CRA maturity self-assessment
Rate 25 practices across five domains to see how mature your product-security setup is under the Cyber Resilience Act, and get a tailored checklist of what to improve next. Everything runs in your browser and is saved locally.
Based on ENISA's SME Cyber Resilience Maturity Assessment Model ↗ (ENISA, July 2026), reproduced with acknowledgement of the source. This site is independent and not affiliated with ENISA or the EU.
Governance & documentation
1.1Do you have written and approved product security policies?
1.2Are roles and responsibilities clearly defined for product security activities (e.g. development, vulnerability management, updates)?
1.3Do you maintain product-level technical documentation describing implemented security features, risk assessments, design decisions and update procedures?
1.4Is there a process to regularly review product security and the quality of related documentation?
1.5Are you aware of the Market Surveillance Authority responsible for enforcing the CRA, the conformity assessment procedure applicable to your products, and how to interact with relevant authorities if needed?
Risk management & security by design
2.1Do you perform cybersecurity risk assessments and use the results to guide product design, development, configuration and component management decisions?
2.2Are products designed using security-by-design principles from the outset?
2.3Are products delivered with secure-by-default configurations and settings?
2.4Do you perform security checks and testing before releasing or updating a product, and to what extent are automated tools used?
2.5When risks change or new threats emerge, are risk assessments, configurations and third-party components reviewed and updated?
Vulnerability & patch management
3.1Do you have a process to receive, acknowledge, record and track vulnerabilities reported by customers, researchers or internal staff?
3.2Do you have a defined process for creating, testing, delivering and communicating security updates to customers for supported products?
3.3Do you maintain and use a SBOM to support vulnerability and dependency management?
3.4Are vulnerabilities and updates prioritized based on risk, potential impact?
3.5Do you verify that security updates effectively resolve reported vulnerabilities and maintain evidence of this verification?
Product lifecycle management
4.1Is there a defined approach to managing product security during the operational phase?
4.2Is the product lifecycle management actively managed, including defined support periods, update responsibilities, end-of-life arrangements and communication with customers?
4.3Is experience from product operation, post-incident reviews and customer input used to improve products over time?
4.4Is there a structured and tested way to address identified product security issues?
4.5Are products monitored during operation to identify security risks, vulnerabilities and emerging threats?
Awareness, competence & skills
5.1Are sufficient skills available to design, develop and maintain products in a secure way, including through external expertise where internal capacity is limited?
5.2Do relevant staff receive appropriate training on cybersecurity practices relevant to their roles, including product risk management, vulnerability management, and security-by-design?
5.3Does the organisation promote a culture of responsible product development, open reporting and awareness of product risks?
5.4Do you follow relevant external product security information (e.g. advisories, alerts)?
5.5Do you assess and validate that your team has the required skills and competence to maintain secure products?
Adapted from ENISA's SME Cyber Resilience Maturity Assessment Model ↗ (© ENISA, July 2026), reproduced with acknowledgement of the source under ENISA's legal notice. This interactive version is provided for information only and is not professional or legal advice; it does not replace a formal conformity assessment. cyberresilienceact.eu is independent and not affiliated with, or endorsed by, ENISA or the European Union.
