EU Cyber Resilience Act · In force

Find out if your product is in scope for the CRA.

Answer a few questions about your product and get a free, indicative EU Cyber Resilience Act classification — emailed to you within the hour.

Free~5 minutesNo account required

Know your CRA class

See whether your product is Default, Important (I/II) or Critical, and the conformity route that follows.

Grounded in the regulation

Mapped to the category definitions of Implementing Regulation (EU) 2025/2392 — not guesswork.

Free, no strings

No account, no payment, no sales call. Just answer the questionnaire.

PDF in your inbox

A clear, shareable assessment lands in your email within the hour.

How it works

Three steps to clarity

1

Tell us about your product

Name, version, connectivity, category and a little context — about five minutes.

2

Optionally add documents

A datasheet or manual sharpens the result, but the form alone is enough.

3

Get your assessment by email

We generate an indicative CRA classification PDF and send it to you within the hour.

Why start here

A head start on the CRA, in minutes

~5 min
to complete
€0
free, no account
2027
compliance deadline — start now

Built by Nord CS GmbH. Based on Regulation (EU) 2024/2847 (Cyber Resilience Act) and Implementing Regulation (EU) 2025/2392.

FAQ

EU Cyber Resilience Act, in plain terms

What is the EU Cyber Resilience Act (CRA)?
The Cyber Resilience Act (Regulation (EU) 2024/2847) is an EU law setting mandatory cybersecurity requirements for products with digital elements — any hardware or software that can connect to a device or network — placed on the EU market. It entered into force in December 2024, with most obligations applying from 11 December 2027.
Which products are in scope of the CRA?
Almost any product with digital elements sold in the EU: connected hardware, embedded software, standalone software and their remote data-processing solutions. Narrow exceptions apply to products already covered by sectoral rules such as medical devices, motor vehicles and aviation, and to certain non-commercial open-source software.
What are the CRA product classes?
The CRA sorts products into four risk tiers: Default (the majority, eligible for self-assessment), Important class I and Important class II (listed in Annex III), and Critical (Annex IV). Higher tiers require stricter conformity assessment, up to mandatory third-party assessment for critical products.
When do I need to comply with the CRA?
The main obligations apply from 11 December 2027. Vulnerability and incident reporting obligations start earlier, from 11 September 2026. Products placed on the EU market from those dates must meet the applicable requirements.
How is my CRA class determined?
It depends on the product’s function and cybersecurity risk — for example whether it performs a security function, processes sensitive data, or could give access to other devices. The important and critical categories are defined in Annex III and IV of the CRA and detailed in Implementing Regulation (EU) 2025/2392.
Is this CRA assessment free and legally binding?
The assessment is free, with no account, payment or sales call. It provides an indicative classification to help you understand your likely obligations. It is not legal advice — a binding classification requires a formal conformity assessment.
Free CRA classifier

Get your assessment

Answer a few questions about your product and get a free, indicative CRA classification emailed to you within the hour.

AITIGRITY

This tool provides an indicative CRA classification only — not legal advice and not a formal conformity assessment.

Reg (EU) 2024/2847 · Impl. Reg (EU) 2025/2392 · © Nord CS GmbH