CRAdarCheck

Guides

The CRA compliance checklist for indie developers and small teams

Every obligation of the EU Cyber Resilience Act translated into concrete engineering tasks, ordered by effort-to-impact. What to do this quarter, before Sept 2026, and before Dec 2027.

Updated 2026-07-02

Why this list exists

The CRA is 100+ pages of regulation. For a small software team, the actionable core fits on one page. This is that page — each item mapped to the article that requires it, ordered so the cheap, high-value work happens first.

Time budget honesty: a default-class product with a modern build pipeline can get from zero to 'defensible' in roughly one to two weeks of part-time work. The items below add up to that.

Do this week (each under an hour)

  • Publish a security.txt at /.well-known/security.txt with a working contact (Annex I Part II(6)). Use our free generator.
  • Publish a coordinated vulnerability disclosure policy — SECURITY.md in the repo plus a page on your site (Annex I Part II(5)). Also generatable in minutes.
  • Add SBOM generation to your CI: syft or cdxgen emitting CycloneDX JSON on every release, stored as a build artifact (Annex I Part II(1)).
  • Turn on dependency vulnerability alerts (GitHub Dependabot/OSV-Scanner in CI) so 'we didn't know' never happens (Annex I Part II(2)).

Do this quarter

  • Write down your incident reporting process: who detects, who decides it's 'actively exploited', who files, who is backup. One page. Rehearse it once — the 24-hour clock is unforgiving (Art. 14).
  • Run a lightweight threat model of your product and write the outcome into a risk assessment doc (Art. 13(2)-(3)).
  • Start a technical documentation file: architecture overview, risk assessment, test evidence, SBOM references (Art. 31 + Annex VII). A well-kept folder beats a fancy tool.
  • Define and publish your support period per product — the default expectation is at least 5 years (Art. 13(8)).
  • Audit your update channel: are updates signed? Can you ship a security-only fix without bundling features? Free of charge? (Annex I Part I(2)(c), Part II(7)-(8)).

Before 11 September 2026

The reporting obligations apply from this date regardless of when the rest of the CRA bites. If an actively exploited vulnerability in your product or a severe incident hits after this date, you must file an early warning within 24 hours via the ENISA Single Reporting Platform, a notification within 72 hours, and a final report after remediation.

  • Register on the ENISA Single Reporting Platform as soon as onboarding opens (ENISA is publishing instructions and dry-run support).
  • Wire your vulnerability monitoring to an alerting channel someone actually reads on weekends.
  • Pre-draft your early-warning template so a 3 a.m. incident starts from 80% done. Our deadline calculator generates one.

Before 11 December 2027

Full application: you may not place non-conforming products on the EU market after this date. For default-class products (most apps, games, plugins, tools) the conformity route is internal control — you self-assess against Annex I, complete the technical file, sign the EU Declaration of Conformity, and affix the CE marking.

  • Complete the Annex I self-assessment and close the gaps it finds.
  • Finalize the technical documentation (Annex VII) — 10-year retention.
  • Issue the EU Declaration of Conformity (Annex V) and apply CE marking rules to your product listing/packaging.
  • Important/critical class (Annex III/IV) products: book a notified body early — capacity in 2027 will be the bottleneck.

What you can safely ignore

Enterprise GRC suites, ISO 27001 certification (helpful, not required), consultants selling 'CRA gap analyses' that produce a PDF of what this page already told you. The CRA asks for engineering hygiene plus paperwork discipline — both automatable, neither requiring a compliance department.

Where do you stand today?

Run the free 3-minute Risk Check: scope verdict, risk class, readiness score, prioritized fixes.

Or get compliance on autopilot at launch:

Educational guidance on Regulation (EU) 2024/2847 — not legal advice.