
CRA 2027 Readiness Checklist: Are You Prepared?

With December 2027 approaching, manufacturers need to assess their compliance readiness now. This checklist covers all major CRA obligations — from product classification and SBOM generation to conformity assessment and Article 14 readiness.

CRAReady Team

How Much Time Do You Actually Have?

The CRA compliance deadline of 11 December 2027 sounds like it is two years away, but for manufacturers of Class II products requiring notified body assessment, the preparation timeline looks like this:

  • 3–6 months for gap analysis and remediation planning
  • 6–18 months to remediate identified security gaps
  • 3–6 months for notified body assessment
  • 1–2 months for DoC finalisation and CE marking

For complex products in the Class II category, 2025 is not too early to start. For Class I and default products, a 2026 start is feasible but leaves little slack.

The Full Readiness Checklist

1. Product Classification [ ]

  • Identified all products that are products with digital elements (PDEs)
  • Determined classification for each product (Default / Class I / Class II)
  • Documented classification rationale in the technical file
  • Identified products that are out of scope (pure SaaS, open source exception, etc.)

2. Article 14 Readiness (Deadline: September 2026) [ ]

  • Registered for EUVD account at euvdb.europa.eu
  • Identified national CSIRT contact details for your member state
  • Established vulnerability monitoring for all SBOM components
  • Defined escalation path and on-call rotation for 24h response
  • Prepared Article 14 report templates (early warning, detailed report, final report)
  • Run at least one Article 14 tabletop exercise

3. SBOM and Vulnerability Management [ ]

  • Generated SBOMs for all in-scope products (CycloneDX or SPDX)
  • SBOM generation integrated into CI/CD pipeline
  • Automated vulnerability matching against NVD, EUVD, and OSV
  • Defined patch management SLAs by severity
  • Process for monitoring third-party component end-of-life dates

4. Coordinated Vulnerability Disclosure [ ]

  • CVD policy written and published
  • Dedicated security reporting channel established (email / web form)
  • security.txt file published at /.well-known/security.txt
  • Defined internal triage and response SLAs
  • CSAF advisory publishing infrastructure set up

5. Annex I Gap Analysis [ ]

  • Conducted gap analysis against all Part I requirements
  • Conducted gap analysis against all Part II requirements
  • Remediation plan with owner and deadline for each gap
  • All high-severity gaps remediated

6. Technical File [ ]

  • Product description written
  • Cybersecurity risk assessment completed
  • Security requirements traceability matrix completed
  • Penetration test report dated and version-specific
  • SBOM included (current version)
  • Version control applied to the technical file

7. Conformity Assessment [ ]

  • Conformity assessment module identified for each product
  • For Class II: notified body selected and engagement begun
  • Assessment scheduled with sufficient runway before December 2027

8. EU Declaration of Conformity and CE Marking [ ]

  • DoC template drafted with all nine Article 30 fields
  • Authorised signatory identified and trained
  • CE marking affixation process defined for product and packaging
  • 10-year retention process established

Priority Actions for 2026

If you are starting your CRA programme in 2026, focus first on the September 2026 Article 14 deadline — this requires:

  1. EUVD registration
  2. SBOM generation and vulnerability monitoring
  3. Internal escalation and reporting process

Once Article 14 is covered, work backward from December 2027 to plan the conformity assessment timeline.
