Regulation (EU) 2024/2847 — Cyber Resilience Act

The Cyber Resilience Act, handled.

If you place a product with digital elements on the EU market, the CRA applies to you. Reglyze walks you through a plain-language conformity self-assessment and generates your Annex VII technical file and EU Declaration of Conformity. Most products self-certify under Module A.

Watch it work — from product to signed Declaration

A two-minute walkthrough: scope a product, run the plain-language self-assessment, and generate the Annex VII technical file and EU Declaration of Conformity.

11 Sept 2026 — vulnerability & incident reporting obligations apply
11 Dec 2027 — full application (conformity + CE marking)

From “does this apply?” to a signed Declaration

1 · Scope & classify

Four questions tell you whether the CRA applies, your Annex III/IV class, and your conformity route. Free, no account.

2 · Self-assess

Answer ~20 plain questions about your product. The assistant proposes a 0–3 maturity level for each essential requirement (Annex I), anchored on IEC 62443.

3 · Generate the dossier

Annex VII technical documentation and your EU Declaration of Conformity — assembled from your answers, SBOM-aware, in your language.

What you get

  • Annex VII technical documentation
  • EU Declaration of Conformity (gated until every requirement is met)
  • Annex I gap report with the open items to close
  • SBOM ingest (CycloneDX / SPDX) listed in the technical file

Substrate: IEC 62443-4-1 (secure development) and 62443-4-2 (component requirements). The CRA text is public EU law; the IEC references are paraphrased, never reproduced verbatim.

Cyber Resilience Act — frequently asked questions

Does the EU Cyber Resilience Act (CRA) apply to my product?

The CRA applies to any product with digital elements — hardware with software or firmware, and standalone software — made available on the EU market. If you place a connected device, an IoT product, or installable software on the EU market, you are in scope. Reglyze's free scope-checker confirms it in four questions.

When does the Cyber Resilience Act take effect?

Two dates matter: vulnerability and incident reporting obligations apply from 11 September 2026, and full conformity including CE marking is required from 11 December 2027. The CRA is Regulation (EU) 2024/2847.

What is Module A self-assessment under the CRA?

Module A is the conformity route where the manufacturer self-assesses the product against the essential requirements and issues its own EU Declaration of Conformity, with no notified body involved. About 90% of products — the 'default' class — qualify for Module A.

Do I need a notified body for the CRA?

Only for 'important' Class II and 'critical' products (CRA Annex III Class II and Annex IV). Default products and most 'important' Class I products can self-certify under Module A, particularly when harmonised standards are applied.

What is the Annex VII technical documentation?

Annex VII lists the technical documentation a manufacturer must compile and keep available for market-surveillance authorities: product description, risk assessment, evidence against the essential requirements, and the software bill of materials (SBOM). Reglyze assembles it from your self-assessment.

What is an EU Declaration of Conformity under the CRA?

It is the signed statement that your product meets the CRA's essential cybersecurity requirements. It is mandatory before CE marking and placing the product on the market. Reglyze issues it once every essential requirement is met.

Which products are 'important' or 'critical' under the CRA?

CRA Annex III lists 'important' products (Class I and II) such as password managers, VPNs, firewalls and operating systems; Annex IV lists 'critical' products such as smart-meter gateways and secure elements. Everything not listed is 'default' and self-certifies under Module A.

What are the penalties for CRA non-compliance?

Breaches of the essential cybersecurity requirements and core manufacturer obligations can be fined up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher, alongside possible market-withdrawal orders. Lower tiers apply to other infringements.

How is the CRA different from NIS2?

NIS2 governs the cybersecurity of organisations (essential and important entities); the CRA governs the cybersecurity of products with digital elements placed on the EU market. A manufacturer can be subject to both — NIS2 for how it operates, the CRA for what it ships.

Does the CRA cover software and open source?

Yes. Standalone software is a product with digital elements. Open-source software supplied in the course of a commercial activity is in scope, with lighter obligations for non-commercial open-source stewards. Standalone hosted SaaS is generally outside the CRA unless it is a remote-data-processing solution integral to a product.

Start with the free scope check

Four questions, no account — find out if you're in scope, your classification, and your conformity route.