Work through the CRA, step by step

The CRA Portal takes you across the whole Cyber Resilience Act, from classifying a product to CE marking, and keeps vulnerability handling in the same place. Here is how the compliance journey fits together.

1

Classify your product

Answer the Annex III and Annex IV classification questions to place your product in the right class and derive its Article 32 conformity assessment route.

  • Default, Important (Class I / II), or Critical
  • Self-assessment (Module A) vs a notified-body route
  • The decision and its basis are recorded for your technical file
2

Run the cybersecurity risk assessment

Work through a structured STRIDE assessment across your assets and data flows, then score and treat each risk.

  • Extract assets and threats from your product description
  • Likelihood and impact scoring with a defined risk criteria scale
  • Residual risk and treatment decisions captured as evidence
3

Close the Annex I gaps

Track your position against the Annex I essential requirements and drive the gap analysis to remediation.

  • The essential cybersecurity requirements and the vulnerability-handling requirements
  • Per-requirement applicability, status, owner and evidence
  • A live gap panel shows what is still outstanding
4

Produce the technical file and Declaration of Conformity

Generate the technical documentation index and a draft EU Declaration of Conformity from the work you have done, ready for CE marking.

  • Annex VII technical documentation index
  • Annex V EU Declaration of Conformity draft
  • CE marking guidance, including the notified-body step where your route requires it
  • Point-of-record snapshots retained for the product support period
5

Handle vulnerabilities and Article 14 reporting

Your disclosure portal and the CRA reporting obligations run in the same workspace, so the operational duty is covered alongside the conformity work.

  • Branded vulnerability disclosure portal for researchers
  • 24h early warning, 72h notification and the final report to ENISA and your CSIRT
  • Enterprise gets pre-filled ENISA reports, Free and Reporting use the guided workflow

Why the CRA Portal?

The EU Cyber Resilience Act asks manufacturers of products with digital elements to classify their products, assess cybersecurity risk, meet the Annex I requirements and document conformity. The CRA Portal turns that into a guided workflow so small and medium manufacturers can get there without building their own tooling.

22
Annex I requirements tracked
Sep 2026
Article 14 reporting duty
Dec 2027
Full conformity and CE marking