Getting Started
GitHub Action edited this page Jul 24, 2025 · 2 revisions
This guide provides a structured approach to beginning your CRA compliance journey, regardless of your organization's size or current security maturity.
Answer these questions to determine if CRA applies to your products:
- Product characteristics:
  - Does your product have digital elements?
  - Is it connected to networks or other devices?
  - Do you place it on the EU market?
  - Is it intended for commercial use?
- Exemptions:
  - Is your product already covered by specific EU cybersecurity legislation?
  - Is it open-source software developed outside commercial activity?
  - Is it for R&D purposes only?
  - Is it a custom product for a single customer?
If you answered "Yes" to the product characteristics and "No" to the exemptions, CRA likely applies.
Lower-risk product examples:
- Most consumer IoT devices
- Basic software products
- Standard network equipment
- Simple connected devices
Higher-risk product examples:
- Critical infrastructure components
- Identity management systems
- Advanced cybersecurity products
- High-risk network equipment
📋 Use our detailed assessment tool for definitive classification.
Document your current security posture:
- Security Controls
  - Authentication mechanisms
  - Data encryption practices
  - Access control systems
  - Vulnerability management processes
- Development Practices
  - Secure coding standards
  - Security testing procedures
  - Code review processes
  - Third-party component management
- Operational Security
  - Incident response procedures
  - Security monitoring capabilities
  - Update and patch management
  - Security documentation
Gap analysis:
- Download our gap analysis template
- Compare current practices with CRA requirements
- Prioritize gaps by risk and implementation effort
- Estimate resources needed for remediation
Assessment and planning:
- Establish CRA compliance team
- Complete detailed applicability assessment
- Conduct comprehensive gap analysis
- Develop implementation budget and timeline
- Engage management support and resources
Implementation:
- Implement secure by design practices
- Establish vulnerability management program
- Create incident response procedures
- Develop security documentation framework
- Begin conformity assessment preparation
Conformity assessment:
- Complete technical documentation
- Prepare EU declaration of conformity
- Engage notified body (if Class II)
- Conduct final security testing
- Implement CE marking process
Market launch:
- Finalize all compliance documentation
- Train support and sales teams
- Establish ongoing compliance monitoring
- Prepare for market surveillance
- Launch compliant products
Compliance team roles:
- Compliance Manager: Overall program coordination
- Legal Counsel: Regulatory interpretation and risk
- Security Architect: Technical implementation
- Product Manager: Product integration and timeline
- Quality Assurance: Testing and documentation
- External Consultant: Specialized expertise (optional)
Budget considerations:
- Internal resources: Staff time and training
- External services: Legal, consulting, assessment
- Technology investments: Security tools and systems
- Compliance costs: Notified body fees, testing
- Ongoing costs: Monitoring, updates, maintenance
Immediate actions by area:
- Security Defaults
  - Review and strengthen default configurations
  - Disable unnecessary services and features
  - Implement secure authentication requirements
- Vulnerability Management
  - Establish vulnerability disclosure policy
  - Set up security contact information
  - Begin tracking and documenting vulnerabilities
- Documentation
  - Start security documentation repository
  - Document current security features
  - Create compliance tracking system
- Secure Development
  - Implement security code review process
  - Establish security testing procedures
  - Train development team on secure coding
- Incident Response
  - Create basic incident response plan
  - Establish incident reporting procedures
  - Set up security monitoring alerts
- Supply Chain Security
  - Inventory third-party components
  - Assess supplier security practices
  - Implement component vulnerability tracking
Templates and checklists:
- Compliance Checklist - Track your progress
- Gap Analysis Worksheet - Identify requirements gaps
- Implementation Plan Template - Structure your approach
Technical guides:
- Hardware Security Guide - Embedded systems compliance
- Software Security Standards - Development requirements
- Testing Frameworks - Security assessment methods
Industry guides:
- IoT Devices - Consumer product requirements
- Industrial Systems - OT/ICS compliance
- Software Products - Application security requirements
Training by role:
- Management: CRA overview and business impact
- Legal: Regulatory requirements and obligations
- Technical: Security implementation and testing
- Quality: Documentation and assessment procedures
- Sales/Marketing: Customer communication and positioning
Training resources:
- CRA Training Programs - Structured learning paths
- Industry conferences and workshops
- Professional certification programs
- Vendor-specific security training
Internal coordination:
- Establish clear escalation paths
- Create cross-functional working groups
- Regular progress reviews and updates
External support:
- Legal counsel for regulatory interpretation
- Security consultants for technical implementation
- Notified bodies for conformity assessment
- Industry associations for peer guidance
Community:
- GitHub Discussions - Ask questions and share experiences
- Latest News - Stay informed of regulatory updates
- Best Practices - Learn from implementation experiences
Progress metrics:
- Compliance readiness percentage
- Security control implementation status
- Documentation completion rate
- Team training completion
- Budget and timeline adherence
Key milestones:
- Applicability determination complete
- Gap analysis finalized
- Implementation plan approved
- Essential requirements implemented
- Documentation package complete
- Conformity assessment passed
- Market launch ready
Ready for the next step? Choose your path based on your primary focus:
- Technical Implementation → Technical Implementation Guide
- Legal Compliance → Legal Requirements
- Management Planning → Management Overview
- Industry-Specific → Select your industry from the Home page