Check your product with digital elements against the EU Cyber Resilience Act (Regulation (EU) 2024/2847) — scope it, classify it (default, important class I/II or critical), audit the essential cybersecurity and vulnerability-handling requirements, pick a conformity-assessment route, and plan the 24-hour / 72-hour / 14-day ENISA vulnerability-reporting timeline. Word + CSV.
Answer each question to determine whether the product falls under the CRA and which class applies. The CRA covers products with digital elements (hardware or software) whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (Art. 2, Art. 3(1)).
Score each requirement: Met = in place and evidenced (100%), Partial = started or undocumented (50%), Not met = absent (0%), N/A = not applicable to this product (excluded from the score). Readiness % is the mean of scored items.
⚠️ Educational estimate only — this is a self-assessment aid based on Regulation (EU) 2024/2847 (Cyber Resilience Act), not legal advice and not a conformity assessment. Checklist items are representative summaries of the Articles and Annex I, not the full legal text. Classification (default / important class I & II / critical) ultimately depends on the implementing acts and Annexes III–IV; reporting goes to the ENISA single reporting platform via your CSIRT. Consult a licensed legal / cybersecurity professional and a notified body where required. Read the consolidated Regulation on EUR-Lex.