CRA Compliance Checklist for IoT Manufacturers

Use this checklist to assess your readiness for the EU Cyber Resilience Act. Check off each requirement as you address it. Two deadlines: September 2026 (reporting) and December 2027 (full compliance).

This checklist covers the key CRA requirements for manufacturers of products with digital elements. It is not exhaustive and is not legal advice — consult a qualified legal professional for your specific situation.

By September 11, 2026 — Reporting Readiness

Generate SBOMs for all products on the market

Sep 2026

Create a Software Bill of Materials for every product you currently sell in the EU. Use CycloneDX or SPDX format. Include all software components: libraries, frameworks, OS packages, and third-party code.

Set up automated vulnerability monitoring

Sep 2026

Implement continuous monitoring against CVE databases (NVD, OSV, CISA KEV). Monitor at least every 24 hours — ideally every 2 hours. Manual CVE tracking will not meet the 24-hour reporting deadline.

Establish ENISA reporting workflow

Sep 2026

Define who is responsible for ENISA reports, what the approval process is, and how the three-stage chain (24h early warning, 72h vulnerability notification, 14d final report) is managed. Document this process.
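Pulling the SBOM, monitoring and reporting-workflow items above together, here is an added example (not Lexoreg's code) that matches a CycloneDX SBOM against a vulnerability feed by package URL, flags the hits that trigger Article 14 reporting, and derives the 24h/72h/14d deadlines from a detection time. The SBOM fragment, the simplified advisory records and the CVE identifiers are constructed; real NVD/OSV records use a richer schema, and counting all three deadlines from detection is a simplifying assumption.

```python
# Added example, not Lexoreg code: match a CycloneDX SBOM against a
# vulnerability feed and derive the CRA 24h/72h/14d reporting deadlines.
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX 1.5 SBOM fragment; component names are made up.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "libfoo", "version": "1.2.3",
   "purl": "pkg:deb/debian/libfoo@1.2.3"},
  {"type": "library", "name": "tlslib", "version": "4.0.1",
   "purl": "pkg:generic/tlslib@4.0.1"}]}"""

# Constructed, simplified advisory records (not the real NVD/OSV schema);
# the identifiers are placeholders, not real CVEs.
FEED = [
    {"id": "CVE-0000-00001", "purl": "pkg:generic/tlslib",
     "affected_versions": ["4.0.0", "4.0.1"], "actively_exploited": True},
    {"id": "CVE-0000-00002", "purl": "pkg:deb/debian/libfoo",
     "affected_versions": ["1.2.0"], "actively_exploited": False},
]

# The tabletop scenario from the checklist: a CVE lands at 3 AM on a Saturday.
DETECTED_AT = datetime(2026, 9, 12, 3, 0, tzinfo=timezone.utc)

def purl_base(purl):
    """Drop the @version so SBOM and advisory entries share one key."""
    return purl.split("@", 1)[0]

def match_sbom(sbom_json, feed):
    """Return (component, advisory) pairs whose exact version is listed as affected."""
    components = json.loads(sbom_json)["components"]
    by_pkg = {purl_base(c["purl"]): c for c in components if "purl" in c}
    return [(by_pkg[a["purl"]], a) for a in feed
            if a["purl"] in by_pkg
            and by_pkg[a["purl"]]["version"] in a["affected_versions"]]

def needs_enisa_report(hits):
    """Article 14 reporting is triggered only by actively exploited hits."""
    return [a["id"] for _, a in hits if a["actively_exploited"]]

def reporting_deadlines(detected_at):
    """Deadlines of the 24h/72h/14d chain. Counting all three from detection
    is a simplifying assumption; the final-report clock depends on the fix."""
    return {"early_warning": detected_at + timedelta(hours=24),
            "notification": detected_at + timedelta(hours=72),
            "final_report": detected_at + timedelta(days=14)}

def scan_is_stale(last_scan, now, max_age_hours=24):
    """True when the feed has not been checked within the 24-hour cadence."""
    return now - last_scan > timedelta(hours=max_age_hours)
```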

Identify your CSIRT contact point

Sep 2026

Determine which national CSIRT is your primary contact based on where your organization is established. For Finland: NCSC-FI. Register with ENISA's Single Reporting Platform when available.

Set up user notification process

Sep 2026

Establish a way to notify affected users about vulnerabilities and corrective measures (email, security advisory page, in-app notice). CRA Article 14(8) requires this.

Test your incident response time

Sep 2026

Run a tabletop exercise: a critical CVE is published at 3 AM on a Saturday. Can your team detect it, assess impact, draft the ENISA report, and submit — all within 24 hours?

By December 11, 2027 — Full Compliance

Implement security by design processes

Dec 2027

Document how cybersecurity is integrated into your product development lifecycle. This includes threat modeling, secure coding practices, and security testing before release.

Establish coordinated vulnerability disclosure (CVD) policy

Dec 2027

Publish a CVD policy on your website with a security contact email. Follow ISO/IEC 29147 guidelines. Make it easy for security researchers to report vulnerabilities to you.

Commit to security update support period

Dec 2027

Determine and document the security support period for each product. CRA requires a minimum of 5 years from market placement. Free security updates must be provided throughout this period.

Prepare technical documentation (Annex VII)

Dec 2027

Create and maintain technical documentation including: general product description, risk assessment, applied standards, design and development documentation, vulnerability handling process, and SBOM.

Conduct conformity assessment

Dec 2027

For Default category products: self-assessment against Annex I requirements. For Important Class I: apply harmonised standards or third-party assessment. For Class II and Critical: mandatory third-party assessment.

Sign Declaration of Conformity

Dec 2027

Prepare and sign the EU Declaration of Conformity (DoC) stating that your product meets all applicable CRA requirements. This document must reference the applied standards and conformity assessment procedures.

Apply CE marking

Dec 2027

Affix the CE mark to your product or its packaging only after all CRA requirements are met and the Declaration of Conformity is signed. CE marking now includes cybersecurity compliance.

Set up supply chain documentation

Dec 2027

Identify all third-party component suppliers. Document their security practices and vulnerability disclosure policies. Maintain records for regulatory audit.

Implement audit trail

Dec 2027

Maintain records of all compliance-relevant activities: vulnerability detections, triage decisions, patches applied, ENISA reports submitted, user notifications sent. Retain for at least 5 years.

Train your team

Dec 2027

Ensure product development, security, and management teams understand CRA obligations. Document training records.

Ongoing Obligations (After December 2027)

Monitor vulnerabilities continuously

Ongoing

Throughout the product support period, monitor for new vulnerabilities in all components. This is not a one-time activity — it runs for the entire supported lifetime of every product.

Provide security updates

Ongoing

Release security patches promptly when vulnerabilities are discovered. Free of charge for the duration of the support period. Document each update and which CVEs it addresses.

Report to ENISA when required

Ongoing

Submit Article 14 reports whenever an actively exploited vulnerability is discovered in your products. Maintain the 24h/72h/14d reporting chain.

Update SBOMs with each release

Ongoing

Re-generate and publish updated SBOMs whenever you release a firmware or software update. Track version history.

Maintain audit trail

Ongoing

Continue logging all compliance activities. The audit trail is your primary evidence in case of a market surveillance authority audit.

Automate This Checklist with Lexoreg

Lexoreg tracks all of these requirements automatically. Upload your SBOM, and we handle vulnerability monitoring, ENISA reporting, compliance scoring, and audit trail — so you can focus on building products instead of compliance paperwork.