1) Scope & Basic understanding
1. Do you manufacture products with digital elements with/without remote data processing?
2. Are you aware the CRA sets horizontal cybersecurity requirements for such products in the EU?
3. Have you confirmed your product is in scope (or identified any applicable exclusions)?
4. Have you determined whether your product is in any of the categories: default, “important” or “critical” under CRA?
2) Risk-management & lifecycle
5. Do you run a formal cybersecurity risk assessment covering the whole lifecycle, from design through maintenance, and update it regularly?
6. Have you mapped the applicable Essential Cybersecurity Requirements (ESRs) of the CRA to your product security measures and your risk assessment?
7. Do you have a secure development lifecycle implemented?
8. Is your product meeting all Essential Cybersecurity Requirements (ESRs)?
3) Vulnerability handling & updates
9. Do you have a documented vulnerability-handling policy/process for the full lifecycle?
10. Can you provide security updates (free of charge) during the support period?
11. Do you support automatic or user-approved delivery of security updates (where feasible)?
12. Do you notify users when the product is approaching end-of-support?
4) Support period & maintenance
13. Have you defined a product support period aligned to expected lifetime of use?
14. Is the support period at least 5 years (unless expected lifetime is shorter)?
15. If expected lifetime > 5 years, have you planned extended support accordingly?
5) Documentation, conformity & CE marking
16. Do you maintain technical documentation showing how ESRs are met?
17. Will the product bear CE marking indicating conformity when applicable?
18. Has the required conformity assessment (internal or third-party) been completed?
19. Do you provide users with user instructions and information covering secure use, update process, support period, and secure decommissioning?
6) Supply chain & third-party components
20. Do you perform due diligence on third-party components (conformity, vulnerability history, availability of updates)?
21. Do you keep an SBOM with top-level dependencies of integrated software components?
22. For FOSS components, do you have a process to track and remediate vulnerabilities?
7) Incident reporting & transparency
23. Have you established a single point of contact for vulnerability/incident reports?
24. Are you prepared to notify the relevant CSIRT/designated coordinator/ENISA for actively exploited vulnerabilities or severe incidents?
25. Do you clearly inform users about support period, update policy, and reporting channel?
26. Do you have a process to comply with the reporting obligations and timelines established in Article 14?