
Become Compliant

This page offers a structured work plan, essential documents and expert recommendations to support compliance with the Cyber Resilience Act. It includes sample templates and forms to streamline adherence to the regulatory requirements.

Documents

CRA TO DO List

Manage CRA compliance as a project: define milestones, owners, and a schedule. Here you can download a file containing a list of action items for planning and managing a CRA compliance program.

Declaration of Conformity (DoC)

1. Product Identification

  • Product Name:

  • Model/Version Number:

  • Category:

  • Batch/Serial Number:

2. Manufacturer Information

  • Manufacturer Name:

  • Registered Address:

  • Contact Information:

3. Regulatory Reference

This declaration of conformity is issued under the sole responsibility of <> in accordance with:

  • Regulation (EU) YYYY/N on the Cyber Resilience Act (CRA)

4. Standards and Compliance Measures

The <> complies with essential CRA requirements through alignment with the following standards:

  • ETSI EN 303 645: Cybersecurity for Consumer Internet of Things.

Compliance is further validated through internal security testing and third-party assessments.

5. Product Testing and Assessment

This product has been tested for compliance by the following organization:

  • Testing Body:

  • Reference Number:

The evaluation included:

  • Secure by Design principles validation.

  • Risk-based assessment of cybersecurity controls.

6. Supply Chain Assurance
<Fill in the name of the supplier> affirms that the product's supply chain meets CRA requirements by:

  • Conducting third-party vendor security assessments.

  • Incorporating CRA-compliant clauses in supply agreements.

  • Maintaining an active vulnerability disclosure program, accessible at <>/disclosure-policy.

7. Declaration
We, <name>, declare that the <> meets all essential cybersecurity and data protection requirements outlined in the CRA. This declaration is supported by the appropriate technical documentation.

8. Signature

  • Authorized Signatory:

  • Position:

  • Date:

  • Place:

  • Signature: (Insert Manual or Digital Signature Here)

Additional notes

  • Attach a Technical Documentation File (TDF), including a risk assessment summary and mitigation measures.

  • Ensure the DoC and TDF remain accessible for a minimum of 10 years post-market release.

A Declaration of Conformity (DoC) helps organizations demonstrate compliance with the Cyber Resilience Act (CRA) by serving as official proof that their product meets its cybersecurity requirements. If the product falls into the category of non-critical products, you are responsible for conducting this mandatory conformity assessment yourself. This includes identifying and documenting any potential risks associated with the product's use. You can download the official EU document here.

For your convenience, we have developed a more comprehensive version to support you throughout the process.

CRA Essentials for Supply Chain Partners

1. General Compliance

  • The Partner shall adhere to all applicable laws, regulations, and standards, including the Cyber Resilience Act (CRA) and associated harmonized standards, such as ETSI EN 303 645.

  • The Partner shall demonstrate ongoing compliance through documented evidence and certifications as required by regulatory authorities.

2. Secure Development and Production

  • The Partner agrees to adopt secure-by-design principles throughout the development and production processes, including:

    • Ensuring unique, non-default credentials for components.

    • Applying encryption to protect sensitive data in transit and at rest.

    • Reducing unnecessary functionality to minimize attack surfaces.

3. Cybersecurity Risk Management

  • The Partner shall implement a cybersecurity risk management framework, including regular assessments of potential threats and vulnerabilities within the supply chain.

  • The Partner agrees to report identified risks and collaborate with the Buyer to mitigate them effectively.

4. Vulnerability Management

  • The Partner shall:

    • Conduct regular vulnerability testing on supplied components or software.

    • Notify the Buyer within 48 hours of identifying vulnerabilities that could impact compliance or security.

    • Address critical vulnerabilities within an agreed timeframe (e.g., 15 business days).

5. Software Bill of Materials (SBOM)

  • The Partner shall provide an SBOM for each supplied component, detailing:

    • A list of software components, versions, and origins.

    • Known vulnerabilities linked to any component or library included.

  • The SBOM must be updated as components are modified or updated during the lifecycle of the product.

6. Incident Reporting and Response

  • The Partner agrees to notify the Buyer of any actual or suspected cybersecurity incidents within 24 hours of detection.

  • A root cause analysis and remediation plan must be submitted within five (5) business days of the incident notification.

7. Third-Party Compliance

  • The Partner shall ensure that any subcontractors or third parties engaged comply with CRA-aligned security requirements.

  • The Partner agrees to flow down these security obligations to all relevant third parties and provide proof of compliance upon request.

8. Documentation and Technical Files

  • The Partner shall maintain and provide the following documentation:

    • Evidence of compliance with harmonized standards and CRA requirements.

    • Certificates from accredited testing laboratories as applicable.

    • Vulnerability reports, testing results, and declarations of conformity.

9. Audit and Assessment Rights

  • The Buyer reserves the right to perform cybersecurity audits and assessments of the Partner’s processes and components to verify compliance with CRA requirements.

  • The Partner agrees to accommodate such audits within reasonable notice and provide all necessary records.

10. Security Training

  • The Partner shall ensure that all personnel involved in the design, production, or maintenance of components receive adequate training on cybersecurity practices and CRA requirements.

11. Termination for Non-Compliance

  • The Buyer may terminate the agreement if the Partner fails to meet the CRA-aligned security requirements and does not resolve identified issues within 30 business days of notice.

