A targeted assessment that determines whether your products fall under the CRA — and exactly what obligations that triggers.
Assess Your CRA Scope

The EU Cyber Resilience Act introduces mandatory cybersecurity requirements for all products with digital elements — from firmware to SaaS, from IoT devices to developer libraries.
The first question every product team needs to answer: are we in scope? And if so, under which category — default, Class I, or Class II? The answer determines your obligations for vulnerability handling, documentation, incident reporting, and CE marking.
Our CRA Scope Assessment gives you a definitive answer — not an opinion — backed by article-level analysis of the regulation.
A clear determination of your CRA obligations, specific to your product portfolio.
Each product mapped to its CRA category — default, Class I, or Class II — with the regulatory rationale documented.
A product-by-product breakdown of required security properties, documentation, and conformity assessment paths.
Assessment of your current vulnerability disclosure and patch management processes against CRA Article 11 requirements.
A phased roadmap aligned to CRA transition periods, so your team knows what to deliver and when.
Focused on your product portfolio. No generic checklists.
We catalog your products with digital elements — hardware, software, firmware, SaaS — and their intended use cases.
Each product is analyzed against CRA annexes and classification criteria to determine its category and obligations.
We compare your current development, documentation, and vulnerability handling processes to CRA requirements.
You receive the Classification Report, Obligation Matrix, and a phased Action Plan — with a live briefing for your product and engineering leads.
Don't wait for enforcement to find out if your products are in scope. Get clarity now.