Free self-assessment tool for the EU Cyber Resilience Act. Check if your product needs compliance, get your risk score, and generate required documentation β instantly.
Regulation (EU) 2024/2847 officially applies across all EU member states.
Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours.
All essential cybersecurity requirements must be met. Products without CE marking pulled from market.
From classification to documentation β our free tool guides you through the entire process.
Determine if your product is Default, Important (Class I/II), or Critical under CRA β and what that means for your obligations.
Get a 0β100% compliance score based on your current security posture. See exactly where you stand and what needs work.
Generate 4 essential CRA documents instantly: Technical Documentation, Security Policy, Vulnerability Disclosure, and EU Declaration of Conformity.
Receive a prioritized list of actions with deadlines to achieve full compliance β tailored to your product's classification.
Everything runs in your browser. No data leaves your device. No accounts, no tracking, no cloud storage. Your data stays yours.
Complete the 7-step wizard in under 5 minutes and get your classification, score, and documents immediately. No waiting, no callbacks.
Three simple steps from uncertainty to clarity.
Tell us about your product, its connectivity, data handling, and current security measures in our guided 7-step assessment.
Receive your CRA classification, compliance score, gap analysis, and a prioritized action roadmap tailored to your product.
Download pre-filled compliance document templates ready for your legal team to review and finalize.
"Finally a clear, no-nonsense tool that helped us understand where we stand with CRA. The document generator saved us weeks of work."
"We used CRA-Check to quickly classify 12 products. The prioritized action roadmap made it easy to present a compliance plan to our board."
"Great starting point for CRA compliance. The fact that it's completely client-side was a must-have for us. Looking forward to PDF export!"
Start for free. Upgrade when you need more.
The CRA (Regulation EU 2024/2847) is an EU regulation that sets mandatory cybersecurity requirements for all products with digital elements sold in the European single market. This includes hardware, software, IoT devices, and connected systems. It requires manufacturers to implement security-by-design, provide security updates, handle vulnerabilities, and maintain proper documentation.
If your product contains or connects to any digital component and is sold (or made available) in the EU, the CRA almost certainly applies. This includes desktop software, mobile apps, IoT devices, network equipment, embedded firmware, and even open-source projects under certain conditions. Our assessment wizard will help you determine the exact classification.
Non-compliance with essential cybersecurity requirements can result in fines of up to β¬15,000,000 or 2.5% of worldwide annual turnover, whichever is higher. Non-compliance with other CRA obligations can result in fines up to β¬10M or 2%. Even providing incorrect or incomplete information can lead to fines of up to β¬5M or 1%.
No. CRA-Check is an educational and guidance tool designed to help you understand your CRA obligations and get started with compliance. The generated documents are templates that should be reviewed and finalized by your legal and security teams. Always consult with legal professionals for binding compliance decisions.
Absolutely. CRA-Check runs entirely in your browser. No data is sent to any server, no accounts are created, and nothing is stored in the cloud. Your assessment data exists only in your browser session and is gone when you close the tab. You can verify this β the tool works fully offline.
Default: Most products with digital elements fall here β self-assessment is sufficient.
Important Class I: Operating systems, routers, VPNs, firewalls, password managers β self-assessment using harmonized standards or third-party assessment.
Important Class II: Hypervisors, industrial firewalls, tamper-resistant chips β mandatory third-party assessment.
Critical: Smart meter gateways, HSMs, smartcard readers for critical infrastructure β EU cybersecurity certification required.
Free assessment. No registration. Takes under 5 minutes.
Answer 7 sections about your product to determine your CRA classification, compliance score, and required actions.
Complete the assessment wizard first to see your CRA compliance results.
Create the required documentation based on your assessment results.
Product description, security features, architecture, and specifications
Security objectives, risk assessment, measures, and incident response
Reporting process, response timeline, safe harbor, and contacts
Official declaration template for CE marking under CRA
The EU Cyber Resilience Act (Regulation 2024/2847) sets mandatory cybersecurity requirements for products with digital elements sold in the European single market. It requires security-by-design, vulnerability handling, security updates, and proper documentation throughout a product's lifecycle.
Any manufacturer, importer, or distributor of products with digital elements β including hardware, software, firmware, IoT devices, and connected systems β that are made available on the EU market.
Essential requirements: Up to β¬15,000,000 or 2.5% of global annual turnover
Other obligations: Up to β¬10,000,000 or 2% of global annual turnover
Incorrect information: Up to β¬5,000,000 or 1% of global annual turnover