The CRA Readiness Checklist
The EU Cyber Resilience Act has two enforcement dates: Article 14 reporting from September 11, 2026, and full applicability from December 11, 2027. This is the working list of what your team has to ship for each.
20 items across five themes. Filter by deadline, track progress, and share a link that keeps your filters and checks. Read the long-form analysis for the context behind each theme.
Free checklist. PDF download requires email.
Pick a deadline
Filter the checklist to show what is required by Sept 11, 2026 or by Dec 11, 2027.
Work the five themes
Scoping, vulnerability handling, Article 14 reporting, SBOM, and conformity.
Share with leadership
The share link preserves your selected deadline, category, and checked items.
Deadline phases
The filter is cumulative. The later deadline view includes everything from the earlier one.
Scoping and accountability (4 items)
Vulnerability handling (4 items)
Reporting readiness (4 items)
SBOM and dependency hygiene (4 items)
Conformity and customer-facing duties (4 items)
How Konvu helps
Article 14 is an evidence problem. Konvu produces the evidence.
CRA codifies what AppSec teams already know. Detection is solved. The gap is what you do with what you find. Article 14 asks whether a vulnerability is actively exploited in your product, on a 24-hour clock. Konvu sits on top of your existing scanners (Snyk, Black Duck, Checkmarx) and turns each finding into a defensible exploitability decision with a code-level evidence trail, ready to drop into a CSIRT notification.
Defensible exploitability
Code-level evidence per finding. The "actively exploited" call has a trail.
No scanner change
Konvu plugs in alongside your existing stack. No rip-and-replace.
Auditable verdict
Every decision lands back in Jira or the scanner with the reasoning attached.
Konvu does not generate SBOMs, run your conformity assessment, replace your scanners, or write your CVD policy. For the scope of what Konvu covers end-to-end, see the compliance solution page.
FAQ
When does the CRA come into effect?
The CRA entered into force on December 10, 2024. Article 14 reporting obligations apply from September 11, 2026. Essential cybersecurity requirements, conformity assessment, and CE marking obligations apply from December 11, 2027.
Who does the CRA apply to?
Manufacturers, importers, and distributors of products with digital elements placed on the EU market. This covers hardware, software, firmware, and anything that connects to a network or processes digital data. SaaS-only services are generally covered separately under NIS2.
What are the penalties for CRA non-compliance?
Up to €15 million or 2.5% of worldwide annual turnover for breaches of essential requirements and Article 14 reporting. Lesser breaches cap at €10 million or 2% of turnover. Microenterprises and small enterprises cannot be fined for missing the 24-hour reporting deadline, though the obligation still applies.
Is open source software covered by the CRA?
Maintainers of unpaid open-source projects are largely out of scope. "Open-source software stewards" (legal entities providing sustained support) carry lighter obligations and no penalties. Commercial distributors of open-source components are treated as manufacturers.
How are the deadline phases used to filter the checklist?
The phase filter is cumulative. Selecting "Sept 11, 2026" shows only the items you need in place before Article 14 reporting kicks in. Selecting "Dec 11, 2027" shows every item, including the work tied to full applicability.