Cyber Resilience Act Compliance Checklist for Manufacturers

A practical Cyber Resilience Act compliance checklist for manufacturers: Annex I requirements, conformity assessment, technical documentation, and timelines.

If your team builds, imports, or distributes connected hardware or software sold in the EU, the Cyber Resilience Act compliance checklist for manufacturers below is the operational map you need. Regulation (EU) 2024/2847 entered into force on 10 December 2024 and imposes security obligations across the whole product lifecycle: design, development, placing on the market, and the support period. Two deadlines matter right now: the Article 14 reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the essential requirements and conformity assessment obligations apply from 11 December 2027. Treat this list as the working backlog for your product and security teams.

What the CRA expects of manufacturers

Manufacturers carry the primary obligations under the CRA (Article 13). Before placing a product with digital elements on the EU market, you must carry out a cybersecurity risk assessment, design and build the product to the Annex I essential requirements, ship it without known exploitable vulnerabilities, support it for a defined support period, document it, and report actively exploited vulnerabilities and severe incidents to the CSIRT designated as coordinator and to ENISA through the single reporting platform. Penalties for breaching the essential requirements or the Article 13 and 14 obligations reach €15 million or 2.5% of total worldwide annual turnover, whichever is higher. The checklist below turns those obligations into items you can assign, evidence, and sign off.

The CRA compliance checklist for manufacturers

Work through each block in order. Every item maps to a specific obligation in the regulation.

1. Confirm scope and classify your product

  • Inventory every product with digital elements you place on the EU market, including standalone software, connected devices, and embedded components.
  • Check exclusions: free and open-source software supplied outside a commercial activity, and products already covered by sectoral rules with at least equivalent cybersecurity requirements (for example medical devices, civil aviation and motor vehicles).
  • Classify each product: default, "important" (Annex III, Class I or Class II), or "critical" (Annex IV). The class decides your conformity assessment route.

2. Security by design and by default (Annex I)

  • Deliver products free of known exploitable vulnerabilities on market placement.
  • Enable secure-by-default configuration out of the box.
  • Protect against unauthorized access and minimise the attack surface.
  • Perform and document a cybersecurity risk assessment, and map each Annex I Part I essential requirement to the design decisions and controls that satisfy it.

3. Vulnerability handling and security updates

  • Stand up a vulnerability and security update process with named owners.
  • Publish a contact route for vulnerability reports and define a disclosure policy.
  • Define a support period that reflects the time the product is expected to be in use: at least five years, unless the product is expected to be in use for less. Keep each security update available for at least ten years after it is issued or for the rest of the support period, whichever is longer.

4. Software bill of materials (SBOM)

  • Generate a machine-readable SBOM in a commonly used format (CycloneDX or SPDX) covering at least the top-level dependencies, as Annex I Part II requires; extending it to transitive dependencies makes vulnerability matching far more useful.
  • Version the SBOM with each release and keep it in the technical documentation. It does not have to be published, but market surveillance authorities can request it.

5. CRA conformity assessment

  • For default products: manufacturer self-assessment (internal control, Module A).
  • For important products (Annex III): Class I may self-assess only when the product fully applies harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise, and always for Class II, use a notified body (EU-type examination plus conformity to type, Modules B and C, or full quality assurance, Module H).
  • For critical products (Annex IV): expect a European cybersecurity certification scheme to be mandated by delegated act; until one is, the Class II route applies.
  • Draft and sign the EU declaration of conformity (Annex V) and affix the CE marking before placing the product on the market.

6. CRA technical documentation requirements

  • Assemble the Annex VII technical documentation: product description and intended purpose, the cybersecurity risk assessment, design and development rationale, the vulnerability handling process, the SBOM, the standards or specifications applied, test reports, and a copy of the EU declaration of conformity.
  • Keep it current across the support period; this is living documentation, not a one-time deliverable.
  • Retain it for at least ten years after placing the product on the market or for the support period, whichever is longer, and provide it to market surveillance authorities on request.

7. Vulnerability and incident reporting (Article 14)

  • Connect an internal triage pipeline to the single reporting platform operated by ENISA and rehearse submissions before 11 September 2026. Reports go simultaneously to the CSIRT designated as coordinator and to ENISA.
  • For an actively exploited vulnerability: early warning within 24 hours of becoming aware (indicating, where applicable, the Member States where the product has been made available); vulnerability notification within 72 hours (general information on the product, the nature of the exploit and the vulnerability, corrective or mitigating measures taken and those users can take); final report no later than 14 days after a corrective or mitigating measure is available, including severity and impact.
  • For a severe incident affecting the product's security: early warning within 24 hours (including whether unlawful or malicious acts are suspected); incident notification within 72 hours (nature of the incident, initial assessment, corrective measures); final report within one month after the incident notification.
  • Cross-reference NIS2 reporting where the same event triggers both regimes, so one triage decision feeds both notifications.
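The SBOM item in block 4 and the reporting clock in block 7 meet in practice when an advisory lands: you look up whether the affected component is in a shipped product, decide whether the vulnerability is actively exploited, and start the Article 14 clock from the moment you became aware. The Python below is an added worked example, not code from the original article or from any regulator. It loads a constructed CycloneDX-style SBOM fragment, flags components that cannot be identified unambiguously, matches components against constructed advisories, and computes the 24-hour and 72-hour deadlines for any hit flagged as exploited. The product, library names, versions, advisory identifiers and timestamps are all made up; the CycloneDX field names follow the public schema.

```python
"""Added example: SBOM-driven triage that turns an advisory match into an
Article 14 reporting clock. Not code from the original article; all SBOM
components, advisory identifiers, version ranges and timestamps are constructed.
Standard library only."""
import json
from datetime import datetime, timedelta, timezone

# Constructed SBOM fragment in CycloneDX JSON shape (field names follow the
# public CycloneDX schema; the product and libraries are invented).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 3,
  "metadata": {"component": {"name": "gateway-firmware", "version": "2.4.1"}},
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.2.9",
     "purl": "pkg:generic/libexample-tls@1.2.9"},
    {"type": "library", "name": "example-json", "version": "3.0.0",
     "purl": "pkg:generic/example-json@3.0.0"},
    {"type": "library", "name": "example-mqtt", "version": "0.9.4"}
  ]
}
"""

# Constructed advisories (identifiers are invented, not real CVEs). "affected" is
# an inclusive version range; "exploited" marks active exploitation, which is what
# moves a finding from "patch it" to "report it under Article 14".
ADVISORIES = [
    {"id": "EX-2026-0001", "name": "libexample-tls",
     "affected": ("1.2.0", "1.2.9"), "exploited": True},
    {"id": "EX-2026-0002", "name": "example-json",
     "affected": ("2.0.0", "2.9.9"), "exploited": False},
    {"id": "EX-2026-0003", "name": "example-mqtt",
     "affected": ("0.9.0", "0.9.4"), "exploited": False},
]

# Constructed timestamps: when the manufacturer "becomes aware" (Art. 14(2)) and
# when a corrective measure becomes available (starts the 14-day final-report clock).
AWARE_AT = datetime(2026, 9, 15, 9, 0, tzinfo=timezone.utc)
FIX_AVAILABLE_AT = AWARE_AT + timedelta(days=3)


def parse_version(version):
    """Dotted numeric versions only; real SBOMs need a proper semver/PEP 440 comparator."""
    return tuple(int(part) for part in version.split("."))


def sbom_identification_issues(sbom):
    """Flag components that neither an authority nor a matcher could pin down unambiguously."""
    issues = []
    for comp in sbom.get("components", []):
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                issues.append(f"{comp.get('name', '<unnamed>')}: missing {field}")
    return issues


def match_advisories(sbom, advisories):
    """Return every (component, advisory) pair whose version falls in the affected range."""
    hits = []
    for comp in sbom.get("components", []):
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            low, high = (parse_version(v) for v in adv["affected"])
            if low <= version <= high:
                hits.append({"component": comp["name"], "version": comp["version"],
                             "advisory": adv["id"], "exploited": adv["exploited"]})
    return hits


def article14_clock(aware_at, fix_available_at=None):
    """Deadlines for an actively exploited vulnerability, measured from awareness.
    The final report is due 14 days after a corrective or mitigating measure is
    available, so it can only be scheduled once that date is known."""
    clock = {
        "early_warning_due": (aware_at + timedelta(hours=24)).isoformat(),
        "vulnerability_notification_due": (aware_at + timedelta(hours=72)).isoformat(),
    }
    if fix_available_at is not None:
        clock["final_report_due"] = (fix_available_at + timedelta(days=14)).isoformat()
    return clock


def triage(sbom_json, advisories, aware_at):
    """Split advisory hits into Article 14 reportables and ordinary fixes, with SBOM quality notes."""
    sbom = json.loads(sbom_json)
    product = sbom.get("metadata", {}).get("component", {})
    report = {
        "product": f"{product.get('name')} {product.get('version')}",
        "sbom_version": sbom.get("version"),
        "sbom_issues": sbom_identification_issues(sbom),
        "reportable": [],
        "fix_only": [],
    }
    for hit in match_advisories(sbom, advisories):
        if hit["exploited"]:
            hit.update(article14_clock(aware_at))
            report["reportable"].append(hit)
        else:
            report["fix_only"].append(hit)
    return report


def demo():
    """Run the constructed scenario; a CI job would make the same call per release."""
    return triage(SBOM_JSON, ADVISORIES, AWARE_AT)
```

In the constructed scenario only the TLS library lands in the reportable bucket, the MQTT library is a normal fix, and the JSON library is untouched because its version is outside the advisory range. The missing purl on the MQTT component is exactly the kind of gap that makes an SBOM useless for matching, which is why the check runs before the match. Attaching the awareness timestamp to the hit is deliberate: the deadlines are argued in hours, so the record of when the clock started is evidence you will want in the technical file.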

8. Post-market monitoring

  • Operate a post-market monitoring plan proportional to product risk.
  • Track field vulnerabilities, customer reports, and security telemetry.
  • Feed findings back into design, the SBOM, and the technical file.

Timeline at a glance

  • 11 June 2026 — Chapter IV applies: Member States can begin notifying conformity assessment bodies, so notified bodies are in place ahead of 2027.
  • 11 September 2026 — Article 11/14 vulnerability and incident reporting begins.
  • 11 December 2027 — Essential requirements and conformity assessment generally apply.

Turn the checklist into tracked risk

A static checklist will not survive a market surveillance audit. Convert each open item above into a tracked entry — owner, evidence, target date, residual risk — and review it against the CRA timeline. Our risk register gives manufacturers a structured place to log these obligations alongside their other cyber risks, and you can compare plans on the pricing page long before the September 2026 reporting deadline arrives.

Michael Guiao Michael Guiao founded Resiliently AI and writes Resiliently. He has CISM, CCSP, CISA, and DPO certifications — but let them lapse, because in the age of AI, knowledge is cheap. What matters is judgment, and that comes from eight years of hands-on work at Zurich, Sompo, AXA, and PwC.
