The CRA Compliance Checklist: 12 Steps Before September 2026
Article 14 incident reporting begins September 2026 -- well before the December 2027 full deadline. These are the 12 steps every manufacturer must complete first.
Why September 2026 Is the First Real Deadline
Most CRA commentary focuses on December 2027, when CE marking and the full Annex I compliance requirements kick in. But the Article 14 incident reporting obligations begin on 11 September 2026. If your product has an actively exploited vulnerability and you miss the 24-hour notification to ENISA, you are already non-compliant, regardless of how far along your CE marking work is.
Steps 1-4: Scope and Classify (Complete by Q2 2026)
Step 1 -- Inventory your products: List every hardware and software product you sell and identify which ones have a data connection to another device or network. Those are your products with digital elements (PDEs).
Step 2 -- Exclude non-PDEs and genuine open source: Pure SaaS without a client component is generally out of scope. Volunteer-maintained open source with no commercial activity is also exempt. Document your exclusion rationale.
Step 3 -- Classify each PDE: Work through the Annex III decision tree -- Default, Class I Important, or Class II Important. Document your rationale for each decision.
Step 4 -- Identify your conformity assessment route: Default-category products use Module A self-assessment. Class I requires enhanced self-assessment or third-party review. Class II requires mandatory notified body assessment. For Class II, begin engaging notified bodies now, because their capacity will be limited as the deadline approaches.
Steps 5-8: Article 14 Readiness (Complete by August 2026)
Step 5 -- Generate SBOMs: For every in-scope product, generate a machine-readable SBOM in CycloneDX or SPDX format. Automate generation in your CI/CD pipeline.
Step 6 -- Set up vulnerability monitoring: Continuously match SBOM components against NVD, OSV, and EUVD. Tools like Dependency-Track and Grype automate this.
Step 7 -- Register on EUVD: Register at euvdb.europa.eu and test the submission workflow before an incident forces you to do it under time pressure.
Step 8 -- Build your Article 14 response process: Define the internal escalation path, prepare report templates for all three stages, and run at least one tabletop exercise before September 2026.
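Steps 5 and 6 are the two technical pieces of Article 14 readiness: a machine-readable SBOM and a process that continuously matches its components against vulnerability sources. The script below is an added example written for this page, not code from the article or from any of the tools it names. It reads a constructed CycloneDX JSON SBOM, parses each component's package URL (purl), builds the request body that the OSV batch query endpoint expects (the request is not sent here), and matches the components against a constructed, OSV-shaped advisory feed with fictional IDs and package names. The ecosystem mapping and the simple dotted-numeric version comparison are assumptions for the example; a production pipeline would use a full purl library and ecosystem-aware version ordering.

```python
"""Match a CycloneDX SBOM's components against a vulnerability feed (added example)."""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5 JSON SBOM; package names and versions are fictional.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "widget-core", "version": "1.4.0",
         "purl": "pkg:npm/%40examplecorp/widget-core@1.4.0"},
        {"type": "library", "name": "sample-parser", "version": "2.0.1",
         "purl": "pkg:pypi/sample-parser@2.0.1"},
        {"type": "library", "name": "tls-helper", "version": "3.2.0",
         "purl": "pkg:golang/github.com/example/tls-helper@3.2.0"},
    ],
})

# Constructed advisory feed in an OSV-like shape: fictional IDs, fictional packages.
SAMPLE_FEED = [
    {"id": "EXAMPLE-2026-0001", "ecosystem": "npm", "package": "@examplecorp/widget-core",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-2026-0002", "ecosystem": "PyPI", "package": "sample-parser",
     "introduced": "0", "fixed": "2.0.0"},        # 2.0.1 is already past the fix
    {"id": "EXAMPLE-2026-0003", "ecosystem": "Go", "package": "github.com/example/tls-helper",
     "introduced": "3.0.0", "fixed": None},       # no fixed release yet
]

# Assumed mapping from purl type to the ecosystem names the feed uses.
PURL_TYPE_TO_ECOSYSTEM = {"npm": "npm", "pypi": "PyPI", "golang": "Go",
                          "maven": "Maven", "cargo": "crates.io"}


def parse_purl(purl):
    """Split a package URL into type, (namespace/)name and version."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    ptype, _, rest = body.partition("/")
    if "@" in rest:
        path, version = rest.rsplit("@", 1)
    else:
        path, version = rest, None
    # Namespace segments are percent-encoded in purls (e.g. %40scope for @scope).
    name = "/".join(unquote(seg) for seg in path.split("/"))
    return {"type": ptype, "name": name, "version": version}


def load_components(sbom_text):
    """Return the purl-bearing components of a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON SBOM")
    comps = []
    for c in bom.get("components", []):
        if "purl" not in c:
            continue        # without a purl the component cannot be matched reliably
        info = parse_purl(c["purl"])
        info["purl"] = c["purl"]
        comps.append(info)
    return comps


def build_osv_batch_query(components):
    """Request body for POST https://api.osv.dev/v1/querybatch (built, not sent)."""
    return {"queries": [{"package": {"purl": c["purl"]}} for c in components]}


def version_key(v):
    """Simplified dotted-numeric ordering; an assumption adequate for the sample data."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def match_feed(components, feed):
    """Report every component whose version falls inside an advisory's affected range."""
    findings = []
    for comp in components:
        eco = PURL_TYPE_TO_ECOSYSTEM.get(comp["type"])
        if eco is None or comp["version"] is None:
            continue
        v = version_key(comp["version"])
        for adv in feed:
            if adv["ecosystem"] != eco or adv["package"] != comp["name"]:
                continue
            if v < version_key(adv["introduced"]):
                continue
            if adv["fixed"] is not None and v >= version_key(adv["fixed"]):
                continue
            findings.append({"id": adv["id"], "purl": comp["purl"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print(json.dumps(build_osv_batch_query(comps), indent=2))
    for f in match_feed(comps, SAMPLE_FEED):
        print(f"{f['id']}: {f['purl']} (fixed in {f['fixed'] or 'no fix yet'})")
```

Running it against the sample data reports two findings: widget-core 1.4.0 sits inside the affected range of the first advisory, and tls-helper 3.2.0 matches the third, which has no fixed version yet, so it stays open until a fix ships; sample-parser 2.0.1 is past the fix and is not reported. The point of the structure is that the SBOM-to-purl step and the feed-matching step are separate, so the same component list can be sent to OSV, checked against NVD, and compared with EUVD entries without re-parsing the SBOM.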
Steps 9-12: Full Compliance (Complete by Q3 2027)
Step 9 -- Publish a CVD policy and reporting channel: Write and publish a coordinated vulnerability disclosure policy, set up a security reporting channel, and publish security.txt at /.well-known/security.txt.
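The security.txt file in Step 9 is defined by RFC 9116, which makes the Contact and Expires fields mandatory and limits Expires to a single occurrence, recommended to be less than a year in the future. The checker below is an added example for this page, not code from the article; it parses a constructed security.txt (fictional example.com addresses) and reports the violations a publishing pipeline should block on before the file goes live at /.well-known/security.txt. The https requirement it applies to Policy and Canonical URLs is a conservative assumption of the example, not a strict requirement of the RFC.

```python
"""Check a security.txt file against the mandatory RFC 9116 fields (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed security.txt for a fictional organisation; not a real file.
SAMPLE_SECURITY_TXT = """\
# Constructed example served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00Z
Policy: https://example.com/security/cvd-policy
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en, de
"""


def parse_security_txt(text):
    """Collect 'Field: value' lines into a dict of lower-cased field name -> list of values."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # blank lines and comments are allowed
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_rfc3339(value):
    # Python < 3.11 does not accept a trailing 'Z', so normalise it first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks.

    `now` may be an RFC 3339 string (used by the tests) or omitted for wall-clock time.
    """
    now = _parse_rfc3339(now) if now else datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    # RFC 9116: Contact is mandatory and each value is a URI.
    if "contact" not in fields:
        problems.append("missing mandatory Contact field")
    else:
        for c in fields["contact"]:
            if not c.startswith(("mailto:", "https://", "tel:")):
                problems.append(f"Contact should be a mailto:, https:// or tel: URI: {c}")

    # RFC 9116: Expires is mandatory, appears once, and should be under a year away.
    if "expires" not in fields:
        problems.append("missing mandatory Expires field")
    elif len(fields["expires"]) > 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = _parse_rfc3339(fields["expires"][0])
        except ValueError:
            problems.append("Expires is not an RFC 3339 timestamp")
        else:
            if exp <= now:
                problems.append("security.txt has expired")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")

    # Example's own policy: links to the CVD policy and the canonical location use https.
    for url in fields.get("policy", []) + fields.get("canonical", []):
        if not url.startswith("https://"):
            problems.append(f"{url} should use https://")
    return problems


if __name__ == "__main__":
    for p in check_security_txt(SAMPLE_SECURITY_TXT) or ["OK: no problems found"]:
        print(p)
```

Because Expires is checked against a clock, the useful place for this is a scheduled job that fails well before the date passes; an expired security.txt is the most common way a published reporting channel silently stops being trusted by researchers and scanners.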
Step 10 -- Conduct an Annex I gap analysis: Map every Annex I requirement against your current product, document gaps, assign owners, and set remediation deadlines.
Step 11 -- Compile the technical file: Include product description, cybersecurity risk assessment, design documentation, Annex I traceability matrix, penetration test results, and current SBOM.
Step 12 -- Complete conformity assessment and affix CE marking: Sign the EU Declaration of Conformity (DoC) and retain it for at least 10 years.