CRA Obligations Checker
Your CRA obligations depend on your role and your product class. Tell us a few things and see exactly what applies to you, what your conformity assessment route is, and what your key dates are. You get a plain-English verdict and a tailored checklist, all on this page.
Not sure you are even in scope? Start with the CRA Scope & Class Checker.
Roles in the CRA
What each role has to do
The CRA assigns a distinct obligation set to each supply-chain role. Here is each in plain English.
Manufacturer
Designs, develops or produces the product and places it on the EU market under their own name or trademark.
Full obligations: risk assessment, essential requirements (Annex I), SBOM, vulnerability handling, CVD, security updates (min. 5 years), conformity assessment (route depends on product class), CE marking, EU Declaration of Conformity, technical documentation, and incident reporting to ENISA SRP from 11 Sep 2026.
Importer
Places on the EU market a product made by a non-EU manufacturer.
Verify the manufacturer has conducted the required conformity assessment, the product is CE marked with an EU DoC, and technical documentation is in place. Affix own contact details. Keep records for 10 years. Do not place non-conformant products on the market. Cooperate on non-compliance.
Distributor
Makes available a product with digital elements already placed on the EU market by a manufacturer or importer.
Verify CE marking and required documentation before making available. Act on known non-compliance: inform the manufacturer or importer, cooperate with authorities, withhold or recall if necessary. Lightest commercial duties.
Open-source software steward
Provides a non-commercial open-source project that manufacturers integrate into commercial products with digital elements.
Article 24 lighter duties: maintain a security policy; cooperate on coordinated vulnerability disclosure (CVD); provide documentation to downstream manufacturers. Cannot be fined under the CRA penalty regime. No conformity assessment, CE marking or EU DoC required.
Why the product class question matters
For manufacturers, the product class is the single biggest variable in your compliance workload. About 90% of products with digital elements fall in the Default class and can self-assess. Important Class I products (Annex III - web browsers, password managers, consumer VPNs, IAM tools, operating systems, container runtimes, PKI software, smart-home security hubs, connected toys, health wearables) may self-assess only if they fully apply the applicable harmonised standards. If those standards are not fully applied, a notified-body assessment is required. (Source: Regulation (EU) 2024/2847, Annex III [1])
Important Class II products (Annex III - firewalls, IDS/IPS systems, tamper-resistant microprocessors and microcontrollers) always require a third-party notified body; self-assessment is never permitted. Critical products in Annex IV (hardware security modules, smartcards, secure elements, smart meter security gateways) face the strictest route: mandatory third-party assessment and a possible EU cybersecurity certificate under an ENISA scheme. (Source: European Commission, CRA summary [2])
The SBOM obligation and the vulnerability and incident reporting duty (Art. 14) apply to all manufacturers regardless of class. The ENISA Single Reporting Platform (SRP) will be the submission point for Art. 14 notifications once reporting obligations start on 11 September 2026. Harmonised standards that define the technical detail of many obligations are still being developed by CEN/CENELEC and are expected before the December 2027 application date. (Source: European Commission, CRA policy page [3])
Standards and implementing acts still in development
Obligations questions people ask
What does a manufacturer have to do under the CRA?
Manufacturers carry the fullest set of CRA obligations. They must: conduct a cybersecurity risk assessment; meet the essential security requirements in Annex I (no known exploitable vulnerabilities, minimal attack surface, authentication, secure defaults, secure update mechanism, and more); produce and maintain a Software Bill of Materials (SBOM); establish a vulnerability handling process and a coordinated vulnerability disclosure (CVD) policy; provide security updates for the product lifetime (at least five years); complete the required conformity assessment for their product class; affix the CE marking; issue an EU Declaration of Conformity; draw up technical documentation; and report actively exploited vulnerabilities and significant incidents to the ENISA Single Reporting Platform once Art. 14 applies from 11 Sep 2026.
What is a Software Bill of Materials (SBOM) and who needs one?
An SBOM is a formal, machine-readable list of all software components in a product - direct dependencies and transitive (indirect) ones - along with version numbers and origin information. All manufacturers of products with digital elements must produce and maintain an SBOM under the CRA. It must be available to market surveillance authorities on request. Common formats are SPDX (ISO/IEC 5962) and CycloneDX. The SBOM is closely linked to the vulnerability handling obligation: if a component appears in a known-vulnerability database (such as the NVD or OSV), the manufacturer must act.
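The SBOM-to-vulnerability link described above, as an added example that is not part of this page's tool: a small CycloneDX-style SBOM is constructed inline, its dependency graph is walked to tell direct from transitive components, and each component is matched against a constructed advisory list with OSV-style version ranges (all package names and advisory IDs are placeholders).

```python
# Added example, not the page's own tool: read a small CycloneDX-style SBOM and match
# its components (direct and transitive) against a constructed advisory list.
import json
# Constructed sample SBOM in CycloneDX JSON layout: webapp -> libfoo -> zlib-clone.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "webapp", "version": "2.0.0"}},
    "components": [
        {"bom-ref": "pkg:libfoo@1.4.2", "name": "libfoo", "version": "1.4.2"},
        {"bom-ref": "pkg:zlib-clone@0.9.1", "name": "zlib-clone", "version": "0.9.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:libfoo@1.4.2"]},
        {"ref": "pkg:libfoo@1.4.2", "dependsOn": ["pkg:zlib-clone@0.9.1"]},
    ],
})
# Constructed advisories with placeholder IDs (not real CVEs); OSV-style range
# semantics: "introduced" is inclusive, "fixed" is exclusive.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "zlib-clone", "introduced": "0.9.0", "fixed": "0.9.3"},
    {"id": "EXAMPLE-ADV-0002", "package": "libfoo", "introduced": "1.5.0", "fixed": "1.5.4"},
]
def parse_version(v):
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))
def depth_map(sbom):
    """Walk the dependency graph from the root; depth 1 = direct, >1 = transitive."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths, todo = {}, [(sbom["metadata"]["component"]["bom-ref"], 0)]
    while todo:
        ref, d = todo.pop()
        for child in edges.get(ref, []):
            if child not in depths or depths[child] > d + 1:  # keep shortest path
                depths[child] = d + 1
                todo.append((child, d + 1))
    return depths
def find_affected(sbom_json, advisories):
    """Return [(advisory id, component, version, 'direct'|'transitive')] matches."""
    sbom = json.loads(sbom_json)
    depths = depth_map(sbom)
    hits = []
    for c in sbom["components"]:
        ver = parse_version(c["version"])
        for adv in advisories:
            if adv["package"] == c["name"] and \
               parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                kind = "direct" if depths.get(c["bom-ref"]) == 1 else "transitive"
                hits.append((adv["id"], c["name"], c["version"], kind))
    return hits
```

The transitive flag matters in practice: the affected component is two levels down, which is exactly the case a flat component list would not expose.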
Do importers and distributors have to do a conformity assessment?
No. Neither importers nor distributors conduct their own conformity assessment. The manufacturer is responsible for the conformity assessment, CE marking, and EU Declaration of Conformity. Importers must verify this work has been done before placing the product on the EU market - checking the CE marking, EU DoC, and that technical documentation is in place. Distributors must verify the CE marking and documentation before making the product available. If either role modifies the product substantially or markets it under their own name, they become the manufacturer and take on all manufacturer obligations.
What are the CRA deadlines?
Two key dates. The vulnerability and incident reporting obligations under Article 14 - requiring manufacturers to notify ENISA of actively exploited vulnerabilities and significant cybersecurity incidents - apply from 11 September 2026. All other CRA obligations, including the essential requirements, conformity assessment, CE marking, SBOM, and security update duties, apply from 11 December 2027. Unlike some other EU regulations, the CRA does not have a company-size-based deadline difference; both dates apply to all companies. Micro and small enterprises may access simplified conformity procedures under harmonised standards.
What are the penalties for non-compliance?
The CRA sets substantial fines. For failure to meet the essential cybersecurity requirements: up to €15 million or 2.5% of total worldwide annual turnover (whichever is higher). For other obligations (documentation, reporting, cooperation with market surveillance): up to €10 million or 2% of annual turnover. For providing incorrect or misleading information to authorities: up to €5 million or 1% of annual turnover. Open-source software stewards cannot be fined under this regime.
This is guidance to help you understand the CRA, not legal advice. For decisions specific to your business, confirm with the official sources we link or a qualified legal or cybersecurity adviser.
Sources
- [1] Regulation (EU) 2024/2847 (CRA), full text on EUR-Lex, retrieved 8 Jun 2026
- [2] European Commission, CRA summary, retrieved 8 Jun 2026
- [3] European Commission, Cyber Resilience Act policy page, retrieved 8 Jun 2026
- [4] ENISA, Single Reporting Platform (SRP) for Art. 14 notifications, retrieved 8 Jun 2026