Free Diagnostic Β· No Obligation

Are you ready for the
Cyber Resilience Act?

4 steps, 5 minutes. Identify your obligations, measure your maturity, and get a personalized action plan β€” instantly.

⏱ ~5 min
πŸ“‹ 4 steps
πŸ”’ Local data
πŸ‡ͺπŸ‡Ί EU Reg. 2024/2847
βœ… 100% free
01
Step 1 of 4

Your market role

What is your role for this product? Art. 3 Β§13-15
The CRA distinguishes 3 roles with very different obligations. Choose the role that matches this specific product β€” the same company may have multiple roles across its product lines.

Tip: if you have the product designed and sell it under your brand, you are a Manufacturer, even without a factory.
⚠️ Please select your role to continue.
1 / 4
02
Step 2 of 4

Product scope

Can the product connect to a network or device? Art. 3 Β§1
A "Product with Digital Elements" (PDE) is any software or hardware capable of connecting β€” even occasionally β€” via Wi-Fi, Bluetooth, Ethernet, USB, cloud API, etc.

βœ… YES: smartwatch, IP camera, mobile app with back-end, IoT sensor, SaaS API
❌ NO: static PDF document, 100% offline software with no network interface
Does the product fall under sectoral regulation? Art. 2 Β§2
Certain sectors are fully or partially excluded from the CRA in favour of sector-specific rules.
Examples: MDR / IVDR (medical) Β· EASA (aviation) Β· Vehicle type-approval Β· Defence equipment
What is the risk class of the product? Art. 7 & Ann. III-IV
The class determines the required certification level. If in doubt, choose "Default class".

Class I: residential gateways, web browsers, antivirus, password managers, VPNs, wearables
Class II: industrial OS, secure microprocessors, smart cards, TPMs, critical industrial routers
Default: all others β€” smart TVs, connected toys, consumer applications…
⚠️ Please answer all questions above.
2 / 4
03
Step 3 of 4

Life cycle & support

Is the software non-commercial open source? Art. 3 Β§14a
Open source software developed entirely outside any commercial activity (volunteer contributions, hobby projects) is excluded from the CRA.
Caution: paid support, SaaS, or a component embedded in a sold product = CRA applies.
Planned support duration Art. 13 Β§8
The CRA requires a defined and published support duration. 5 years minimum is the recommendation for manufacturers. It must be communicated to users before purchase.
1 year 10+ years
3 years
⚠️ Duration less than 5 years β€” justification required.
How are updates deployed? Art. 13 Β§3
The CRA requires that security patches are offered automatically by default, unless the user explicitly opts out.
⚠️ Please answer all questions.
3 / 4
04
Step 4 of 4 β€” Last step!

Your security maturity

Honestly evaluate your current level on each of the 10 key CRA requirements.

Legend: βœ… Done ⚠️ Partial ❌ Not done β€” N/A
⚠️ Please evaluate all requirements.
4 / 4
βœ“
Diagnostic result

Product out of CRA scope

βœ… Not connected β€” CRA not applicable

Your product has no digital connectivity and therefore does not fall within the scope of the Cyber Resilience Act (Art. 2 Β§1 & Art. 3 Β§1).

ℹ️ Monitor over time If the product evolves and gains connectivity (software update, Bluetooth module, cloud API…), it will enter the CRA scope and a compliance programme must be initiated.
Consult our experts β†’
β„Ή
Diagnostic result

Total sectoral exclusion

ℹ️ Full sectoral coverage β€” CRA not applicable

Your product is fully covered by a specific EU sectoral regulation (MDR, EASA, vehicle type-approval…) β€” total exclusion from the CRA (Art. 2 Β§2).

⚠️ Exclusion does not mean no obligations The applicable sectoral regulation may impose equivalent or stricter cybersecurity requirements. A sector-specific analysis remains essential.
Sectoral analysis by our experts β†’
βœ“
Diagnostic result

Non-commercial Open Source

βœ… Non-commercial OSS β€” Outside CRA scope

Open source software developed entirely outside any commercial activity is excluded from the Cyber Resilience Act scope (Art. 3 Β§14a).

⚠️ The commercial boundary is often blurry Paid support, SaaS, or a component embedded in a sold product β€” as soon as any commercial activity is linked to the software, the qualification changes and the CRA may apply. Our experts can clarify your situation.
Clarify your situation β†’