12. Indemnification and Liability

  • The Partner agrees to indemnify and hold the Buyer harmless for any losses, damages, or penalties resulting from non-compliance with CRA-aligned requirements or cybersecurity incidents originating from the Partner’s components.

Signature Section
By signing below, both parties agree to the terms and conditions set forth in this agreement:

Partner:
Name: ____________________
Title: ____________________
Date: ____________________

Buyer:
Name: ____________________
Title: ____________________
Date: ____________________

This document provides sample contractual clauses to help supply chain partners comply with the Cyber Resilience Act (CRA). These clauses are designed to promote shared responsibility for cybersecurity and support the creation of a secure and resilient digital product ecosystem. This document serves as guidance to support alignment with the requirements of the Cyber Resilience Act. Read more here.

Vulnerability Management

Vulnerability Disclosure Document

Overview

  • Brief Vulnerability Description: (try to keep it to 1-2 sentences)

Vulnerability ID

  • CVE ID for this Vulnerability:

  • Any other IDs (vendor tracking ID, bug tracker ID, CERT ID, etc.):

Description

  • Software/Product(s) containing the vulnerability:

  • Version number of vulnerable software/product:

  • Product Vendor:

  • Type of Vulnerability, if known: (see MITRE's CWE site for list of common types of vulnerabilities)

  • Vulnerability Description:

  • How may an attacker exploit this vulnerability? (Proof of Concept):

Impact

  • What is the impact of exploiting this vulnerability? (What does an attacker gain that the attacker didn't have before?)

CVSS Score

  • CVSS:3.0/AV:?/AC:?/PR:?/UI:?/S:?/C:?/I:?/A:? -- 0.0 (LOW/MEDIUM/HIGH/CRITICAL)

  • Provide the full CVSS vector, not only the score. If possible, provide guidance on the temporal and environmental metrics, not only the base metrics. See https://www.first.org/cvss/

Resolution

  • Version containing the fix:

  • URL or contact information to obtain the fix:

  • Alternatively, if no fix is available, list workaround or mitigation advice below:

Reporter

This vulnerability was reported/discovered by _____________.

Author and/or Contact Info

For more information or questions, please contact:

  • Name:

  • Organization:

  • Email:

  • PGP Public Key (ASCII Armored or a URL):

Disclosure Timeline

  • Date of First Vendor Contact Attempt:

  • Date of Vendor Response:

  • Date of Patch Release:

  • Disclosure Date:

The CRA requires manufacturers to remain responsible for the cybersecurity of a product throughout its lifecycle, so a manufacturer must maintain a vulnerability management program, including a disclosure policy. On this page you will find a vulnerability disclosure policy template for handling disclosures internally, and a security advisory template for what you publish to your customers. Read more here.

Here you can find the CERT Coordination Center (CERT/CC) basic vulnerability advisory template.

Gap Analysis 

Instructions

  1. Answer each question with "Yes," "No," or "Partial."

  2. Add details for any "No" or "Partial" responses, specifying the reason and potential actions.

  3. Use the summary to prioritize corrective actions and prepare compliance documentation.

Section 1: Product Compliance

  1. Secure by Design

    • Have you implemented secure-by-design principles in the product development lifecycle?

    • Is encryption used to secure sensitive data in transit and at rest?

    • Are default credentials (e.g., passwords) prohibited?

  2. Vulnerability Management

    • Is there a process for identifying and patching vulnerabilities post-launch?

    • Do you maintain a vulnerability disclosure program?

  3. Data Protection

    • Does the product comply with GDPR or equivalent privacy requirements?

    • Are users clearly informed about data processing activities?

Section 2: Processes

  1. Development Practices

    • Have your teams received training on secure coding and CRA compliance?

    • Do you perform regular security testing, including penetration tests?

  2. Risk Management

    • Is a risk assessment carried out for all product features and functionalities?

    • Are third-party software components monitored for risks?

Section 3: Supply Chain Security

  1. Vendor Agreements

    • Do your contracts with suppliers and third parties include cybersecurity requirements?

    • Are supply chain audits conducted regularly?

  2. Software Bill of Materials (SBOM)

    • Do you create and maintain SBOMs for your products?

    • Are SBOMs shared securely with relevant stakeholders?

Section 4: Documentation

  • Technical File Readiness

    • Have you compiled all required compliance documentation?

    • Does it include testing certificates, vulnerability reports, and a declaration of conformity?

Assessment Summary

  • Number of “Yes” Answers: ___

  • Number of “Partial” Answers: ___

  • Number of “No” Answers: ___

Action Plan

  • For all "No" or "Partial" answers, list the specific gap, suggested resolution, and timeline:

    • Gap Identified

    • Proposed Action

    • Responsible Team

    • Timeline

Outcome and Reporting

Use this analysis to track progress and prepare for a compliance audit. Submit the completed assessment to your compliance lead for review and next steps.

This self-assessment tool helps IoT device manufacturers identify compliance gaps with the Cyber Resilience Act (CRA). The tool provides a structured evaluation of products, processes, and supply chain elements against CRA requirements, enabling targeted improvement actions. This document serves as guidance to support alignment with the requirements of the Cyber Resilience Act.
