Free CRA tool

SME Cyber Resilience Maturity Assessment

A structured self-check for SMEs that make products with digital elements. Rate your current practice across 25 questions in five domains, and see a maturity score, a domain-by-domain breakdown and a tailored improvement checklist aligned to the EU Cyber Resilience Act. No signup. Nothing is stored on our servers.

Just need to check your vulnerability disclosure and Article 14 reporting process? Take the CVD readiness check.

  • Governance & documentation
  • Risk management, security-by-design & default
  • Vulnerability & patch management
  • Product lifecycle management
  • Awareness, competence & skills
Progress
0 / 25 answered
Overall

1.Governance & Documentation

0 / 5
1.1Do you have written and approved product security policies?

Supported by CRA Portal· Free

1.2Are roles and responsibilities clearly defined for product security activities (e.g. development, vulnerability management, updates)?

Supported by CRA Portal· Reporting

1.3Do you maintain product-level technical documentation describing implemented security features, risk assessments, design decisions and update procedures?

Supported by CRA Portal· Compliance

1.4Is there a process to regularly review product security and the quality of related documentation?

Supported by CRA Portal· Reporting

1.5Are you aware of the Market Surveillance Authority responsible for enforcing the CRA, the conformity assessment procedure applicable to your products, and how to interact with relevant authorities if needed?

Supported by CRA Portal· Free

2.Risk Management & Security-by-Design & Default

0 / 5
2.1Do you perform cybersecurity risk assessments and use the results to guide product design, development, configuration and component management decisions?

Supported by CRA Portal· Compliance

2.2Are products designed using security-by-design principles from the outset?

Supported by CRA Portal· Compliance

2.3Are products delivered with secure-by-default configurations and settings?

Supported by CRA Portal· Compliance

2.4Do you perform security checks and testing before releasing or updating a product, and to what extent are automated tools used?

Supported by CRA Portal· Free

2.5When risks change or new threats emerge, are risk assessments, configurations and third-party components reviewed and updated?

Supported by CRA Portal· Reporting

3.Vulnerability & Patch Management

0 / 5
3.1Do you have a process to receive, acknowledge, record and track vulnerabilities reported by customers, researchers or internal staff?

Supported by CRA Portal· Free

3.2Do you have a defined process for creating, testing, delivering and communicating security updates to customers for supported products?

Supported by CRA Portal· Reporting

3.3Do you maintain and use a SBOM to support vulnerability and dependency management?

Supported by CRA Portal· Reporting

3.4Are vulnerabilities and updates prioritized based on risk, potential impact?

Supported by CRA Portal· Reporting

3.5Do you verify that security updates effectively resolve reported vulnerabilities and maintain evidence of this verification?

Supported by CRA Portal· Reporting

4.Product Lifecycle Management

0 / 5
4.1Is there a defined approach to managing product security during the operational phase?

Supported by CRA Portal· Reporting

4.2Is the product lifecycle management actively managed, including defined support periods, update responsibilities, end-of-life arrangements and communication with customers?

Supported by CRA Portal· Compliance

4.3Is experience from product operation, post-incident reviews and customer input used to improve products over time?

Supported by CRA Portal· Reporting

4.4Is there a structured and tested way to address identified product security issues?

Supported by CRA Portal· Reporting

4.5Are products monitored during operation to identify security risks, vulnerabilities and emerging threats?

Supported by CRA Portal· Reporting

5.Awareness, Competence & Skills

0 / 5
5.1Are sufficient skills available to design, develop and maintain products in a secure way, including through external expertise where internal capacity is limited?

Organisational practice, not covered by the platform

5.2Do relevant staff receive appropriate training on cybersecurity practices relevant to their roles, including product risk management, vulnerability management, and security-by-design?

Organisational practice, not covered by the platform

5.3Does the organisation promote a culture of responsible product development, open reporting and awareness of product risks?

Organisational practice, not covered by the platform

5.4Do you follow relevant external product security information (e.g. advisories, alerts)?

Supported by CRA Portal· Reporting

5.5Do you assess and validate that your team has the required skills and competence to maintain secure products?

Organisational practice, not covered by the platform

Questions

What is the SME Cyber Resilience Maturity Assessment?

It is a structured self-check for micro, small and medium-sized enterprises to evaluate their product cybersecurity practices against the expectations of the EU Cyber Resilience Act. You rate 25 practices across five domains on a five-level maturity scale, from Initial to Optimised, and receive an overall score, a per-domain breakdown and a prioritised improvement checklist.

Who is this tool for?

It is primarily aimed at organisations that manufacture and place products with digital elements on the EU market, since those are directly subject to CRA requirements. Integrators, distributors and service providers involved in the product lifecycle can also use it to assess and improve their product security practices.

How is the maturity score calculated?

Each of the 25 questions is scored from 1 (Initial) to 5 (Optimised) based on the description that best matches your current practice. Each domain average is the mean of its five questions, and the overall score is the mean across all answered questions. Scores of 1 or 2 are flagged as needing work, 3 as moderate and 4 or 5 as good. The overall score maps to a Basic, Intermediate or Advanced maturity band.

Is my data stored?

No. The assessment runs entirely in your browser. Your answers are saved to your own browser's local storage so you can return to them, and nothing is sent to or stored on our servers. Use Copy summary or Print / PDF to keep a record.

Does completing this make my products CRA compliant?

No. This is an indicative maturity check to orient your improvement work. CRA conformity requires documented evidence: a per-product risk assessment, closure of the Annex I essential requirements, the Annex VII technical documentation, vulnerability handling, an EU Declaration of Conformity and CE marking. The assessment helps you see where your practices stand before you build that evidence.

Based on the SME Cyber Resilience Maturity Assessment Model (published July 2026). This tool is provided for guidance only and does not constitute legal advice or a determination of CRA conformity.