Introducing ScopeCheck: Free CRA Scope Assessment for Connected Products

The EU Cyber Resilience Act (CRA) is one of the most significant pieces of cybersecurity regulation to hit the connected products industry. With enforcement beginning in phases from 2026, manufacturers, importers, and distributors of products with digital elements need to understand their obligations — fast.

Today, we’re launching ScopeCheck: a free, independent CRA scope assessment tool that answers the questions product teams are asking right now.

Why we built ScopeCheck

We work with IoT product teams every day through the Bunkai platform. The most common question we hear isn’t about specific technical requirements — it’s more fundamental than that:

Does the CRA even apply to our product?

The regulation text runs over 100 pages. Existing guidance is scattered across legal blogs, consulting pitches, and EU publications. Most online tools require you to hand over your data, at least an email address, before you see anything useful.

We wanted something better: a clear, fast assessment that any product manager, compliance officer, or developer could run without navigating a sales funnel first.

What ScopeCheck does

ScopeCheck walks you through a short set of questions about your product’s characteristics and your role in the supply chain. In about 5 minutes, you get:
 
  • CRA applicability — whether the regulation applies to your product
  • Product classification — Default, Class I, Class II, Critical, or other categories
  • Role-specific obligations — what manufacturers, importers, and distributors each need to do
  • Key timelines — when compliance requirements take effect
  • Guidance on next steps — applicable standards, documentation requirements, and conformity assessment procedures

Results appear instantly on screen. No waiting, no email follow-up.

Who it's for

ScopeCheck is built for the teams making product and compliance decisions:

  • Product managers evaluating EU market entry or assessing the impact of the CRA on their roadmap.
  • Compliance officers who need fast, evidence-based answers across a product portfolio.
  • IoT developers who want to understand how the CRA affects their architecture and security requirements.

How it's different

ScopeCheck is developed by IoT security practitioners at Bunkai — the same team that builds security testing tools for connected products. It’s informed by research from the EU-funded CRACoWi project.

A few things that set it apart:
  • No registration required — use the full assessment without sharing your email or product details
  • Runs in your browser — we don’t collect, store, or transmit your answers
  • Built by practitioners — developed by security engineers who work with connected products, not legal consultants
  • Research-backed — grounded in CRACoWi consortium research on CRA implementation

What's next?

ScopeCheck provides guidance, not legal advice. For teams that want more detail, we offer CRA GAP analysis services: reviewing your current security posture, identifying gaps, and providing a prioritized remediation roadmap.

We also plan to expand our coverage of your CRA journey through both Bunkai and CRACoWi.

Try it now!

ScopeCheck is live and free to use here. Run as many assessments as you need — there’s no limit and no catch.

If you have questions or feedback, get in touch.