CRAdarCheck

Guides

The CRA, translated from regulation-speak into engineering tasks. No fluff, no fear-selling.

The CRA compliance checklist for indie developers and small teams

Every obligation of the EU Cyber Resilience Act translated into concrete engineering tasks, ordered by effort-to-impact. What to do this quarter, before Sept 2026, and before Dec 2027.

Updated 2026-07-02

The minimum viable SBOM for CRA compliance

What the CRA actually requires in an SBOM (less than you fear), which format to pick, and the exact CI commands to generate one per release for npm, Python, Go, Rust, and containers.

Updated 2026-07-02

ENISA reporting: what to have ready before 11 September 2026

From that date, an actively exploited vulnerability starts a 24-hour reporting clock. What triggers it, what each submission contains, and the one-page process that keeps you out of trouble.

Updated 2026-07-02

Who the CRA actually covers: scope, exclusions and edge cases in plain language

Products with digital elements, 'making available on the market', the SaaS boundary, the open-source exemption, bespoke software — the whole scope question, without the legalese.

Updated 2026-07-02

CRA vs NIS2: which EU cybersecurity law applies to you?

The two regimes get confused constantly. One regulates products, the other regulates organizations. Plain-language decision guide with the four cases that trip everyone up.

Updated 2026-07-03

CRA fines explained: what you actually risk, article by article

€15 million headlines are marketing. Here is the actual penalty structure of the Cyber Resilience Act, how market surveillance really escalates, and what gets small vendors in trouble first.

Updated 2026-07-03