Getting Started - seedon198/Cyber-Resilience-Act GitHub Wiki

Getting Started with CRA Compliance

This guide provides a structured approach to beginning your CRA compliance journey, regardless of your organization size or current security maturity.

Step 1: Determine Applicability

Quick Assessment

Answer these questions to determine if CRA applies to your products:

Product Characteristics

  • Does your product have digital elements?
  • Is it connected to networks or other devices?
  • Do you place it on the EU market?
  • Is it intended for commercial use?

Exemption Check

  • Is your product already covered by specific EU cybersecurity legislation?
  • Is it open-source software developed outside commercial activity?
  • Is it for R&D purposes only?
  • Is it a custom product for a single customer?

If you answered "Yes" to product characteristics and "No" to exemptions, CRA likely applies.

Product Classification

Class I Products (Standard Risk)

  • Most consumer IoT devices
  • Basic software products
  • Standard network equipment
  • Simple connected devices

Class II Products (Important Risk)

  • Critical infrastructure components
  • Identity management systems
  • Advanced cybersecurity products
  • High-risk network equipment

📋 Use our detailed assessment tool for definitive classification.

Step 2: Current State Analysis

Security Inventory

Document your current security posture:

Technical Assessment

  1. Security Controls

    • Authentication mechanisms
    • Data encryption practices
    • Access control systems
    • Vulnerability management processes
  2. Development Practices

    • Secure coding standards
    • Security testing procedures
    • Code review processes
    • Third-party component management
  3. Operational Security

    • Incident response procedures
    • Security monitoring capabilities
    • Update and patch management
    • Security documentation

Gap Analysis

  • Download our gap analysis template
  • Compare current practices with CRA requirements
  • Prioritize gaps by risk and implementation effort
  • Estimate resources needed for remediation

Step 3: Compliance Planning

Implementation Roadmap

Phase 1: Foundation (Months 1-3)

  • Establish CRA compliance team
  • Complete detailed applicability assessment
  • Conduct comprehensive gap analysis
  • Develop implementation budget and timeline
  • Engage management support and resources

Phase 2: Essential Requirements (Months 4-12)

  • Implement secure-by-design practices
  • Establish vulnerability management program
  • Create incident response procedures
  • Develop security documentation framework
  • Begin conformity assessment preparation

Phase 3: Documentation & Assessment (Months 13-18)

  • Complete technical documentation
  • Prepare EU declaration of conformity
  • Engage notified body (if Class II)
  • Conduct final security testing
  • Implement CE marking process

Phase 4: Market Readiness (Months 19-24)

  • Finalize all compliance documentation
  • Train support and sales teams
  • Establish ongoing compliance monitoring
  • Prepare for market surveillance
  • Launch compliant products

Resource Planning

Team Structure

  • Compliance Manager: Overall program coordination
  • Legal Counsel: Regulatory interpretation and risk
  • Security Architect: Technical implementation
  • Product Manager: Product integration and timeline
  • Quality Assurance: Testing and documentation
  • External Consultant: Specialized expertise (optional)

Budget Considerations

  • Internal resources: Staff time and training
  • External services: Legal, consulting, assessment
  • Technology investments: Security tools and systems
  • Compliance costs: Notified body fees, testing
  • Ongoing costs: Monitoring, updates, maintenance

Step 4: Quick Wins & Early Actions

Immediate Improvements (30 days)

  1. Security Defaults

    • Review and strengthen default configurations
    • Disable unnecessary services and features
    • Implement secure authentication requirements
  2. Vulnerability Management

    • Establish vulnerability disclosure policy
    • Set up security contact information
    • Begin tracking and documenting vulnerabilities
  3. Documentation

    • Start security documentation repository
    • Document current security features
    • Create compliance tracking system

Short-term Goals (90 days)

  1. Secure Development

    • Implement security code review process
    • Establish security testing procedures
    • Train development team on secure coding
  2. Incident Response

    • Create basic incident response plan
    • Establish incident reporting procedures
    • Set up security monitoring alerts
  3. Supply Chain Security

    • Inventory third-party components
    • Assess supplier security practices
    • Implement component vulnerability tracking
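The "inventory third-party components" and "implement component vulnerability tracking" items above are the most mechanical part of supply chain security, and they are easier to keep current when the inventory is machine-readable. The following is an added example (not code from this wiki or from the Cyber-Resilience-Act project): it loads a CycloneDX-style SBOM, joins each component's package URL against an advisory list with affected version ranges, and produces the kind of open-findings summary a compliance tracker would record. The SBOM and the advisory feed are constructed inline, and the advisory ids are placeholders, not real CVEs.

```python
# Added example for this wiki page; not code from the Cyber-Resilience-Act
# project. Keeps a third-party component inventory and tracks known
# vulnerabilities against it. The SBOM and advisories below are constructed
# test data; advisory ids are placeholders, not real CVEs.
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str  # package URL, e.g. pkg:npm/name@1.0.0


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    severity: str
    fixed_in: str


# Constructed CycloneDX-style SBOM (only the fields this example reads).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.2.3",
     "purl": "pkg:generic/libexample-tls@1.2.3"},
    {"type": "library", "name": "json-parse", "version": "2.0.0",
     "purl": "pkg:npm/json-parse@2.0.0"},
    {"type": "library", "name": "imgcodec", "version": "0.9.1"}
  ]
}
"""

# Constructed advisory feed: an affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "purl_base": "pkg:generic/libexample-tls",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-0002", "purl_base": "pkg:npm/json-parse",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "medium"},
]


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' (or '1.2.3-rc1') into a comparable tuple of ints.
    Assumes dotted numeric versions; a non-numeric suffix is dropped and
    short versions are padded so '1.2' compares equal to '1.2.0'."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def purl_base(purl: str) -> str:
    """Strip the @version (and any ?qualifiers or #subpath) from a purl."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def load_components(sbom_text: str) -> list:
    """Build the inventory from SBOM JSON. A component without a purl gets a
    generic one so it is still matched rather than silently skipped."""
    doc = json.loads(sbom_text)
    inventory = []
    for c in doc.get("components", []):
        purl = c.get("purl") or f"pkg:generic/{c['name']}@{c['version']}"
        inventory.append(Component(c["name"], c["version"], purl))
    return inventory


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed; the fixed version itself is safe."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(components, advisories) -> list:
    """Join the inventory against the advisory feed on purl base and range."""
    findings = []
    for comp in components:
        base = purl_base(comp.purl)
        for adv in advisories:
            if adv["purl_base"] == base and is_affected(
                comp.version, adv["introduced"], adv["fixed"]
            ):
                findings.append(Finding(comp, adv["id"], adv["severity"], adv["fixed"]))
    return findings


def tracking_report(findings) -> dict:
    """Summarise open findings the way a compliance tracker would record them."""
    by_severity = {}
    for f in findings:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    return {
        "open_findings": len(findings),
        "open_by_severity": by_severity,
        "items": [
            {"component": f.component.name, "version": f.component.version,
             "advisory": f.advisory_id, "upgrade_to": f.fixed_in}
            for f in findings
        ],
    }


if __name__ == "__main__":
    report = tracking_report(match_advisories(load_components(SBOM_JSON), ADVISORIES))
    print(json.dumps(report, indent=2))
```

Run against the constructed data, only libexample-tls 1.2.3 is reported: json-parse 2.0.0 sits exactly at the fixed version and is therefore out of range, and imgcodec has no advisory. In practice the SBOM would come from your build pipeline and the advisory feed from your vulnerability sources; re-running the join on every build is what turns a one-off inventory into the ongoing tracking the CRA expects.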

Essential Resources

Documentation Templates

Technical Guidance

Industry-Specific Guidance

Training & Education

Team Training Priorities

  1. Management: CRA overview and business impact
  2. Legal: Regulatory requirements and obligations
  3. Technical: Security implementation and testing
  4. Quality: Documentation and assessment procedures
  5. Sales/Marketing: Customer communication and positioning

External Training Options

  • CRA Training Programs - Structured learning paths
  • Industry conferences and workshops
  • Professional certification programs
  • Vendor-specific security training

📞 Getting Help

Internal Resources

  • Establish clear escalation paths
  • Create cross-functional working groups
  • Hold regular progress reviews and updates

External Support

  • Legal counsel for regulatory interpretation
  • Security consultants for technical implementation
  • Notified bodies for conformity assessment
  • Industry associations for peer guidance

Community Resources

Success Metrics

Track Your Progress

  • Compliance readiness percentage
  • Security control implementation status
  • Documentation completion rate
  • Team training completion
  • Budget and timeline adherence

Key Milestones

  • Applicability determination complete
  • Gap analysis finalized
  • Implementation plan approved
  • Essential requirements implemented
  • Documentation package complete
  • Conformity assessment passed
  • Market launch ready

Ready for the next step? Choose your path based on your primary focus: