EU Cyber Resilience Act Readiness: Key Steps to Meet the 2027 Deadline

With the December 2027 deadline approaching, it’s crucial to act now. Here’s a concise checklist to guide your readiness.

1. Classify Your Products

Identify which products are “default” or “critical.” Critical ones need third-party conformity assessments. Keep an updated product inventory.

2. Maintain Technical Documentation

Create risk assessments, threat models, and secure design records. Continuously update Software Bills of Materials (SBOMs), track patches, and securely retain all documentation for 10 years.

3. Set Up Vulnerability Handling

Implement workflows to manage vulnerabilities, set patch timelines, log disclosures and fixes, and notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability.

4. Update User Documentation

Provide clear, localized secure usage instructions and clarify customer security responsibilities.

5. Revise Contracts and Supply Chains

Add CRA-aligned cybersecurity clauses, require supplier SBOMs and vulnerability disclosures, and audit high-risk vendors.

6. Prepare for CE Marking

Align development and security processes with CE requirements, and budget time and resources for conformity assessments.

7. Leverage Existing Compliance Efforts

Extend GDPR, DORA, and NIS 2 risk assessments and share cross-functional responsibilities where possible.

8. Build Continuous Monitoring

Use tools to track threats, keep SBOMs current, and assign post-market monitoring duties.

Why Many Struggle

Unfinalized standards, immature security practices, limited CE assessment capacity, unclear national rules, underestimated costs, and M&A complexities create hurdles for many organizations.

What CRA Means for Teams

  • Security must be integrated from design through delivery.

  • SBOMs are mandatory and require ongoing updates.

  • Vulnerability management is continuous, with strict reporting timelines.

  • Supply chain security is your responsibility.

  • Product lifecycle security, including end-of-life planning, is essential.

The Cyber Resilience Act will soon be law. Compliance is mandatory; get ready now.