Cyber Resilience Act (CRA)
Article 13 – Obligations for Manufacturers
This checklist helps assess compliance with the Cyber Resilience Act manufacturer obligations and supporting cybersecurity requirements.
1. Secure by Design and Development
- Security requirements are considered during product design.
- Cybersecurity risks are assessed before release.
- Secure development procedures are documented.
- Security testing is performed before deployment.
- Default configurations are secure.
2. Risk Assessment
- A documented cybersecurity risk assessment exists.
- Threats and attack scenarios have been identified.
- Risk assessments are reviewed periodically.
- Third-party software risks are evaluated.
3. Vulnerability Management
- A Vulnerability Disclosure Policy (VDP) is published.
- A security reporting email address exists.
- Customer vulnerability reports are tracked.
- Vulnerabilities are assessed and prioritised.
- Security patches are developed and deployed.
- Evidence of remediation activities is retained.
4. Security Updates
- Security updates can be provided to customers.
- A defined support period exists.
- Customers are informed about available updates.
- Update procedures are documented.
5. Software Bill of Materials (SBOM)
- Third-party components are identified.
- Open-source dependencies are tracked.
- Component inventories are maintained.
- Known vulnerable components are monitored.
6. Incident and Vulnerability Reporting
- Procedures exist to identify active exploitation.
- A 24-hour reporting process is documented.
- A 72-hour reporting process is documented.
- Responsible personnel are identified.
- Evidence and logs are retained for investigations.
7. Customer Information
- Security contact details are publicly available.
- Users receive security guidance.
- Known limitations and risks are documented.
- Security update information is published.
8. Compliance Documentation
- Technical documentation is maintained.
- Compliance evidence is retained.
- Policies and procedures are approved.
- Records are available for regulatory review.
Management Review
Review Date: ______________________
Reviewed By: ______________________
Overall Compliance Status: ☐ Compliant ☐ Partially Compliant ☐ Not Compliant