CRAReadiness Reg. (EU) 2024/2847
About

An independent read on where you stand under the CRA

CRA Readiness is a screening tool for the EU Cyber Resilience Act — Regulation (EU) 2024/2847. You describe your products; we return a dated position report: whether each product is in scope, its product class, the conformity route it points to, and the incident-reporting duty that starts on 11 September 2026 — with a ready-to-adopt reporting runbook.

What CRA Readiness is

The Cyber Resilience Act is long, cross-referenced, and still settling — the Commission only published draft scope guidance in March 2026, and the harmonised standards that will define "how" won't land until late 2026. Most software and device makers know the CRA exists but can't answer the three questions their customers are starting to ask: Are we in scope? What class are we? And can we actually report a vulnerability in 24 hours?

CRA Readiness answers those three questions for your specific products. It maps your answers against the regulation's text and the Commission's non-binding draft guidance, and produces a position report you can forward — including a section written to answer a customer's procurement questionnaire, and a 24/72/14-hour reporting runbook you can adopt as an internal document.

Who it's for

  • Indie and SME software vendors shipping on-prem, downloadable, or licensed software into the EU.
  • IoT and connected-hardware makers — anything that talks to a network or another device.
  • Development shops and component vendors selling commercial libraries, SDKs, or embedded software that ends up inside someone else's product.
  • Non-EU makers — including UK and US companies — that sell into the EU. The CRA follows the market, not your address; if your product is made available in the EU, it applies, and you may need an authorised representative.

Screening, not a conformity assessment

This is the most important thing to understand about the product. CRA Readiness is a screening. It is not legal advice, and it is not a conformity assessment.

  • It does not audit your product's security, run a technical evaluation, or issue a CE marking.
  • It does not create a lawyer-client or notified-body relationship.
  • The SaaS/RDPS scope boundary and the class edges are genuinely contested and rest on draft guidance that can change. Where your answer sits near one of those edges, the report says so and tells you to verify with counsel or a notified body before you rely on it for a market-access decision.

Think of it as the map you use before you commit to the route — it tells you which questions matter and where you stand today, so the expert conversation you have next is faster and cheaper.

Out of the CRA's scope is not a clean bill of health

If the report says a product is out of scope, that means it is out of scope of the Cyber Resilience Act — and nothing more. It does not mean the product is unregulated, and it never means the product needs no security measures.

Standalone SaaS, for instance, is out of the CRA under the March 2026 guidance — but it can still fall under NIS2, GDPR's security-of-processing duties, sector-specific rules, or a customer's own contractual security requirements. We say this plainly on the report so an out-of-scope result is never mistaken for "you're done."

How we keep it honest

Every position in the report is tied to a citation — the article of Regulation 2024/2847 or the specific point in the Commission's draft guidance it rests on — so you (or your lawyer) can check it in minutes. We date every report and flag the parts of the regime that are still moving: the harmonised standards expected in 2026, and the Single Reporting Platform that the 24-hour clock depends on. When the underlying law or guidance changes, the screening logic changes with it. See the methodology and sources for exactly what we rely on.

Contact

Questions, corrections, or a screening result that doesn't look right? Email [email protected].