawings and diagrams (if applicable) and/or a description of the system architecture | Annex V, Section 2 §a | Self-written
54 | The technical documentation must contain complete information on the vulnerability handling processes and disclosure policy, the software bill of materials, the contact address for reporting vulnerabilities and how updates are securely distributed | Annex V, Section 2 §b and Section 7 | Self-written
55 | The technical documentation must contain complete information and specifications of the production and monitoring processes for the product, including validation of these processes | Annex V, Section 2 §c | Self-written
56 | The technical documentation must contain an assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | Self-written
57 | If the product also falls under other EU regulations or harmonised standards, the technical documentation must reference them and state how they have been applied to the product; if they have not been applied, which other solutions and measures have been implemented to meet the CRA's own requirements; and if they have been applied in part, which parts of these standards or regulations have been applied | Annex V, Section 4 and Articles 18(3) and 19 of the Regulation | Self-written
58 | The technical documentation must contain a description and reports of the tests carried out to verify the conformity of the product and of the vulnerability handling processes with Sections 1 and 2 of Annex I. If an essential requirement does not apply to a particular product, the manufacturer must justify this in the cybersecurity risk assessment included in the technical documentation | Annex V, Section 5; Annex I, Sections 1 and 2; and the Swedish Presidency compromise text | Self-written
59 | The technical documentation must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | -
60 | The technical documentation must be drawn up for each product and kept for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | -
Communication with the Authorities
ID | Requirement | Reference | Comment
61 | The manufacturer shall notify any actively exploited vulnerability that it becomes aware of to the CSIRTs | Article 11(1) of the Regulation | -
62 | The manufacturer must design and implement a policy for informing product users, without undue delay, of vulnerabilities and incidents, including corrective measures | Article 11(4) of the Regulation | -
63 | The manufacturer must design and implement a policy to bring a product that is no longer in conformity back into conformity (including through updates), or to withdraw or recall the product, as appropriate | Article 10(12) of the Regulation | -
64 | The manufacturer shall design and implement a policy enabling it to alert the relevant market surveillance authorities and, by any means available, the product's users in the event that it ceases its operations | Article 10(14) of the Regulation | -
65 | The manufacturer shall designate an authorised representative with a mandate enabling them to fulfil the obligations set out in point 4 of Module A (CE marking and EU declaration of conformity) | Annex VI, Module A, Section 5 | -
Manufacturers of critical products

Manufacturers of critical products need to go through an external assessment process conducted by a notified body responsible for verifying the compliance of the products with the requirements of the CRA.

You can check the Annex III of the regulation for a list of Critical Products.

Manufacturers of critical products can choose between two assessment paths for their products: module B (or module B followed by module C) and module H.

Module H is the more rigorous path. The manufacturer operates a quality system, a written record of the processes and procedures it follows to ensure that the product meets the CRA's requirements, and that quality system is assessed by the notified body.

Module B does not require a quality system. Instead, the notified body examines the technical design of the product, including a specimen of it, during the assessment. Once a product type has received an EU-type examination certificate under module B, products of the same type can be declared in conformity through module C, which relies on the manufacturer's own production controls and does not require a new examination by a notified body.

Hence, while module B focuses on the product itself, module H looks at the manufacturer's processes (i.e. the quality system) as the basis for compliance with the CRA.


General requirements
ID | Requirement | Reference | Comment
1 | Cyber resilience must be taken into account when designing, developing and producing products with digital elements | Annex I, Section 1 §1 | Assessed by notified body
3 | Manufacturers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the Regulation | Assessed by notified body
4 | Secure-by-default configuration | Annex I, Section 1 §3a | Assessed by notified body
5 | Implement a factory reset feature (the possibility to reset the product to its original state) | Annex I, Section 1 §3a | Assessed by notified body
6 | Implement strong authentication mechanisms (such as multi-factor authentication) to protect against unauthorised access | Annex I, Section 1 §3b | Assessed by notified body
7 | Protect the confidentiality and integrity of user data (including personal data) using mechanisms such as encryption and access control | Annex I, Section 1 §3c and Annex I, Section 1 §3d | Assessed by notified body
8 | Process only the data that is necessary for the intended use of the product or software (data minimisation, similar to the GDPR requirement) | Annex I, Section 1 §3e | Assessed by notified body
9 | Build in resilience against, and mitigation of, denial-of-service attacks | Annex I, Section 1 §3f | Assessed by notified body
10 | Minimise the product's own negative impact on the availability of services provided by other devices or networks; in other words, ensure that the product cannot be enlisted in a DDoS attack | Annex I, Section 1 §3g | Assessed by notified body
11 | Design products to limit attack surfaces, including external interfaces. For example: close open ports that should not be open, protect USB ports | Annex I, Section 1 §3h | Assessed by notified body
12 | Design products to limit the impact of attacks and incidents. For example: authentication, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | Assessed by notified body
13 | Record and/or monitor relevant user and network activity. For example: activity/user logs | Annex I, Section 1 §3j | Assessed by notified body
14 | Provide automatic security updates for at least five years, or for the expected lifetime of the product if shorter. This does not apply to products primarily intended to be integrated as components into other products, nor to devices whose users would not 'reasonably expect' automatic updates | Annex I, Section 1 §3k, Article 10(5) of the Regulation and the Swedish Presidency compromise text | Assessed by notified body
15 | Automatic user notification of vulnerabilities and security updates | Annex I, Section 1 §3k | Assessed by notified body
16 | Create a Software Bill of Materials (SBOM) | Annex I, Section 2 §1 | Assessed by notified body
17 | Identify and document the vulnerabilities and components contained in the product (including through the SBOM) | Annex I, Section 2 §1 | Assessed by notified body
18 | Be able to provide free automatic security updates and to alert the end user that a security update is available or has been installed on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | Assessed by notified body
19 | Design and implement a policy for regular testing and review of the security of the product | Annex I, Section 2 §3 | Assessed by notified body
20 | Design and implement a policy for publishing security update release notes each time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | Assessed by notified body
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | Assessed by notified body
22 | Provide a contact address for third-party reporting of vulnerabilities discovered in your product | Annex I, Section 2 §6 | Assessed by notified body
23 | Design and implement a policy for sharing information about vulnerabilities in your product with third parties, including the contact address | Annex I, Section 2 §6 | Assessed by notified body
24 | Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity | Article 10(9) of the Regulation | -
General documentation
ID | Requirement | Reference | Comment
26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | Self-written
27 | The product must be delivered with a name and type and any additional information enabling its unique identification | Annex II, Section 3 | Self-written
28 | The intended purpose, essential functionalities and security properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | Self-written
29 | Any intended use of the product which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | Self-written
32 | The type of technical and security support provided, and the time limit for that support, must be detailed in the accompanying documentation | Annex II, Section 8 | Self-written
33 | Detailed instructions, or a link to them, on the measures necessary during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided | Annex II, Section 9 §a | Self-written
34 | Detailed instructions, or a link to them, on how changes to the product can affect the security of data must be provided | Annex II, Section 9 §b | Self-written
35 | Detailed instructions, or a link to them, on how to install security updates must be provided | Annex II, Section 9 §c | Self-written
36 | Detailed instructions, or a link to them, on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | Self-written
37 | How the default setting that installs updates automatically can be turned off must be explained | Annex II, Section 9 §e | -
38 | The CE marking must be affixed to the product | Annex VI, Section 4.1 | -
EU declaration of conformity
ID | Requirement | Reference | Comment
38 | The EU declaration of conformity must contain the name, type and any unique identifying information of the product (including a photograph, where appropriate) allowing its traceability | Annex IV, Section 1 and Annex IV, Section 4 | Self-written
39 | The EU declaration of conformity must contain the name and address of the manufacturer or of its authorised representative | Annex IV, Section 2 | Self-written
40 | The declaration must state that it is issued under the sole responsibility of the manufacturer | Annex IV, Section 3 | Self-written
41 | The declaration must state that the product is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | Self-written
42 | The declaration must reference any relevant harmonised standards used, or other specifications or certifications, in relation to which conformity is declared | Annex IV, Section 6 | Self-written
43 | Where applicable (for example Class I and Class II products), the name and number of the notified body, a description of the conformity assessment procedure performed and the identification of the certificate issued must be referenced | Annex IV, Section 7 | If applicable
44 | The declaration may contain additional information where relevant | Annex IV, Section 8 | -
45 | The declaration must be signed for and on behalf of the manufacturer, identified by its trademark, and must state the place and date of issue | Annex IV | -
46 | The declaration must be signed by an authorised representative, identified by name and function | Annex IV and Article 12(1) of the Regulation | -
47 | The EU declaration of conformity must be drawn up for each product and kept for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | -
Technical documentation
ID | Requirement | Reference | Comment
48 | The technical documentation must contain a general description of the product | Annex V, Section 1 | Assessed by notified body
49 | The general description must include the product's intended purpose | Annex V, Section 1 §a | Assessed by notified body
50 | The general description must include the versions of the software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | Assessed by notified body
51 | For hardware products, the general description must include photographs or illustrations showing external features, markings and internal layout | Annex V, Section 1 §c | Assessed by notified body
52 | The general description must include the information described in Annex II (manufacturer's name and registered trademark; contact information, both general and for cybersecurity vulnerability reporting; type, batch, version or serial number of the product; technical and security support provided; how to securely commission and decommission the product; how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | Assessed by notified body
53 | The technical documentation must contain a description of the design and development of the product, including drawings and diagrams (if applicable) and/or a description of the system architecture | Annex V, Section 2 §a | Assessed by notified body
54 | The technical documentation must contain complete information on the vulnerability handling processes and disclosure policy, the software bill of materials, the contact address for reporting vulnerabilities and how updates are securely distributed | Annex V, Section 2 §b and Section 7 | Assessed by notified body
55 | The technical documentation must contain complete information and specifications of the production and monitoring processes for the product, including validation of these processes | Annex V, Section 2 §c | Assessed by notified body
56 | The technical documentation must contain an assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | Assessed by notified body
57 | If the product also falls under other EU regulations or harmonised standards, the technical documentation must reference them and state how they have been applied to the product; if they have not been applied, which other solutions and measures have been implemented to meet the CRA's own requirements; and if they have been applied in part, which parts of these standards or regulations have been applied | Annex V, Section 4 and Articles 18(3) and 19 of the Regulation | Assessed by notified body
58 | The technical documentation must contain a description and reports of the tests carried out to verify the conformity of the product and of the vulnerability handling processes with Sections 1 and 2 of Annex I. If an essential requirement does not apply to a particular product, the manufacturer must justify this in the cybersecurity risk assessment included in the technical documentation | Annex V, Section 5; Annex I, Sections 1 and 2; and the Swedish Presidency compromise text | Assessed by notified body
59 | The technical documentation must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | Assessed by notified body
60 | The technical documentation must be drawn up for each product and kept for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | -
Communication with the authorities
ID | Requirement | Reference | Comment
61 | The manufacturer shall notify any actively exploited vulnerability that it becomes aware of to the CSIRTs | Article 11(1) of the Regulation | -
62 | The manufacturer must design and implement a policy for informing product users, without undue delay, of vulnerabilities and incidents, including corrective measures | Article 11(4) of the Regulation | -
63 | The manufacturer must design and implement a policy to bring a product that is no longer in conformity back into conformity (including through updates), or to withdraw or recall the product, as appropriate | Article 10(12) of the Regulation | -
64 | The manufacturer shall design and implement a policy enabling it to alert the relevant market surveillance authorities and, by any means available, the product's users in the event that it ceases its operations | Article 10(14) of the Regulation | -
65 | The manufacturer shall designate an authorised representative with a mandate enabling them to fulfil the obligations set out in point 4 of Module A (CE marking and EU declaration of conformity) | Annex VI, Module A, Section 5 | -
Lodging an application for certification
ID | Requirement | Reference | Comment
66 | The manufacturer shall lodge an application for EU-type examination with a single notified body of its choice | Annex VI, Module B, Section 3 | -
67 | The application shall include the name and address of the manufacturer and, if applicable, of the authorised representative | Annex VI, Module B, Section 3 | -
68 | The application shall include a written declaration that the same application has not been lodged with any other notified body | Annex VI, Module B, Section 3 | -
69 | The application shall include the technical documentation | Annex VI, Module B, Section 3 | -
70 | The application shall include the supporting evidence for the adequacy of the technical design and of the vulnerability handling processes, including test results where applicable | Annex VI, Module B, Section 3 | -
71 | The application must include specimens of the product for testing by the notified body | Annex VI, Module B, Section 2 | -
72 | The manufacturer shall inform the notified body of all modifications to the approved product and vulnerability handling processes that may affect the conditions for validity of the certificate | Annex VI, Module B, Section 7 | -
73 | The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions, as issued by the notified body, for 10 years after the product has been placed on the market | Annex VI, Module B, Section 9 | -
74 | The authorised representative may lodge the application provided that this is specified in the mandate | Annex VI, Module B, Section 10 | -
General requirements
ID | Requirement | Reference | Comment
1 | Cyber resilience must be taken into account when designing, developing and producing products with digital elements | Annex I, Section 1 §1 | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
2 | The product must have no known exploitable vulnerabilities | Annex I, Section 1 §2 | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
3 | Manufacturers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the Regulation | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
4 | Secure-by-default configuration | Annex I, Section 1 §3a | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
5 | Implement a factory reset feature (the possibility to reset the product to its original state) | Annex I, Section 1 §3a | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
6 | Implement strong authentication mechanisms (such as multi-factor authentication) to protect against unauthorised access | Annex I, Section 1 §3b | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
7 | Protect the confidentiality and integrity of user data (including personal data) using mechanisms such as encryption and access control | Annex I, Section 1 §3c and Annex I, Section 1 §3d | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
8 | Process only the data that is necessary for the intended use of the product or software (data minimisation, similar to the GDPR requirement) | Annex I, Section 1 §3e | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
9 | Build in resilience against, and mitigation of, denial-of-service attacks | Annex I, Section 1 §3f | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
10 | Minimise the product's own negative impact on the availability of services provided by other devices or networks; in other words, ensure that the product cannot be enlisted in a DDoS attack | Annex I, Section 1 §3g | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
11 | Design products to limit attack surfaces, including external interfaces. For example: close open ports that should not be open, protect USB ports | Annex I, Section 1 §3h | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
12 | Design products to limit the impact of attacks and incidents. For example: authentication, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
13 | Record and/or monitor relevant user and network activity. For example: activity/user logs | Annex I, Section 1 §3j | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
14 | Provide automatic security updates for at least five years, or for the expected lifetime of the product if shorter. This does not apply to products primarily intended to be integrated as components into other products, nor to devices whose users would not 'reasonably expect' automatic updates | Annex I, Section 1 §3k and Article 10(5) of the Regulation | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
15 | Automatic user notification of vulnerabilities and security updates | Annex I, Section 1 §3k | Self-assessed on the basis of the EU-type examination certificate previously issued for the same product type (module B)
16 | Create a Software Bill of Materials (SBOM) | Annex I, Section 2 §1 | Assessed by notified body
17 | Identify and document the vulnerabilities and components contained in the product (including through the SBOM) | Annex I, Section 2 §1 | Assessed by notified body
18 | Be able to provide free automatic security updates and to alert the end user that a security update is available or has been installed on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | Assessed by notified body
19 | Design and implement a policy for regular testing and review of the security of the product | Annex I, Section 2 §3 | Assessed by notified body
20 | Design and implement a policy for publishing security update release notes each time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | Assessed by notified body
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | Assessed by notified body
22 | Provide a contact address for third-party reporting of vulnerabilities discovered in your product | Annex I, Section 2 §6 | Assessed by notified body
23 | Design and implement a policy for sharing information about vulnerabilities in your product with third parties, including the contact address | Annex I, Section 2 §6 | Assessed by notified body
24 | Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity | Article 10(9) of the Regulation | -
General Documentation
ID | Requirement | Reference | Comment
26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | Self-written
27 | The product must be delivered with a name and type and any additional information enabling its unique identification | Annex II, Section 3 | Self-written
28 | The intended purpose, essential functionalities and security features/properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | Self-written
29 | Any intended use of the product which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | Self-written
32 | The type of technical and security support and the time limit for support must be detailed in the accompanying documentation | Annex II, Section 8 | Self-written
33 | Detailed instructions, or a link to them, on the measures necessary during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided | Annex II, Section 9 §a | Self-written
34 | Detailed instructions, or a link to them, on how changes to the product can affect the security of data must be provided | Annex II, Section 9 §b | Self-written
35 | Detailed instructions, or a link to them, on how to install security updates must be provided | Annex II, Section 9 §c | Self-written
36 | Detailed instructions, or a link to them, on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | Self-written
37 | How the default setting of automatically installed updates can be turned off must be documented | Annex II, Section 9 §e | -
38 | The CE marking should be affixed to the product | Annex VI, Section 4.1 | -
EU declaration of conformity
ID | Requirement | Reference | Comment
38 | The EU declaration of conformity must contain the name, type and any unique identifying information of the product (including a photograph, if appropriate) allowing its traceability. It must also identify the specific product model for which it has been drawn up | Annex IV, Section 1, Annex IV, Section 4 and Annex VI, module C, section 3.2 | Self-written
39 | The EU declaration of conformity must contain the name and address of the manufacturer or its authorised representative | Annex IV, Section 2 | Self-written
40 | The declaration must contain a statement that it is issued under the sole responsibility of the manufacturer | Annex IV, Section 3 | Self-written
41 | The declaration must contain a statement that the product is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | Self-written
42 | The declaration must reference any relevant harmonised standards used, or other certification, to which conformity is declared | Annex IV, Section 6 | Self-written
43 | Where applicable (such as for Class I and II products), the name and number of the notified body, a description of the conformity assessment procedure performed and the ID of the certificate issued must be referenced | Annex IV, Section 7 | Self-written
44 | The declaration may contain additional information if relevant | Annex IV, Section 8 | Self-written
45 | The declaration must be signed for and on behalf of the manufacturer (designated by its trade mark), stating the place and date of issue | Annex IV | Self-written
46 | The declaration must be signed by an authorised representative, designated by name and function | Annex IV and Article 12(1) of the Regulation | Self-written
47 | The EU declaration of conformity must be drawn up for each product and kept for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | Self-written
Technical documentation
ID | Requirement | Reference | Comment
48 | The technical documentation must contain a general description of the product | Annex V, Section 1 | Self-written
49 | The general description must include the product's intended purpose | Annex V, Section 1 §a | Self-written
50 | The general description must include the versions of software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | Self-written
51 | For hardware products, the general description must include photographs or illustrations showing external features, marking and internal layout | Annex V, Section 1 §c | Self-written
52 | The general description must include the information described in Annex II (manufacturer's name, registered trade mark, contact information, both general and for cybersecurity vulnerability reporting, type, batch, version or serial number of the product, technical and security support provided, how to securely commission and decommission the product, how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | Self-written
53 | The technical documentation must contain a description of the design and development of the product, including drawings and diagrams (if applicable) and/or a description of the system architecture | Annex V, Section 2 §a | Self-written
54 | The technical documentation must contain complete information on the vulnerability handling processes and disclosure policy, the software bill of materials, the contact address for the reporting of vulnerabilities and how updates are securely distributed | Annex V, Section 2 §b and Section 7 | Self-written
55 | The technical documentation must contain complete information and specifications of the production and monitoring processes of the product, including validation of these processes | Annex V, Section 2 §c | Self-written
56 | The technical documentation must contain an assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | Self-written
57 | If the product also falls under other EU regulations or harmonised standards, the technical documentation must reference them and state how they have been applied to the product; if they have not been applied, what other solutions and measures have been implemented to meet the CRA's requirements; and if they have been applied only in part, which parts of those standards or regulations have been applied | Annex V, Section 4 and Articles 19 and 18(3) of the Regulation | Self-written
58 | The technical documentation should contain a description and reports of the tests carried out to verify the conformity of the product and of the vulnerability handling processes with Sections 1 and 2 of Annex I. If an essential requirement does not apply to a particular product, the manufacturer must include a justification in the cybersecurity risk assessment within the technical documentation | Annex V, Section 5, Annex I, Sections 1 and 2, and Swedish update | Self-written
59 | The technical documentation must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | -
60 | The technical documentation must be drawn up for each product and kept for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | -
Communication with the authorities
ID | Requirement | Reference | Comment
61 | The manufacturer shall notify any actively exploited vulnerability of which it becomes aware to the CSIRTs | Article 11(1) of the Regulation | -
62 | The manufacturer must design and implement a policy for reporting, without undue delay, vulnerabilities and breaches to the product's users, including corrective measures | Article 11(4) of the Regulation | -
63 | The manufacturer must design and implement a policy to bring a product that is no longer in conformity back into conformity (including through updates), or to withdraw or recall the product where appropriate | Article 10(12) of the Regulation | -
64 | The manufacturer shall design and implement a policy enabling it to alert the relevant market surveillance authorities and, by any means available, the product's users in the event that it ceases its operations | Article 10(14) of the Regulation | -
65 | The manufacturer shall designate an authorised representative with a mandate enabling them to fulfil the requirements set out in point 4 | Annex VI, Module A, Section 5 | -
General requirements
ID | Requirement | Reference | Comment
1 | Cyber-resilience should be taken into account when designing, developing and producing products with digital elements | Annex I, Section 1 §1 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
2 | The product should have no known exploitable vulnerability | Annex I, Section 1 §2 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
3 | Manufacturers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the Regulation | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
4 | Secure by default configuration | Annex I, Section 1 §3a | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
5 | Implement a factory reset feature (ability to reset the product to its original state) | Annex I, Section 1 §3a | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
6 | Implement strong authentication protocols (such as multi-factor authentication) to protect against unauthorised access | Annex I, Section 1 §3b | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
7 | Protect the confidentiality and integrity of user data (including personal data) using tools such as encryption mechanisms, access control protocols, etc. | Annex I, Section 1 §3c and Annex I, Section 1 §3d | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
8 | Process only data that is necessary for the intended use of the product or software (similar to the GDPR data minimisation requirement) | Annex I, Section 1 §3e | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
9 | Build in resilience against, and mitigation of, denial of service attacks | Annex I, Section 1 §3f | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
10 | Minimise your own impact on the availability of services provided by other devices or networks; in other words, ensure that your systems cannot be used in a DDoS attack | Annex I, Section 1 §3g | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
11 | Design products to limit attack surfaces, including external interfaces. For example: close ports that should not be open, protect USB ports | Annex I, Section 1 §3h | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
12 | Design products to limit the impact of attacks and incidents. For example: authentication protocols, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
13 | Record and/or monitor relevant user and network activity. For example: activity/user logs | Annex I, Section 1 §3j | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
14 | Automatic security updates for at least 5 years (or the lifetime of the product, whichever is shorter), except for products primarily intended to be integrated as components into other products, and for devices whose users would not "reasonably expect" automatic updates | Annex I, Section 1 §3k, Article 10(5) of the Regulation and Swedish update | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
15 | Automatic user notification of vulnerabilities and security updates | Annex I, Section 1 §3k | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
16 | Creation of a Software Bill of Materials (SBOM) | Annex I, Section 2 §1 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
17 | Identification and documentation of vulnerabilities and components (including through the SBOM) | Annex I, Section 2 §1 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
18 | Ability to provide free automatic security updates and to alert the end user that a security update is available or was applied on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
19 | Design and implement a policy for regular testing and review of the security of the product | Annex I, Section 2 §3 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
20 | Design and implement a policy for security update release notes, to be issued every time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
22 | Provide a contact address for third-party reporting of vulnerabilities discovered in your product | Annex I, Section 2 §6 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
23 | Design and implement a policy for sharing information about vulnerabilities in your product with third parties, including the contact address | Annex I, Section 2 §6 | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
24 | Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity | Article 10(9) of the Regulation | Assessed by notified body; must be supported by clear written policies, procedures and instructions of the quality system
General documentation
ID | Requirement | Reference | Comment
25 | The name, registered trade mark (or trade name), a contact postal address and an email address must be indicated on the product or, where that is not possible, on its packaging or in an accompanying document | Annex II, Section 1 | Self-written
26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | Self-written
27 | The product must be delivered with a type, batch, version or serial number (or another element allowing its identification) | Annex II, Section 3 | Self-written
28 | The intended use, essential functionalities and security features/properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | Self-written
29 | Any intended use of the product which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | Self-written
30 | A link to the software bill of materials must be provided in the accompanying documentation (if the SBOM is not provided directly) | Annex II, Section 6 | Self-written
31 | A link to the EU declaration of conformity must be provided in the accompanying documentation (if the declaration is not provided directly) | Annex II, Section 7 | Self-written
32 | The type of technical and security support and the time limit for support must be detailed in the accompanying documentation | Annex II, Section 8 | Self-written
33 | Detailed instructions, or a link to them, on the measures necessary during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided | Annex II, Section 9 §a | Self-written
34 | Detailed instructions, or a link to them, on how changes to the product can affect the security of data must be provided | Annex II, Section 9 §b | Self-written
35 | Detailed instructions, or a link to them, on how to install security updates must be provided | Annex II, Section 9 §c | Self-written
36 | Detailed instructions, or a link to them, on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | Self-written
37 | The manufacturer shall affix the CE marking and, under the responsibility of the notified body referred to in point 3.1, the latter's identification number | Annex VI, module H, section 5.1 | -
EU declaration of conformity
ID | Requirement | Reference | Comment
38 | The EU declaration of conformity must contain the name, type and any unique identifying information of the product (including a photograph, if appropriate) allowing its traceability. It must also identify the specific product model for which it has been drawn up | Annex IV, Section 1, Annex IV, Section 4 and Annex VI, module H, section 5.2 | Self-written
39 | The EU declaration of conformity must contain the name and address of the manufacturer or its authorised representative | Annex IV, Section 2 | Self-written
40 | The declaration must contain a statement that it is issued under the sole responsibility of the manufacturer | Annex IV, Section 3 | Self-written
41 | The declaration must contain a statement that the product is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | Self-written
42 | The declaration must reference any relevant harmonised standards used, or other certification, to which conformity is declared | Annex IV, Section 6 | Self-written
43 | Where applicable (such as for Class I and II products), the name and number of the notified body, a description of the conformity assessment procedure performed and the ID of the certificate issued must be referenced | Annex IV, Section 7 | Self-written
44 | The declaration may contain additional information if relevant | Annex IV, Section 8 | Self-written
45 | The declaration must be signed for and on behalf of the manufacturer (designated by its trade mark), stating the place and date of issue | Annex IV | Self-written
46 | The declaration must be signed by an authorised representative, designated by name and function | Annex IV and Article 12(1) of the Regulation | Self-written
47 | The EU declaration of conformity must be drawn up for each product and kept for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | Self-written
Technical documentation
ID | Requirement | Reference | Comment
48 | The technical documentation must contain a general description of the product | Annex V, Section 1 | Assessed by notified body
49 | The general description must include the product's intended purpose | Annex V, Section 1 §a | Assessed by notified body
50 | The general description must include the versions of software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | Assessed by notified body
51 | For hardware products, the general description must include photographs or illustrations showing external features, marking and internal layout | Annex V, Section 1 §c | Assessed by notified body
52 | The general description must include the information described in Annex II (manufacturer's name, registered trade mark, contact information, both general and for cybersecurity vulnerability reporting, type, batch, version or serial number of the product, technical and security support provided, how to securely commission and decommission the product, how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | Assessed by notified body
53 | The technical documentation must contain a description of the design and development of the product, including drawings and diagrams (if applicable) and/or a description of the system architecture | Annex V, Section 2 §a | Assessed by notified body
54 | The technical documentation must contain complete information on the vulnerability handling processes and disclosure policy, the software bill of materials, the contact address for the reporting of vulnerabilities and how updates are securely distributed | Annex V, Section 2 §b and Section 7 | Assessed by notified body
55 | The technical documentation must contain complete information and specifications of the production and monitoring processes of the product, including validation of these processes | Annex V, Section 2 §c | Assessed by notified body
56 | The technical documentation must contain an assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | Assessed by notified body
57 | If the product also falls under other EU regulations or harmonised standards, the technical documentation must reference them and state how they have been applied to the product; if they have not been applied, what other solutions and measures have been implemented to meet the CRA's requirements; and if they have been applied only in part, which parts of those standards or regulations have been applied | Annex V, Section 4 and Articles 19 and 18(3) of the Regulation | Assessed by notified body
58 | The technical documentation should contain a description and reports of the tests carried out to verify the conformity of the product and of the vulnerability handling processes with Sections 1 and 2 of Annex I. If an essential requirement does not apply to a particular product, the manufacturer must include a justification in the cybersecurity risk assessment within the technical documentation | Annex V, Section 5, Annex I, Sections 1 and 2, and Swedish update | Assessed by notified body
59 | The technical documentation must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | Assessed by notified body
60 | The technical documentation must be drawn up for each product and kept for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | -
Communication with the authorities
ID | Requirement | Reference | Comment
61 | The manufacturer shall notify any actively exploited vulnerability of which it becomes aware to the CSIRTs | Article 11(1) of the Regulation | -
62 | The manufacturer must design and implement a policy for reporting, without undue delay, vulnerabilities and breaches to the product's users, including corrective measures | Article 11(4) of the Regulation | -
63 | The manufacturer must design and implement a policy to bring a product that is no longer in conformity back into conformity (including through updates), or to withdraw or recall the product where appropriate | Article 10(12) of the Regulation | -
64 | The manufacturer shall design and implement a policy enabling it to alert the relevant market surveillance authorities and, by any means available, the product's users in the event that it ceases its operations | Article 10(14) of the Regulation | -
65 | The manufacturer shall designate an authorised representative with a mandate enabling them to fulfil the requirements set out in point 4 | Annex VI, Module A, Section 5 | -
Application for certification
ID | Requirement | Reference | Comment
66 | The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products concerned | Annex VI, module H, section 3.1 | -
67 | The application shall include the name and address of the manufacturer and, if applicable, of the authorised representative | Annex VI, module H, section 3.1 | -
68 | The application shall include the technical documentation (see Annex V) for one model of each category of products | Annex VI, module H, section 3.1 and Annex V | -
69 | The application shall include a declaration that the same application has not been lodged with another notified body | Annex VI, module H, section 3.1 | -
70 | The quality system shall ensure compliance with Annex I, Sections 1 and 2, and shall be documented through the policies, procedures, instructions and tests (including records of test results) adopted to meet the requirements of Annex I | Annex VI, module H, section 3.2 | -
71 | The application shall include the quality system documentation referred to in Annex VI, module H, section 3.2 | Annex VI, module H, sections 3.3 and 4.2 | -
72 | The quality system shall be maintained throughout the lifetime of the product | Annex VI, module H, section 3.4 | -
73 | The manufacturer shall inform the notified body of any change to the quality system; the notified body may re-evaluate the modified quality system | Annex VI, module H, section 3.5 | -
74 | The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular the quality management system documentation | Annex VI, module H, section 4.2 | -
75 | The manufacturer shall keep, for at least 10 years after the product has been placed on the market: the technical documentation referred to in 3.1, the quality system documentation (3.1) and its modifications as approved (3.5), and the decisions and reports of the notified body | Annex VI, module H, section 6 | -
76 | The authorised representative may lodge the application provided that this is specified in the mandate | Annex VI, module H, section 8 | -
Developers of non-critical software

Companies developing non-critical software can self-assess their compliance with the CRA’s requirements.

You can check Annex III of the regulation for the list of critical products (what the CRA calls "critical products with digital elements" encompasses both hardware products and software).

Developers of non-critical software may nonetheless choose to undergo the same assessment process as critical software, wherein compliance with the CRA is assessed by a notified body.

Check the Critical software tab to know more.

General requirements
ID | Requirement | Reference | Comment
1 | The software is not released for testing purposes (such as alpha versions, beta versions or release candidates) | ¶21 of the Regulation | Software released for testing does not fall under the scope of the CRA, but should only be released after a risk assessment has been conducted
2 | Cyber-resilience should be taken into account when designing, developing and producing the software | Annex I, Section 1 §1 | Self-assessed
3 | The software should have no known exploitable vulnerability | Annex I, Section 1 §2 | Self-assessed
4 | Developers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the Regulation | Self-assessed
5 | Secure by default configuration | Annex I, Section 1 §3a | Self-assessed
6 | Implement a factory reset feature (ability to reset the software to its original state) | Annex I, Section 1 §3a | Self-assessed
7 | Implement strong authentication protocols (such as multi-factor authentication) to protect against unauthorised access | Annex I, Section 1 §3b | Self-assessed
8 | Protect the confidentiality and integrity of user data (including personal data) using tools such as encryption mechanisms, access control protocols, etc. | Annex I, Section 1 §3c and Annex I, Section 1 §3d | Self-assessed
9 | Process only data that is necessary for the intended use of the software (similar to the GDPR data minimisation requirement) | Annex I, Section 1 §3e | Self-assessed
10 | Build in resilience against, and mitigation of, denial of service attacks | Annex I, Section 1 §3f | Self-assessed
11 | Minimise your own impact on the availability of services provided by other devices or networks; in other words, ensure that your systems cannot be used in a DDoS attack | Annex I, Section 1 §3g | Self-assessed
12 | Design software to limit the impact of attacks and incidents. For example: authentication protocols, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | Self-assessed
13 | Record and/or monitor relevant user and network activity. For example: activity/user logs | Annex I, Section 1 §3j | Self-assessed
14 | Automatic security updates for at least 5 years (or the lifetime of the software, whichever is shorter) | Annex I, Section 1 §3k and Article 10(5) of the Regulation | Self-assessed
15 | Automatic user notification of vulnerabilities and security updates | Annex I, Section 1 §3k | Self-assessed
16 | Creation of a Software Bill of Materials (SBOM) | Annex I, Section 2 §1 | Self-assessed
17 | Identification and documentation of vulnerabilities and components (including through the SBOM) | Annex I, Section 2 §1 | Self-assessed
18 | Ability to provide free automatic security updates and to alert the end user that a security update is available or was applied on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | Self-assessed
19 | Design and implement a policy for regular testing and review of the security of the software | Annex I, Section 2 §3 | Self-assessed
20 | Design and implement a policy for security update release notes, to be issued every time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | Self-assessed
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | Self-assessed
22 | Provide a contact address for third-party reporting of vulnerabilities discovered in your software | Annex I, Section 2 §6 | Self-assessed
23 | Design and implement a policy for sharing information about vulnerabilities in your software with third parties, including the contact address | Annex I, Section 2 §6 | Self-assessed
24 | The CE marking should be affixed to the software | Annex VI, Section 4.1 | If applicable
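Items 16 and 17 (creating an SBOM and identifying vulnerabilities through it) are the one place in this checklist that maps to a concrete engineering artefact, and the same items appear in the manufacturers' tables above. The following Python is an added example, not part of this checklist, the regulation or any tool the page names: it builds a minimal CycloneDX 1.5-shaped SBOM from a constructed component inventory and cross-references it against a constructed advisory list, recording matches in the SBOM's own top-level "vulnerabilities" array. The component names, versions and advisory IDs are made up (they are not real CVEs), the "generic" package URL type is an assumption, and version comparison is simplified to dotted numeric versions with an "everything below the fixed version is affected" rule; real advisories carry explicit version ranges and ecosystem-specific ordering, so that comparison should be replaced by a proper range matcher before relying on it.

```python
"""Added example: build a minimal CycloneDX-style SBOM and cross-reference it
against an advisory list. All components, versions and advisory IDs below are
constructed for illustration; they are not real products or CVEs."""
import json
import uuid
from datetime import datetime, timezone

# Constructed component inventory, as a build system might record it for one firmware image.
COMPONENTS = [
    {"name": "openssl", "version": "3.0.7", "type": "library", "supplier": "OpenSSL"},
    {"name": "zlib", "version": "1.2.11", "type": "library", "supplier": "zlib"},
    {"name": "busybox", "version": "1.36.1", "type": "application", "supplier": "BusyBox"},
]

# Constructed advisory feed (NOT real CVE data). Simplified rule: every version
# strictly below "fixed" is affected. Real advisories carry explicit version ranges.
ADVISORIES = [
    {"id": "ADV-2023-0001", "name": "openssl", "fixed": "3.0.8"},
    {"id": "ADV-2022-0002", "name": "zlib", "fixed": "1.2.12"},
    {"id": "ADV-2023-0003", "name": "busybox", "fixed": "1.36.0"},
]


def parse_version(version):
    """Assumption: dotted numeric versions only. '1.2.11' -> (1, 2, 11)."""
    return tuple(int(part) for part in version.split("."))


def purl(component):
    """Package URL, also used as the component's bom-ref. 'generic' is an assumed type."""
    return f"pkg:generic/{component['name']}@{component['version']}"


def build_sbom(product_name, product_version, components):
    """Return a CycloneDX 1.5-shaped SBOM as a dict (serialise with json.dumps)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "firmware", "name": product_name, "version": product_version},
        },
        "components": [
            {
                "type": c["type"],
                "name": c["name"],
                "version": c["version"],
                "supplier": {"name": c["supplier"]},
                "purl": purl(c),
                "bom-ref": purl(c),
            }
            for c in components
        ],
    }


def find_affected(sbom, advisories):
    """Match SBOM components against advisories; return [(bom-ref, advisory id), ...]."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            same_component = adv["name"] == comp["name"]
            below_fix = parse_version(comp["version"]) < parse_version(adv["fixed"])
            if same_component and below_fix:
                hits.append((comp["bom-ref"], adv["id"]))
    return hits


def attach_vulnerabilities(sbom, hits):
    """Record matches in the SBOM's top-level 'vulnerabilities' array (CycloneDX 1.4+),
    each entry pointing at the affected component by bom-ref. Mutates and returns sbom."""
    sbom["vulnerabilities"] = [{"id": adv_id, "affects": [{"ref": ref}]} for ref, adv_id in hits]
    return sbom


if __name__ == "__main__":
    bom = build_sbom("example-gateway", "2.4.0", COMPONENTS)
    attach_vulnerabilities(bom, find_affected(bom, ADVISORIES))
    print(json.dumps(bom, indent=2))
```

Running the block prints the SBOM with two vulnerability entries (openssl and zlib are below their fixed versions; busybox 1.36.1 is not). In a release pipeline the advisory list would be pulled from a real feed and the check re-run on every build and on every feed update, since item 17 is a continuing obligation rather than a one-off deliverable.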
General documentation
ID | Requirement | Reference | Comment
25 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | Self-written
26 | The software must be delivered with a name, a type and any additional information enabling its identification | Annex II, Section 3 | Self-written
27 | The intended purpose, essential functionalities and security features/properties provided by the software must be detailed in the accompanying documentation | Annex II, Section 4 | Self-written
28 | Any intended use of the software which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | Self-written
31 | The type of technical and security support and the time limit for support must be detailed in the accompanying documentation | Annex II, Section 8 | Self-written
32 | Detailed instructions, or a link to them, on the measures necessary during initial commissioning and throughout the lifetime of the software to ensure its secure use must be provided | Annex II, Section 9 §a | Self-written
33 | Detailed instructions, or a link to them, on how changes to the software can affect the security of data must be provided | Annex II, Section 9 §b | Self-written
34 | Detailed instructions, or a link to them, on how to install security updates must be provided | Annex II, Section 9 §c | Self-written
35 | Detailed instructions, or a link to them, on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | Self-written
EU declaration of conformity
ID | Requirement | Reference | Comment
36 | The EU declaration of conformity must contain the name, type and any unique identifying information of the software allowing its traceability | Annex IV, Section 1 and Annex IV, Section 4 | Self-written
37 | The EU declaration of conformity must contain the name and address of the software developer or its authorised representative | Annex IV, Section 2 | Self-written
38 | The declaration must contain a statement that it is issued under the sole responsibility of the software developer | Annex IV, Section 3 | Self-written
39 | The declaration must contain a statement that the software is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | Self-written
40 | The declaration must reference any relevant harmonised standards used, or other certification, to which conformity is declared | Annex IV, Section 6 | Self-written
41 | Where applicable (such as for Class I and II software), the name and number of the notified body, a description of the conformity assessment procedure performed and the ID of the certificate issued must be referenced | Annex IV, Section 7 | Self-written
42 | The declaration may contain additional information if relevant | Annex IV, Section 8 | Self-written
43 | The declaration must be signed for and on behalf of the software developer (designated by its trade mark), stating the place and date of issue | Annex IV | Self-written
44 | The declaration must be signed by an authorised representative, designated by name and function | Annex IV and Article 12(1) of the Regulation | Self-written
45 | The EU declaration of conformity and the technical documentation must be drawn up for each software version (provided that the new version introduces substantial changes) and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | Self-written
Technical documentation
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 46 | The technical documentation must contain a general description of the software | Annex V, Section 1 | self-written | |
| 47 | The general description must include the software's intended purpose | Annex V, Section 1 §a | self-written | |
| 48 | The general description must include the versions of the software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | self-written | |
| 49 | The general description must include the information described in Annex II (software developer's name, registered trademark, contact information, both general and for cybersecurity risk reporting, the type, batch, version or serial number of the software, the technical and security support provided, how to safely commission and decommission the software, and how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | self-written | |
| 50 | The technical documentation must contain a description of the design and development of the software, including drawings and schemes (if applicable) and/or a description of the system architecture | Annex V, Section 2 §a | self-written | |
| 51 | The technical description must contain complete information on the vulnerability handling processes and disclosure policy, the software bill of materials, the contact address for the reporting of vulnerabilities and how updates are securely distributed | Annex V, Section 2 §b and Section 7 | self-written | |
| 52 | The technical description must contain complete information and specifications of the development and monitoring processes of the software, including validation of these processes | Annex V, Section 2 §c | self-written | |
| 53 | The technical description must contain an assessment of the cybersecurity risks against which the software is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | self-written | |
| 54 | If the software also falls under the purview of other EU regulations or harmonised standards, the technical description must contain a reference to them and how they have been applied to the software; if they have not been applied, what other solutions and measures have been implemented to meet the CRA's own standards; and if they have been partly applied, which parts of these standards or regulations have been applied | Annex V, Section 4 and Article 19 and Article 18(3) of the Regulation | self-written | |
| 55 | The technical description should contain a description and reports of the tests carried out to verify the conformity of the software and of the vulnerability handling processes, with reference to Sections 1 and 2 of Annex I | Annex V, Section 5 and Annex I, Sections 1 and 2 | self-written | |
| 56 | The technical description must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | self-written | |
| 57 | The technical description must be created for each software version (provided that the new version introduces substantial changes) and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | self-written | |
Communication with the Authorities
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 58 | The software developer must design and implement a policy for the reporting of vulnerabilities and breaches to the relevant authorities within 24 hours of their discovery | Article 11(1) of the Regulation | self-written | |
| 59 | The software developer must design and implement a policy for the reporting, without undue delay, of vulnerabilities and breaches to software users, including corrective measures | Article 11(4) of the Regulation | self-written | |
| 60 | The software developer must design and implement a policy to bring software that is no longer in conformity back into conformity (including through updates) or withdraw the software from the market, if appropriate | Article 10(12) of the Regulation | self-written | |
| 61 | The software developer shall design and implement a policy that enables it to alert the relevant market authorities and, by any means available, the software users in the event that it ceases its operations | Article 10(14) of the Regulation | self-written | |
| 62 | The software developer shall designate an authorised representative with a mandate enabling them to fulfil the requirements set out in point 4 | Annex VI, Module A, Section 5 | - | |
Developers of critical software

Software companies developing critical software need to go through an external assessment process conducted by a notified body, which is responsible for verifying the compliance of the products with the requirements of the CRA.

You can check Annex III of the regulation for a list of Critical Products (what the CRA names "critical products with digital elements" encompasses both hardware products and software).

These software companies will need to go through Module H, a CRA assessment path in which the notified body assesses a quality system: a written record of the processes and procedures the software company follows to ensure that the software meets the requirements of the CRA.

Module H

General requirements
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The software is not released for testing purposes (such as alpha versions, beta versions or release candidates) | ¶21 of the Regulation | software released for testing does not fall under the scope of the CRA, but should be released after a risk assessment has been conducted | |
| 2 | Cyber-resilience should be taken into account when designing, developing and producing the software | Annex I, Section 1 §1 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 3 | The software should have no known exploitable vulnerability | Annex I, Section 1 §2 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 4 | Developers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the Regulation | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.3) | |
| 5 | Secure by default configuration | Annex I, Section 1 §3a | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 6 | Implement a possibility to reset the product to its original state | Annex I, Section 1 §3a | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 7 | Implement strong authentication protocols (such as N-factor auth) to protect against unauthorised access | Annex I, Section 1 §3b | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 8 | Protect the confidentiality and integrity of users' data (including personal data) using tools such as encryption mechanisms, access control protocols, etc. | Annex I, Section 1 §3c and Annex I, Section 1 §3d | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 9 | Process only data that is necessary for the intended use of the software (similar to the GDPR requirement) | Annex I, Section 1 §3e | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 10 | Create resilience against and mitigation of denial of service attacks | Annex I, Section 1 §3f | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 11 | Minimise your own impact on the availability of services provided by other devices or networks; in other words, ensure that your systems cannot be used in a DoS attack | Annex I, Section 1 §3g | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 12 | Design software to limit the impact of attacks and incidents, for example through auth protocols, user roles with different privileges and incident response plans | Annex I, Section 1 §3i | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 13 | Record and/or monitor relevant user and network activity, for example through an activity/user log | Annex I, Section 1 §3j | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 14 | Automatic security updates for at least 5 years (or the lifetime of the software, whichever is shorter) | Annex I, Section 1 §3k and Article 10(5) of the Regulation | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 15 | Automatic user notification of vulnerabilities and security updates | Annex I, Section 1 §3k | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 16 | Creation of a Software Bill of Materials | Annex I, Section 2 §1 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 17 | Identification of vulnerabilities and documentation writing (including through the SBOM) | Annex I, Section 2 §1 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 18 | Ability to provide free automatic security updates and to alert the end user that a security update is available or was executed on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 19 | Design and implement a policy for regular testing and reviews of the security of the software | Annex I, Section 2 §3 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 20 | Design and implement a policy for the creation of security update release notes, to be issued every time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 22 | Create a contact address for the third-party reporting of vulnerabilities discovered in your software | Annex I, Section 2 §6 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 23 | Design and implement a policy for the third-party sharing of information about vulnerabilities in your software, including the contact address | Annex I, Section 2 §6 | assessed by notified body; clear written policies, procedures and instructions shall be written with regard to the quality system (see Annex VI, module H, section 3.2) | |
| 24 | The CE marking and the notified body ID number (module H) should be affixed to the software | Annex VI, Section 4.1 | if applicable | |
General documentation
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 25 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the software documentation | Annex II, Section 2 | self-written | |
| 26 | The software must be delivered with a name, a type and any additional information enabling its identification | Annex II, Section 3 | self-written | |
| 27 | The intended purpose, essential functionalities and security features/properties provided by the software must be detailed in the accompanying documentation | Annex II, Section 4 | self-written | |
| 28 | Any intended use of the software which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | self-written | |
| 31 | The type of technical and security support and the time limit for that support must be detailed in the accompanying documentation | Annex II, Section 8 | self-written | |
| 32 | Detailed instructions, or a link to them, on the measures necessary during initial commissioning and throughout the lifetime of the software to ensure its secure use must be provided | Annex II, Section 9 §a | self-written | |
| 33 | Detailed instructions, or a link to them, on how changes to the software can affect the security of the data must be provided | Annex II, Section 9 §b | self-written | |
| 34 | Detailed instructions, or a link to them, on how to install security updates must be provided | Annex II, Section 9 §c | self-written | |
| 35 | Detailed instructions, or a link to them, on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | self-written | |
EU declaration of conformity
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 36 | The EU declaration of conformity must contain the name, type and any unique identifying information of the software allowing its traceability | Annex IV, Section 1 and Annex IV, Section 4 | self-written | |
| 37 | The EU declaration of conformity must contain the name and address of the software developer or its authorised representative | Annex IV, Section 2 | self-written | |
| 38 | The declaration must contain a statement that it is issued under the sole responsibility of the provider | Annex IV, Section 3 | self-written | |
| 39 | The declaration must contain a statement that it is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | self-written | |
| 40 | The declaration must reference any relevant harmonised standards used, or related certification, to which conformity is declared | Annex IV, Section 6 | self-written | |
| 41 | Where applicable (such as for Class I and II software), the name and number of the notified body, a description of the conformity assessment procedure performed and the ID of the issued certificate must be referenced | Annex IV, Section 7 | self-written | |
| 42 | The declaration can contain additional information if relevant | Annex IV, Section 8 | self-written | |
| 43 | The declaration must be signed for and on behalf of the software developer (designated by its trademark), stating the place and date of issue | Annex IV | self-written | |
| 44 | The declaration must be signed by an authorised representative, designated by name and function | Annex IV and Article 12(1) of the Regulation | self-written | |
| 45 | The EU declaration of conformity and technical description must be created for each software version (provided that the new version introduces substantial changes) and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | self-written | |
Technical documentation
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 46 | The technical documentation must contain a general description of the software | Annex V, Section 1 | self-written, assessed by notified body | |
| 47 | The general description must include the software's intended purpose | Annex V, Section 1 §a | self-written, assessed by notified body | |
| 48 | The general description must include the versions of the software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | self-written, assessed by notified body | |
| 49 | The general description must include the information described in Annex II (software developer's name, registered trademark, contact information, both general and for cybersecurity risk reporting, the type, batch, version or serial number of the software, the technical and security support provided, how to safely commission and decommission the software, and how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | self-written, assessed by notified body | |
| 50 | The technical documentation must contain a description of the design and development of the software, including drawings and schemes (if applicable) and/or a description of the system architecture | Annex V, Section 2 §a | self-written, assessed by notified body | |
| 51 | The technical description must contain complete information on the vulnerability handling processes and disclosure policy, the software bill of materials, the contact address for the reporting of vulnerabilities and how updates are securely distributed | Annex V, Section 2 §b and Section 7 | self-written, assessed by notified body | |
| 52 | The technical description must contain complete information and specifications of the development and monitoring processes of the software, including validation of these processes | Annex V, Section 2 §c | self-written, assessed by notified body | |
| 53 | The technical description must contain an assessment of the cybersecurity risks against which the software is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | self-written, assessed by notified body | |
| 54 | If the software also falls under the purview of other EU regulations or harmonised standards, the technical description must contain a reference to them and how they have been applied to the software; if they have not been applied, what other solutions and measures have been implemented to meet the CRA's own standards; and if they have been partly applied, which parts of these standards or regulations have been applied | Annex V, Section 4 and Article 19 and Article 18(3) of the Regulation | self-written, assessed by notified body | |
| 55 | The technical description should contain a description and reports of the tests carried out to verify the conformity of the software and of the vulnerability handling processes, with reference to Sections 1 and 2 of Annex I | Annex V, Section 5 and Annex I, Sections 1 and 2 | self-written, assessed by notified body | |
| 56 | The technical description must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | self-written, assessed by notified body | |
| 57 | The CE marking and the notified body ID number (module H) should be affixed to the software | Annex VI, Section 4.1 | if applicable, assessed by notified body | |
Communication with the Authorities
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 58 | The software developer must design and implement a policy for the reporting of vulnerabilities and breaches to the relevant authorities within 24 hours of their discovery | Article 11(1) of the Regulation | self-written | |
| 59 | The software developer must design and implement a policy for the reporting, without undue delay, of vulnerabilities and breaches to software users, including corrective measures | Article 11(4) of the Regulation | self-written | |
| 60 | The software developer must design and implement a policy to bring software that is no longer in conformity back into conformity (including through updates) or withdraw the software from the market, if appropriate | Article 10(12) of the Regulation | self-written | |
| 61 | The software developer shall design and implement a policy that enables it to alert the relevant market authorities and, by any means available, the software users in the event that it ceases its operations | Article 10(14) of the Regulation | self-written | |
| 62 | The software developer shall designate an authorised representative with a mandate enabling them to fulfil the requirements set out in point 4 | Annex VI, Module A, Section 5 | - | |
Lodging an application for certification
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 63 | The software developer shall lodge an application for assessment of its quality system with the notified body of its choice, for the software products concerned | Annex VI, module H, section 3.1 | - | |
| 64 | The application shall include the name and address of the software developer and, if applicable, of the authorised representative | Annex VI, module H, section 3.1 | - | |
| 65 | The application shall include the technical documentation (see Annex V) for each software version | Annex VI, module H, section 3.1 and Annex V | - | |
| 66 | The application shall include a declaration that the same application has not been made to another body | Annex VI, module H, section 3.1 | - | |
| 67 | The self-assessed compliance with Annex I, Sections 1 and 2 shall be accompanied by a quality system describing the policies, procedures, instructions and tests (including records of test results) set out to meet the requirements of Annex I | Annex VI, module H, section 3.2 | - | |
| 68 | The application shall include the quality system referred to in Annex VI, module H, section 3.2 | Annex VI, module H, sections 3.3 and 4.2 | - | |
| 69 | The quality system shall be maintained throughout the lifetime of the software | Annex VI, module H, section 3.4 | - | |
| 70 | The software developer shall inform the notified body if the quality system changes, and may be re-evaluated on the new quality system | Annex VI, module H, section 3.5 | - | |
| 71 | The software developer shall keep, for at least 10 years after the software has been placed on the market: the technical documentation referred to in 3.1, the quality system documentation (3.1) and its modifications as approved (3.5), and the decisions and reports of the notified body | Annex VI, module H, section 6 | - | |
| 72 | The authorised representative may lodge the application, provided that this is specified in the mandate | Annex VI, module H, section 8 | - | |
Importers of products with digital elements
General requirements
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | When placing a product on the EU market, distributors shall neither use their own name or trademark, nor substantially modify the CRA-compliant product. Doing either would have them considered "manufacturers" under the CRA, with the corresponding requirements. | Article 15 of the Regulation | |
| 2 | Importers shall only place on the market products with digital elements that comply with the essential requirements set out in Section 1 of Annex I and where the processes put in place by the manufacturer are compliant with the essential requirements set out in Section 2 of Annex I (i.e. CRA compliant) | Article 13(1) of the Regulation | |
Product Requirements
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 3 | Before placing a product with digital elements on the market, importers shall ensure that: | Article 13(2) of the Regulation | |
| 4 | the appropriate conformity assessment procedures referred to in Article 24 have been carried out by the manufacturer; | Article 13(2)a of the Regulation | |
| 5 | the manufacturer has drawn up the technical documentation; | Article 13(2)b of the Regulation | |
| 6 | the product with digital elements bears the CE marking referred to in Article 22 and is accompanied by the information and instructions for use as set out in Annex II. | Article 13(2)c of the Regulation | |
| 7 | Importers shall indicate their name, registered trade name or registered trademark, the postal address and the email address at which they can be contacted on the product with digital elements or, where that is not possible, on its packaging or in a document accompanying the product with digital elements. | Article 13(4) of the Regulation | |
| 8 | Importers shall ensure that the product with digital elements is accompanied by the instructions and information set out in Annex II in a language which can be easily understood by users and market surveillance authorities. | Article 13(5) of the Regulation | |
Reporting Requirements
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 9 | Importers must be willing to fully cooperate with market surveillance authorities and other competent authorities. | ¶55 of the Regulation | |
| 10 | Where an importer has reason to believe that a product is not in conformity with the essential requirements of the CRA, the importer shall not place the product on the market until that product has been brought into conformity. | Article 13(3) of the Regulation | |
| 11 | Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect. | Article 13(3) of the Regulation | |
| 12 | Importers who have reason to believe that a product which they have placed on the market is not in conformity with the CRA shall immediately take the corrective measures necessary to bring that product into conformity, or withdraw or recall the product, if appropriate. | Article 13(6) of the Regulation | |
| 13 | Importers shall, for ten years after the product has been placed on the market, keep a copy of the EU declaration of conformity and the technical documentation at the disposal of the market surveillance authorities. | Article 13(7) of the Regulation | |
| 14 | Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with the CRA, in a language that can be easily understood by that authority. | Article 13(8) of the Regulation | |
| 15 | When the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations, it shall inform the relevant market surveillance authorities about this situation. | Article 13(9) of the Regulation | |
Distributors of products with digital elements
General requirements
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | When placing a product on the EU market, distributors shall neither use their own name or trademark, nor substantially modify the CRA-compliant product. Doing either would have them considered "manufacturers" under the CRA, with the corresponding requirements. | Article 15 of the Regulation | |
| 2 | When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements of this Regulation. | Article 14(1) of the Regulation | |
Product Requirements
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 3 | Before making a product with digital elements available on the market, distributors shall verify that: | Article 14(2) of the Regulation | |
| 4 | the product with digital elements bears the CE marking; | Article 14(2)a of the Regulation | |
| 5 | the manufacturer and the importer have complied with the obligations set out respectively in Articles 10(10), 10(11) and 13(4) (i.e. the general documentation, see the manufacturers' checklist, the EU declaration of conformity checklists and the contact information of the importer shall be distributed with the product). | Article 14(2)b of the Regulation | |
Reporting Requirements
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 6 | Distributors must be willing to fully cooperate with market surveillance authorities and other competent authorities. | ¶55 of the Regulation | |
| 7 | When a distributor has reason to believe that a product is not in conformity with the essential requirements of the CRA, it shall not place the product on the market until that product has been brought into conformity. | Article 14(3) of the Regulation | |
| 8 | Furthermore, when the product with digital elements presents a significant cybersecurity risk, the distributor shall inform the manufacturer. | Article 14(3) of the Regulation | |
| 9 | Distributors who have reason to believe that a product which they have placed on the market is not in conformity with the CRA shall immediately take the corrective measures necessary to bring that product into conformity, or withdraw or recall the product, if appropriate. | Article 14(4) of the Regulation | |
| 10 | Distributors shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with the CRA, in a language that can be easily understood by that authority. | Core proposal - Article 14(5) | |
| 11 | When the distributor becomes aware that the manufacturer has ceased its operations, it shall inform the relevant market surveillance authorities about this situation. | Core proposal - Article 14(6) | |
| 12 | When the distributor becomes aware that the manufacturer has ceased its operations, it shall inform, by any means available and to the extent possible, the users of the products placed on the market. | Core proposal - Article 14(6) | |
Resellers / other economic actors
General requirements
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | Resellers (or other economic actors that are neither the manufacturer, the importer nor the distributor) shall not substantially modify a CRA-compliant product. | Article 16 of the Regulation | |
| 2 | If they were to substantially modify a CRA-compliant product, they would be subject to Articles 10 and 11(1), (1a), (2), (2a), (2b), 2(aaaa), (4) and (7), for the part of the product that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product. | Article 16 of the Regulation | |
Reporting Requirements
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 3 | Resellers (or other economic actors that are neither the manufacturer, the importer nor the distributor) must be willing to fully cooperate with market surveillance authorities and other competent authorities. | ¶55 of the Regulation | |
| 4 | They shall be able to provide to the market surveillance authorities the name and address of any economic operator who has supplied them with a product with digital elements; | Article 17(1)a of the Regulation | |
| 5 | They shall be able to provide to the market surveillance authorities the name and address of any economic operator to whom they have supplied a product with digital elements; | Article 17(1)b of the Regulation | |
| 6 | They shall keep a record of the information referred to in paragraph 1 for ten years after they have been supplied with the product with digital elements. | Article 17(2) of the Regulation | |