CRA Annex I Compliance Checklist

All 14 essential requirements from Annex I of the EU Cyber Resilience Act, broken down into 39 actionable checks.

Part I: Security Requirements

Security by Design

Annex I, Part I, (1)

3 checks

Products shall be designed, developed, and produced to ensure an appropriate level of cybersecurity based on the risks.

No Known Exploitable Vulnerabilities

Annex I, Part I, (2)

3 checks

Products shall be delivered without known exploitable vulnerabilities.

Secure Default Configuration

Annex I, Part I, (3)

3 checks

Products shall be delivered with a secure-by-default configuration, including the possibility to reset the product to its original state.

Protection Against Unauthorized Access

Annex I, Part I, (4)

3 checks

Products shall protect the confidentiality and integrity of data, including personal data, and allow only authorized access.

Minimize Attack Surface

Annex I, Part I, (5)

3 checks

Products shall minimize their attack surfaces, including external interfaces.

Mitigate Exploitation Impact

Annex I, Part I, (6)

3 checks

Products shall be designed to mitigate the impact of a successful exploitation of a vulnerability.

Logging & Monitoring

Annex I, Part I, (7)

2 checks

Products shall record and/or monitor relevant internal activity, including access to data and security-relevant events.

Secure Update Mechanism

Annex I, Part I, (8)

4 checks

Products shall ensure that vulnerabilities can be addressed through security updates, including automatic updates where feasible.

Part II: Vulnerability Handling Requirements

Identify and Document Vulnerabilities

Annex I, Part II, (1)

3 checks

Manufacturers shall identify and document vulnerabilities and components contained in the product, including by drawing up an SBOM.

Address and Remediate Vulnerabilities

Annex I, Part II, (2)

3 checks

Manufacturers shall address and remediate vulnerabilities without delay, including by providing security updates.

Regular Testing and Review

Annex I, Part II, (3)

2 checks

Manufacturers shall apply effective and regular tests and reviews of the security of the product.

Public Disclosure of Fixed Vulnerabilities

Annex I, Part II, (4)

2 checks

Once a security update is available, manufacturers shall share information about fixed vulnerabilities publicly.

Coordinated Vulnerability Disclosure Policy

Annex I, Part II, (5)

2 checks

Manufacturers shall put in place and enforce a policy on coordinated vulnerability disclosure.

Vulnerability Reporting to Authorities

Article 14

3 checks

Manufacturers shall report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours, with follow-up within 72 hours.

Disclaimer: This checklist is based on the published text of the CRA (Regulation (EU) 2024/2847). Harmonized standards are still being finalized. It does not constitute legal advice; consult qualified legal counsel for definitive compliance guidance.