Does the EU Cyber Resilience Act (CRA) Apply to Your Product?

Get clarity on your CRA obligations in 5 minutes or less

The CRA Deadline is Approaching. Are You Ready?

The EU Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements. With enforcement beginning in phases from 2026, manufacturers, importers, and distributors need to understand:

• Does the CRA apply to my product?

• What is my product’s classification level?

• What are my specific compliance obligations?

• When do I need to be compliant?

Getting this wrong means delayed market access, costly redesigns, or regulatory penalties.

Know Your Timeline

Understand when compliance requirements take effect for your product category

Understand Req.

Get clear guidance on security by design, vulnerability handling, and documentation

Avoid Penalties

Get clear guidance on security by design, vulnerability handling, and documentation

Find Out in 3 Simple Steps

See Your Results

Instantly see your CRA applicability, product classification, and role-specific obligations
–right on screen

Built for Teams Navigating CRA Compliance

Product Managers

Make Informed Decisions

Understand CRA impact before committing to EU market entry or new product features.

Do we need CE marking?
Will this delay our launch?
What documentation is required?

Compliance Officers

Get Clarity Fast

No more parsing 100-page regulatory documents. Get role-specific guidance instantly.

What are our obligations?
Which standards apply?
Who is the responsible party?

IoT Developers

Built by Practitioners

Understand CRA impact before committing to EU market entry or new product features.

Will my architecture comply?
“What security features are needed?
How does this affect our tech stack?

The Independent CRA Assessment Tool

Unlike generic compliance calculators or vendor-biased tools, ScopeCheck provides objective, practitioner-built guidance backed by EU research.

No Registration

Use the full assessment without sharing your data or product details

Built by Experts

Developed by IoT security practitioners with deep CRA knowledge

Research-Backed

Informed by EU-funded CRACoWi research on CRA implementation.

Instant Results

Get your assessment in minutes. Save and share immediately.

Here's What You'll Learn

Your ScopeCheck Results

Class I Important

Class I Important Product

Your product is classified as a Class I "important product" under the CRA. This category covers 19 types of products including identity management systems, web browsers, password managers, VPN products, routers, operating systems, smart home devices, and more.

You have heightened obligations and can choose between self-assessment with harmonized standards or third-party assessment.

Key Deadlines

Vulnerability Reporting

Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA

Sep 11, 2026

Full Compliance

All CRA requirements become mandatory for products placed on the market

Dec 11, 2027

Your Obligations as Manufacturer

Conduct comprehensive cybersecurity risk assessment
Design products with security by default and by design
Implement vulnerability handling process
Provide security updates for at least 5 years (or product lifetime)
Report actively exploited vulnerabilities to ENISA within 24 hours
Create and maintain detailed technical documentation
Conformity assessment: Self-assessment IF applying harmonized standards, otherwise third-party assessment required
Affix CE marking
Provide Software Bill of Materials (SBOM)
Coordinate disclosure with vulnerability reporters

Plus detailed guidance on:

Need Help Achieving Compliance?

Get Your CRA GAP Analysis

Understand exactly what you need to do to achieve compliance.

Our experts will:

✓ Review your current security posture

✓ Identify gaps vs. CRA requirements

✓ Provide prioritized remediation roadmap

✓ Estimate timeline and resources needed

Automate CRA Security Testing

Bunkai provides continuous IoT security testing aligned with CRA requirements.

Platform features:

✓ Automated vulnerability scanning

✓ Firmware analysis & SBOM generation

✓ Compliance evidence collection

✓ Continuous monitoring & updates

Frequently Asked Questions (FAQ)

Is this really free? What's the catch?

Yes, completely free. No credit card, no email required. ScopeCheck is developed as part of EU-funded research (CRACoWi project, Grant Agreement No. 101158539) to help the industry understand CRA requirements. We offer paid services (GAP analysis, testing platform), and the Bunkai platform for companies that need implementation help, but the assessment tool is always free.

How accurate is this assessment?

ScopeCheck is based on the official CRA regulation text and informed by expert interpretation developed through the CRACoWi research consortium. However, it provides guidance, not legal advice. For definitive compliance decisions, consult with legal counsel or notified bodies.

Do you collect or store my product information?

No. Your assessment runs entirely in your browser. We don’t collect, store, or transmit your answers or results. You can save the results for your own records

What if my product is borderline--could go either way?

The tool will indicate uncertainty and provide guidance on both scenarios. We recommend booking a GAP analysis consultation for borderline cases where the stakes are high.

Does this cover the EU AI Act or other regulations?

Currently, ScopeCheck focuses exclusively on the Cyber Resilience Act. If your product involves AI, you may need a separate assessment for the AI Act. Contact us for multi-regulation compliance consulting.

Can I use this for multiple products?

Yes! Run as many assessments as you need. You can save each report to keep organized records for your product portfolio.

What happens after I complete the assessment?

You’ll see your results immediately. We’ll also show you optional next steps (GAP analysis, Bunkai demo) if you want professional support—but there’s no pressure or follow-up emails.

Ready to Understand Your CRA Obligations?

Get clarity in 5 minutes—no strings attached.

Co-funded by the European Union
The project funded under Grant Agreement No. 101158539 is supported by the European Cybersecurity Competence Centre.

The views and opinions expressed are, however, those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the granting authority can be held responsible for them.

SevenShift develops Bunkai and ScopeCheck as part of the CRACoWi project