EU CRA Audit Checklist — 60 Controls Across 8 Sections
An auditor-grade EU Cyber Resilience Act checklist covering scope, Annex I essential requirements, vulnerability handling, conformity assessment, technical documentation, and incident reporting — every row tagged with the controlling CRA article and answered Yes / No / N/A.
The EU Cyber Resilience Act (Regulation (EU) 2024/2847, the "CRA") sets binding cybersecurity requirements for products with digital elements placed on the EU market. Most obligations apply from December 2027, with the vulnerability and incident reporting obligations under Article 14 applying earlier (September 2026).
This checklist is designed to be filled in cell-by-cell during an internal pre-audit. Each row maps to a specific CRA article or annex so the resulting evidence pack lines up directly with what a notified body or market-surveillance authority will ask for.
Section 1 — Scope & Applicability
| # | Control question | CRA ref | Yes / No / N/A |
|---|---|---|---|
| 1.1 | Have we confirmed that our product is a "product with digital elements" within the meaning of Article 3(1)? | Art. 3(1) | ☐ Yes ☐ No ☐ N/A |
| 1.2 | Have we identified whether the product falls in the default, Important Class I, Important Class II, or Critical category (Annex III / IV)? | Annex III, IV | ☐ Yes ☐ No ☐ N/A |
| 1.3 | Have we documented our role (manufacturer, importer, distributor) per Article 3(13)–(15)? | Art. 3(13)–(15) | ☐ Yes ☐ No ☐ N/A |
| 1.4 | If we are an importer or distributor, have we verified that the manufacturer has met its obligations under Articles 13 and 19? | Art. 19, 20 | ☐ Yes ☐ No ☐ N/A |
| 1.5 | Have we confirmed the product is not exclusively covered by another sectoral EU regulation that disapplies the CRA (e.g. medical devices, motor vehicles, civil aviation)? | Art. 2 | ☐ Yes ☐ No ☐ N/A |
| 1.6 | Is the support period for the product defined and at least five years (or the expected use period if shorter), per Article 13(8)? | Art. 13(8) | ☐ Yes ☐ No ☐ N/A |
| 1.7 | Are free and open-source software components correctly classified under the CRA's open-source steward regime where applicable? | Art. 24, Recital 18 | ☐ Yes ☐ No ☐ N/A |
Section 2 — Essential Cybersecurity Requirements (Annex I, Part I)
| # | Control question | CRA ref | Yes / No / N/A |
|---|---|---|---|
| 2.1 | Is the product designed, developed and produced to ensure an appropriate level of cybersecurity based on a risk assessment? | Annex I §1(1) | ☐ Yes ☐ No ☐ N/A |
| 2.2 | Is the product placed on the market without any known exploitable vulnerabilities? | Annex I §1(2)(a) | ☐ Yes ☐ No ☐ N/A |
| 2.3 | Is the product placed on the market with a secure-by-default configuration? | Annex I §1(2)(b) | ☐ Yes ☐ No ☐ N/A |
| 2.4 | Is there a mechanism for security updates to be installed in an automatic and verifiable manner? | Annex I §1(2)(c) | ☐ Yes ☐ No ☐ N/A |
| 2.5 | Is unauthorised access protected by appropriate control mechanisms (authentication, identity, access management)? | Annex I §1(2)(d) | ☐ Yes ☐ No ☐ N/A |
| 2.6 | Is the confidentiality of stored, transmitted and processed data protected (e.g. encryption at rest and in transit)? | Annex I §1(2)(e) | ☐ Yes ☐ No ☐ N/A |
| 2.7 | Is the integrity of stored, transmitted and processed data, commands and configuration protected against unauthorised manipulation? | Annex I §1(2)(f) | ☐ Yes ☐ No ☐ N/A |
| 2.8 | Are personal and other data minimised to what is adequate, relevant and limited to the intended use? | Annex I §1(2)(g) | ☐ Yes ☐ No ☐ N/A |
| 2.9 | Is the availability of essential and basic functions protected (including resilience and mitigation against DoS)? | Annex I §1(2)(h) | ☐ Yes ☐ No ☐ N/A |
| 2.10 | Is the negative impact of the product on the availability of services provided by other devices or networks minimised? | Annex I §1(2)(i) | ☐ Yes ☐ No ☐ N/A |
| 2.11 | Is the attack surface (including external interfaces) limited? | Annex I §1(2)(j) | ☐ Yes ☐ No ☐ N/A |
| 2.12 | Is the impact of an incident reduced through appropriate exploitation-mitigation mechanisms and techniques? | Annex I §1(2)(k) | ☐ Yes ☐ No ☐ N/A |
| 2.13 | Does the product provide security-related information by recording and monitoring relevant internal activity (logging)? | Annex I §1(2)(l) | ☐ Yes ☐ No ☐ N/A |
| 2.14 | Are users able to securely and easily remove all data and settings (decommissioning), and to transfer those securely to another product where applicable? | Annex I §1(2)(m) | ☐ Yes ☐ No ☐ N/A |
Section 3 — Vulnerability Handling Requirements (Annex I, Part II)
| # | Control question | CRA ref | Yes / No / N/A |
|---|---|---|---|
| 3.1 | Is there an SBOM (Software Bill of Materials) for the product, in a commonly used machine-readable format, covering at least top-level dependencies? | Annex I Part II §(1) | ☐ Yes ☐ No ☐ N/A |
| 3.2 | Are vulnerabilities (including those in components) addressed and remediated without delay, including through security updates? | Annex I Part II §(2) | ☐ Yes ☐ No ☐ N/A |
| 3.3 | Are regular security tests and reviews of the product carried out? | Annex I Part II §(3) | ☐ Yes ☐ No ☐ N/A |
| 3.4 | Is there a Coordinated Vulnerability Disclosure (CVD) policy publicly available? | Annex I Part II §(5) | ☐ Yes ☐ No ☐ N/A |
| 3.5 | Is there a contact address for reporting vulnerabilities discovered in the product, and is response time tracked? | Annex I Part II §(5) | ☐ Yes ☐ No ☐ N/A |
| 3.6 | Are mechanisms in place to securely distribute updates to users, including verification of update authenticity? | Annex I Part II §(7) | ☐ Yes ☐ No ☐ N/A |
| 3.7 | Are security patches or updates provided free of charge for the duration of the support period? | Annex I Part II §(8) | ☐ Yes ☐ No ☐ N/A |
| 3.8 | Is information about fixed vulnerabilities published in an advisory, including description, impact, and remediation? | Annex I Part II §(8) | ☐ Yes ☐ No ☐ N/A |
Section 4 — Conformity Assessment
| # | Control question | CRA ref | Yes / No / N/A |
|---|---|---|---|
| 4.1 | Has the appropriate conformity-assessment procedure (Module A self-assessment, Module B+C, Module H, or European cybersecurity certification scheme) been selected for the product class? | Art. 32, Annex VIII | ☐ Yes ☐ No ☐ N/A |
| 4.2 | For Important Class II / Critical products, has a Notified Body been engaged where mandatory third-party assessment applies? | Art. 32(2)–(3) | ☐ Yes ☐ No ☐ N/A |
| 4.3 | Has an EU Declaration of Conformity been drawn up per Article 28 and Annex V? | Art. 28, Annex V | ☐ Yes ☐ No ☐ N/A |
| 4.4 | Has the CE marking been affixed visibly, legibly and indelibly per Article 30? | Art. 30 | ☐ Yes ☐ No ☐ N/A |
| 4.5 | Are harmonised standards (or common specifications / European certification schemes) used to give presumption of conformity? | Art. 27 | ☐ Yes ☐ No ☐ N/A |
| 4.6 | Is the conformity assessment re-performed when a substantial modification is made to the product? | Art. 13(3) | ☐ Yes ☐ No ☐ N/A |
Section 5 — Technical Documentation (Annex VII)
| # | Control question | CRA ref | Yes / No / N/A |
|---|---|---|---|
| 5.1 | Does the technical documentation contain a general description of the product, its intended purpose, and the categories of users? | Annex VII §(1) | ☐ Yes ☐ No ☐ N/A |
| 5.2 | Does it contain the design, development and production process descriptions, including architecture diagrams? | Annex VII §(2) | ☐ Yes ☐ No ☐ N/A |
| 5.3 | Is the cybersecurity risk assessment documented, including identified risks and how they are addressed? | Annex VII §(3), Art. 13(2) | ☐ Yes ☐ No ☐ N/A |
| 5.4 | Are the harmonised standards / common specifications applied (in full or in part) listed? | Annex VII §(4) | ☐ Yes ☐ No ☐ N/A |
| 5.5 | Are the test reports demonstrating conformity with Annex I requirements included? | Annex VII §(5) | ☐ Yes ☐ No ☐ N/A |
| 5.6 | Is the EU Declaration of Conformity attached to the technical documentation? | Annex VII §(6) | ☐ Yes ☐ No ☐ N/A |
| 5.7 | Is the technical documentation kept for at least ten years after placing on the market and made available to authorities on request? | Art. 13(11) | ☐ Yes ☐ No ☐ N/A |
Section 6 — Incident & Vulnerability Reporting (Article 14)
| # | Control question | CRA ref | Yes / No / N/A |
|---|---|---|---|
| 6.1 | Is there a process to notify ENISA / the CSIRT of any actively exploited vulnerability within 24 hours of becoming aware (early warning)? | Art. 14(1)(a) | ☐ Yes ☐ No ☐ N/A |
| 6.2 | Is a vulnerability notification submitted within 72 hours, including information on corrective or mitigating measures? | Art. 14(1)(b) | ☐ Yes ☐ No ☐ N/A |
| 6.3 | Is a final report submitted no later than 14 days after a corrective or mitigating measure is available? | Art. 14(1)(c) | ☐ Yes ☐ No ☐ N/A |
| 6.4 | Is there an analogous process for notifying severe incidents having an impact on the security of the product within 24 / 72 hours / 14 days? | Art. 14(3) | ☐ Yes ☐ No ☐ N/A |
| 6.5 | Are users informed without undue delay of severe incidents and of any corrective measures they should take? | Art. 14(8) | ☐ Yes ☐ No ☐ N/A |
| 6.6 | Is the single reporting platform (per Article 16) used, and notifications kept on file? | Art. 16 | ☐ Yes ☐ No ☐ N/A |
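As an added illustration of the three clocks in rows 6.1 to 6.3 (not part of the checklist itself): a small Python tracker that derives the Article 14 deadlines from the moment of awareness and from the moment a corrective measure becomes available, and classifies each reporting stage. The offsets are the ones stated in the rows above; the class and function names (`Art14Clock`, `report_status`), the sample dates and the submission record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Clock offsets as stated in rows 6.1-6.3 (Article 14 vulnerability reporting).
EARLY_WARNING = timedelta(hours=24)   # 6.1: 24 h after becoming aware
NOTIFICATION = timedelta(hours=72)    # 6.2: 72 h after becoming aware
FINAL_REPORT = timedelta(days=14)     # 6.3: 14 days after a corrective measure is available

@dataclass
class Art14Clock:
    aware_at: datetime                                # moment of awareness (tz-aware)
    measure_available_at: Optional[datetime] = None   # None until a fix/mitigation exists

    def __post_init__(self) -> None:
        # Naive timestamps silently shift deadlines across time zones; refuse them.
        for ts in (self.aware_at, self.measure_available_at):
            if ts is not None and ts.tzinfo is None:
                raise ValueError("timestamps must be timezone-aware")

    def deadlines(self) -> dict:
        due = {"early_warning": self.aware_at + EARLY_WARNING,
               "notification": self.aware_at + NOTIFICATION,
               "final_report": None}          # clock only starts once a measure exists
        if self.measure_available_at is not None:
            due["final_report"] = self.measure_available_at + FINAL_REPORT
        return due

def report_status(clock: Art14Clock, submitted: dict, now: datetime) -> dict:
    """Per stage: on_time / late (sent), open / overdue (not sent), not_started (no measure yet)."""
    out = {}
    for stage, due in clock.deadlines().items():
        sent = submitted.get(stage)
        if due is None:
            out[stage] = "not_started"
        elif sent is not None:
            out[stage] = "on_time" if sent <= due else "late"
        else:
            out[stage] = "open" if now <= due else "overdue"
    return out

def example_status(fix_available: bool = False) -> dict:
    # Constructed sample (hypothetical dates): aware 15 Sep 2026 08:00 UTC, early
    # warning sent 12 h later, 72 h notification never sent, reviewed 19 Oct 2026.
    utc = timezone.utc
    fix = datetime(2026, 9, 20, tzinfo=utc) if fix_available else None
    clock = Art14Clock(aware_at=datetime(2026, 9, 15, 8, tzinfo=utc), measure_available_at=fix)
    submitted = {"early_warning": datetime(2026, 9, 15, 20, tzinfo=utc)}
    return report_status(clock, submitted, now=datetime(2026, 10, 19, 9, tzinfo=utc))
```

Row 6.4 applies the same clocks to severe incidents as stated on this page, so the same tracker can be reused with an incident's awareness time.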
Section 7 — Post-Market Obligations
| # | Control question | CRA ref | Yes / No / N/A |
|---|---|---|---|
| 7.1 | Are corrective measures taken without undue delay where the product is suspected not to comply with the CRA? | Art. 13(5) | ☐ Yes ☐ No ☐ N/A |
| 7.2 | Are competent authorities of the Member States in which the product is made available informed of any non-compliance and corrective action? | Art. 13(5) | ☐ Yes ☐ No ☐ N/A |
| 7.3 | Is a register of complaints, non-conforming products and recalls maintained, and shared with importers / distributors as required? | Art. 13(7) | ☐ Yes ☐ No ☐ N/A |
| 7.4 | Are the EU Declaration of Conformity, the instructions and the information required by Annex II made available with the product? | Annex II | ☐ Yes ☐ No ☐ N/A |
| 7.5 | When the support period ends, are users notified clearly and in advance? | Art. 13(8) | ☐ Yes ☐ No ☐ N/A |
Section 8 — Governance & Records
| # | Control question | CRA ref | Yes / No / N/A |
|---|---|---|---|
| 8.1 | Is there a designated CRA accountable owner (e.g. Head of Product Security) with documented responsibilities? | Art. 13 (general) | ☐ Yes ☐ No ☐ N/A |
| 8.2 | Does the secure-development lifecycle integrate threat modelling, code review, SAST, DAST and dependency scanning at defined gates? | Annex I Part II §(3) | ☐ Yes ☐ No ☐ N/A |
| 8.3 | Are penetration tests performed at least annually and after substantial modifications, with findings tracked to closure? | Annex I Part II §(3) | ☐ Yes ☐ No ☐ N/A |
| 8.4 | Is supplier and component security assessed (including provenance, code signing and vulnerability monitoring of upstream components)? | Annex I §1(1), Recital 32 | ☐ Yes ☐ No ☐ N/A |
| 8.5 | Are training and awareness records maintained for staff involved in development, vulnerability handling, and incident response? | Annex I §1(1) | ☐ Yes ☐ No ☐ N/A |
| 8.6 | Is the CRA evidence pack version-controlled and reviewable end-to-end (one click from a control to the underlying artefacts)? | Art. 13(11) | ☐ Yes ☐ No ☐ N/A |