
Your Software's Journey to CRA Conformity: A Step-by-Step Overview

Navigating the Cyber Resilience Act for your software, app, or game might seem daunting, but it's a structured journey. Here’s a high-level roadmap to get your product compliant, focusing on products eligible for self-assessment:

  1. Determine Your Role: First, confirm you are a 'manufacturer' under the CRA (Article 3(13) of the CRA legal text). If you develop and market software commercially, you likely are.
  2. Scope Your Product: Ensure your software is a 'Product with Digital Elements' (PDE) as defined (Article 3(1) of the CRA legal text).
  3. Cybersecurity Risk Assessment: Conduct and document a thorough cybersecurity risk assessment specific to your software (Article 13(2), (3) of the CRA legal text).
  4. Meet Essential Requirements (Annex I of the CRA legal text):
    • Product Properties (Part I): Design and develop your software to meet these security standards (e.g., secure by default, data protection, no known exploitable vulnerabilities at launch).
    • Vulnerability Handling (Part II): Establish and document robust processes for ongoing vulnerability management (e.g., a machine-readable SBOM covering at least your top-level dependencies, a coordinated vulnerability disclosure policy, and security updates delivered without delay and free of charge).
  5. Compile Technical Documentation (Annex VII of the CRA legal text): Gather all evidence of your risk assessment, design choices, how you meet Annex I, your vulnerability handling processes, test reports, etc. (Article 31 of the CRA legal text).
  6. Perform Conformity Assessment (Self-Assessment for most software): For software that is not an 'important' or 'critical' product under Annexes III and IV, conduct the internal control procedure (Module A, Annex VIII of the CRA legal text) to verify compliance (Article 32(1) of the CRA legal text).
  7. Draw up EU Declaration of Conformity (DoC) (Annex V of the CRA legal text): Formally declare that your software product meets the CRA requirements (Article 28 of the CRA legal text).
  8. Affix CE Marking: Apply the CE marking as per CRA rules; for software delivered without physical packaging it goes on the EU DoC or on the website accompanying the product (Article 30 of the CRA legal text).
  9. Ongoing Obligations:
    • Vulnerability Management: Actively manage vulnerabilities throughout the defined support period (Article 13(8) of the CRA legal text).
    • Reporting: Notify the single reporting platform of actively exploited vulnerabilities and severe incidents within the Article 14 timelines, starting with an early warning within 24 hours of becoming aware (Article 14 of the CRA legal text).
    • Documentation Upkeep: Keep your technical documentation and DoC updated and available to market surveillance authorities for at least 10 years after placing the product on the market or for the support period, whichever is longer (Article 13(13) of the CRA legal text).
    • User Information: Provide clear user instructions and information on security and support (Annex II of the CRA legal text).

This journey ensures your software is secure by design and remains secure throughout its lifecycle.

Key Takeaway

CRA compliance for your software is a clear, multi-step process: define your role, assess risks, meet essential requirements (product and vulnerability handling), document everything, self-assess, declare conformity, CE mark, and then maintain ongoing vigilance and reporting.