CRA Readiness Assessment
A 20-question assessment of your organisation's readiness for the EU Cyber Resilience Act September 2026 deadline. Get a readiness score and a prioritised action list.
1. CVD Policy: Do you have a publicly accessible coordinated vulnerability disclosure (CVD) policy?
2. CVD Policy: Does your CVD policy include a single, named point of contact (email or portal)?
3. CVD Policy: Does your CVD policy include a safe harbour statement for good-faith researchers?
4. CVD Policy: Is your CVD policy linked from your product documentation or website?
5. 48h Acknowledgment: Can your team acknowledge vulnerability reports within 48 hours?
6. 48h Acknowledgment: Do you have a process to receive and triage reports outside business hours?
7. 48h Acknowledgment: Do you maintain an audit trail of all received vulnerability reports?
8. Article 14 Reporting: Does your team know what triggers an Article 14 notification to ENISA?
9. Article 14 Reporting: Do you have a documented process for submitting early warnings within 24 hours?
10. Article 14 Reporting: Do you know which national CSIRT or ENISA platform to submit Article 14 notifications to?
11. Article 14 Reporting: Can you produce a CVSS severity score during triage?
12. Supply Chain: Do you maintain a Software Bill of Materials (SBOM) for your products?
13. Supply Chain: Do you monitor CVE feeds for vulnerabilities in components you use?
14. Supply Chain: Do you have a process for coordinating with upstream vendors when a third-party component is affected?
15. Advisories & CSAF: Do you publish security advisories when you release patches for vulnerabilities?
16. Advisories & CSAF: Do your advisories include CVE identifiers?
17. Advisories & CSAF: Are your advisories published in CSAF 2.0 format (machine-readable)?
18. General Readiness: Has your security team reviewed the CRA Article 13 and 14 requirements?
19. General Readiness: Do you have a security.txt file published at /.well-known/security.txt?
20. General Readiness: Have you tested your vulnerability disclosure process with a mock report?
Frequently asked
What does this assessment cover?
The assessment covers the five core CRA vulnerability handling obligations: coordinated disclosure policy, single point of contact, 48-hour acknowledgment capability, Article 14 reporting process, and SBOM/supply chain tracking. Each maps to specific CRA articles.
How accurate is the readiness score?
The score gives a directional indication based on your self-reported answers. It is not a formal audit or legal compliance certification. Use it to identify gaps and prioritise remediation — not as evidence of compliance.
What happens after I complete the assessment?
You receive a score, a breakdown by CRA obligation area, and specific recommendations. You can sign up for CVD Portal to address the gaps identified — the free tier handles the September 2026 obligations.
How often should I re-run the assessment?
Run it quarterly as you build out your compliance programme, and again before the September 2026 deadline. The assessment takes about 5 minutes.
Ready to automate your CVD programme?
CVD Portal integrates all these tools and handles your Article 13 and 14 obligations automatically.