CRA software checklist
Cyber Resilience Act software checklist for SMEs: product scope, secure development, vulnerability handling, support period, user instructions and technical file.
Direct answer
A CRA software checklist should cover product scope, secure-by-design controls, dependency management, vulnerability handling, incident reporting, support period, security updates, user instructions, conformity route and technical documentation. The checklist should connect engineering work to audit-ready product evidence.
What should be on a CRA software checklist?
- SBOM and dependencies
- Secure release process
- Patch support
| Item | Detail |
|---|---|
| Product type | Software product with digital elements |
| Main evidence | Secure development and vulnerability handling file |
| Deadline | Full application from 2027-12-11 |
Software products in scope should have CRA evidence before full application.
CRA software checklist
Action checklist
- Track components, versions, licences and vulnerability exposure.
- Document testing, code review, security checks and release approval.
- Define support period, update mechanism and customer communication.
Key deadlines
| Date | Requirement | Source |
|---|---|---|
| 2027-12-11 | CRA full application. Software products in scope should have CRA evidence before full application. | European Commission Cyber Resilience Act summary |
30/60/90-day action plan
First 30 days
Confirm scope and assign an owner
Evidence needed: Applicability note, business owner, systems or product list, and source links.
Days 31-60
Close the evidence gaps
Evidence needed: Policies, supplier records, data maps, technical notes, training records, or process owners.
Days 61-90
Prepare for audit or customer review
Evidence needed: Versioned compliance file, action log, exception register, and next review date.
Evidence to retain
Applicability decision
Shows whether CRA software readiness applies and why the SME made that decision.
Retain: Scope memo, trigger criteria, country notes, owner approval, and review date.
Action owner list
Regulators and enterprise customers expect named accountability, not generic intent.
Retain: Owner, backup owner, due date, status, and unresolved blocker notes.
Evidence folder
The fastest way to answer customer due diligence is a single audit-ready evidence file.
Retain: Policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
Does SaaS count as CRA software?
CRA scope can be fact-specific for SaaS and remote data processing. SMEs should document the classification instead of assuming exclusion.
What engineering evidence supports CRA readiness?
SBOM, secure SDLC, vulnerability workflow, test evidence, release notes, support policy and user security instructions.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.