Free CRA tool
SME Cyber Resilience Maturity Assessment
A structured self-check for SMEs that make products with digital elements. Rate your current practice across 25 questions in five domains, and see a maturity score, a domain-by-domain breakdown and a tailored improvement checklist aligned to the EU Cyber Resilience Act. No signup. Nothing is stored on our servers.
Just need to check your vulnerability disclosure and Article 14 reporting process? Take the CVD readiness check.
- Governance & documentation
- Risk management, security-by-design & default
- Vulnerability & patch management
- Product lifecycle management
- Awareness, competence & skills
1.Governance & Documentation
0 / 52.Risk Management & Security-by-Design & Default
0 / 53.Vulnerability & Patch Management
0 / 54.Product Lifecycle Management
0 / 55.Awareness, Competence & Skills
0 / 5Questions
What is the SME Cyber Resilience Maturity Assessment?
It is a structured self-check for micro, small and medium-sized enterprises to evaluate their product cybersecurity practices against the expectations of the EU Cyber Resilience Act. You rate 25 practices across five domains on a five-level maturity scale, from Initial to Optimised, and receive an overall score, a per-domain breakdown and a prioritised improvement checklist.
Who is this tool for?
It is primarily aimed at organisations that manufacture and place products with digital elements on the EU market, since those are directly subject to CRA requirements. Integrators, distributors and service providers involved in the product lifecycle can also use it to assess and improve their product security practices.
How is the maturity score calculated?
Each of the 25 questions is scored from 1 (Initial) to 5 (Optimised) based on the description that best matches your current practice. Each domain average is the mean of its five questions, and the overall score is the mean across all answered questions. Scores of 1 or 2 are flagged as needing work, 3 as moderate and 4 or 5 as good. The overall score maps to a Basic, Intermediate or Advanced maturity band.
Is my data stored?
No. The assessment runs entirely in your browser. Your answers are saved to your own browser's local storage so you can return to them, and nothing is sent to or stored on our servers. Use Copy summary or Print / PDF to keep a record.
Does completing this make my products CRA compliant?
No. This is an indicative maturity check to orient your improvement work. CRA conformity requires documented evidence: a per-product risk assessment, closure of the Annex I essential requirements, the Annex VII technical documentation, vulnerability handling, an EU Declaration of Conformity and CE marking. The assessment helps you see where your practices stand before you build that evidence.
Based on the SME Cyber Resilience Maturity Assessment Model (published July 2026). This tool is provided for guidance only and does not constitute legal advice or a determination of CRA conformity.