CRA Compliance Score Calculator
Score your product's EU Cyber Resilience Act compliance across five mandatory domains in under a minute. Built for software vendors, manufacturers, and security leads preparing for CRA enforcement.
Last updated: April 2026
This calculator is designed for real-world usage based on typical engineering scenarios and publicly available documentation.
The CRA compliance score calculator helps you quantify where your product stands against the EU Cyber Resilience Act's five essential cybersecurity domains. The CRA (Regulation (EU) 2024/2847) applies to all manufacturers placing products with digital elements on the EU market, with obligations covering design, vulnerability management, documentation, patching, and incident reporting. Assessing compliance manually across these domains is time-consuming. This calculator uses a structured 0–4 maturity scale per domain — the same tiered model used in ISO 27001 gap analyses and NIST CSF assessments — to produce a single percentage score and a plain-language compliance tier. Software vendors shipping SaaS-adjacent hardware, IoT device makers, industrial control system suppliers, and enterprise software companies all fall within CRA scope. Use this tool early in your compliance programme to identify the weakest domains and prioritise remediation effort before audit. The CRA distinguishes "important" and "critical" products, which face third-party conformity assessment, from default class products, for which self-assessment is permitted. Either way, a documented gap analysis — which this score supports — is a requirement, not optional.
How to Calculate Your CRA Compliance Score
1. Rate your product's Secure by Design posture (0–4): covers threat modelling, minimal attack surface, and security testing in the SDL.
2. Rate Vulnerability Handling (0–4): covers CVE tracking, coordinated disclosure policy, and remediation SLAs.
3. Rate Documentation & SBOM (0–4): covers technical documentation, CE declaration, and a published Software Bill of Materials.
4. Rate Update & Patch Policy (0–4): covers the update delivery mechanism, patch signing, and support lifetime commitment.
5. Rate Incident Reporting (0–4): covers your ability to report actively exploited vulnerabilities to ENISA within 24 hours as required by Article 14.
6. The calculator sums all five domain scores, divides by 20, and multiplies by 100 to produce a 0–100% score with a compliance tier.
Formula
CRA Score = (D1 + D2 + D3 + D4 + D5) / 20 × 100

D1 — Secure by Design (0–4)
D2 — Vulnerability Handling (0–4)
D3 — Documentation & SBOM (0–4)
D4 — Update & Patch Policy (0–4)
D5 — Incident Reporting (0–4)

Tier thresholds:
90–100% → Fully Compliant
70–89% → Substantially Compliant
40–69% → Partially Compliant
0–39% → Non-Compliant
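The formula and tier table above, implemented as a small scoring function. This is an added example, not code from the calculator itself: it validates each domain rating, applies the tier thresholds, ranks the weakest domains (the ones the page says to remediate first), and reports how many domain points separate you from the next tier. The three worked examples on this page are embedded as input so the results can be checked against them.

```python
import math

# Domains and scale as defined on this page: five domains, each rated 0-4.
DOMAINS = (
    "Secure by Design",
    "Vulnerability Handling",
    "Documentation & SBOM",
    "Update & Patch Policy",
    "Incident Reporting",
)
MAX_PER_DOMAIN = 4
MAX_TOTAL = MAX_PER_DOMAIN * len(DOMAINS)  # 20

# Tier thresholds from the page: (lower bound in %, label), checked top-down.
TIERS = (
    (90, "Fully Compliant"),
    (70, "Substantially Compliant"),
    (40, "Partially Compliant"),
    (0, "Non-Compliant"),
)


def cra_score(ratings):
    """Return total, percent, tier, weakest domains and points needed for the next tier."""
    for name in DOMAINS:
        value = ratings.get(name)
        if not isinstance(value, int) or not 0 <= value <= MAX_PER_DOMAIN:
            raise ValueError(f"{name}: rating must be an integer 0-{MAX_PER_DOMAIN}, got {value!r}")
    total = sum(ratings[name] for name in DOMAINS)
    percent = total * 100 / MAX_TOTAL  # integer numerator keeps e.g. 35.0 exact
    tier = next(label for bound, label in TIERS if percent >= bound)
    # Lowest-rated domains first: the page's advice is to remediate these before audit.
    weakest = sorted(DOMAINS, key=lambda n: (ratings[n], DOMAINS.index(n)))
    # Domain points still needed to cross into the next tier (0 when already top tier).
    higher = [bound for bound, _ in TIERS if bound > percent]
    points_to_next = math.ceil(min(higher) * MAX_TOTAL / 100) - total if higher else 0
    return {"total": total, "percent": percent, "tier": tier,
            "weakest": weakest, "points_to_next_tier": points_to_next}


# The three worked examples from this page, as input dictionaries.
EXAMPLE_1 = dict(zip(DOMAINS, (4, 4, 3, 4, 3)))  # mature IoT firmware vendor
EXAMPLE_2 = dict(zip(DOMAINS, (2, 1, 1, 2, 1)))  # early-stage hardware startup
EXAMPLE_3 = dict(zip(DOMAINS, (3, 3, 2, 3, 2)))  # mid-market ICS supplier

if __name__ == "__main__":
    for label, ratings in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)):
        r = cra_score(ratings)
        print(f"{label}: {r['total']}/{MAX_TOTAL} = {r['percent']:.0f}% -> {r['tier']}; "
              f"weakest: {r['weakest'][0]}; +{r['points_to_next_tier']} point(s) to next tier")
```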
Example CRA Compliance Score Calculations
Example 1 — Mature IoT firmware vendor (high compliance)
Secure by Design: 4 / 4 (threat model in SDL, pentest every release)
Vulnerability Handling: 4 / 4 (CVE programme, 30-day patch SLA)
Documentation & SBOM: 3 / 4 (SBOM published, CE docs in progress)
Update & Patch Policy: 4 / 4 (OTA signed updates, 10-year support)
Incident Reporting: 3 / 4 (ENISA process drafted, not yet tested)
─────────────────────────────────────────────
Total: (4+4+3+4+3) / 20 × 100 = 18/20 × 100 = 90% → Fully Compliant

Example 2 — Early-stage SaaS-connected hardware startup
Secure by Design: 2 / 4 (basic SAST, no threat model)
Vulnerability Handling: 1 / 4 (ad-hoc, no public disclosure policy)
Documentation & SBOM: 1 / 4 (minimal docs, no SBOM)
Update & Patch Policy: 2 / 4 (manual OTA, support period undefined)
Incident Reporting: 1 / 4 (no formal process)
─────────────────────────────────────────────
Total: (2+1+1+2+1) / 20 × 100 = 7/20 × 100 = 35% → Non-Compliant

Example 3 — Mid-market industrial control system supplier
Secure by Design: 3 / 4 (threat model exists, DAST planned)
Vulnerability Handling: 3 / 4 (VDP live, 90-day SLA)
Documentation & SBOM: 2 / 4 (internal SBOM only)
Update & Patch Policy: 3 / 4 (signed patches, 5-year support)
Incident Reporting: 2 / 4 (internal runbook, no ENISA test)
─────────────────────────────────────────────
Total: (3+3+2+3+2) / 20 × 100 = 13/20 × 100 = 65% → Partially Compliant

Tips to Improve Your CRA Compliance Score
- Start with SBOM generation — it unblocks both the Documentation and Vulnerability Handling domains simultaneously. Tools like Syft or Trivy can produce a CycloneDX SBOM from your container images in minutes.
- Publish a Vulnerability Disclosure Policy (VDP) at security.txt before anything else. It costs nothing, scores you at least a 1 in Vulnerability Handling, and signals good faith to regulators.
- Map your existing ISO 27001 or SOC 2 controls to CRA requirements. Most mature vendors are 60–70% of the way there without knowing it — a gap analysis often reveals fewer gaps than feared.
- Prioritise the Incident Reporting domain early. The CRA requires reporting actively exploited vulnerabilities to ENISA within 24 hours (Article 14). Running a tabletop exercise is low-cost and moves you from 1 to 3 quickly.
- Commit to a defined end-of-life support period in your product documentation. The CRA requires manufacturers to specify and honour a minimum support lifetime — a written policy alone moves Update & Patch Policy from 1 to 2.
- For "important" class products, engage a notified body early. Third-party audit timelines in Europe are long — starting 12 months before your target enforcement date is not too early.
Notes
- Results are estimates and may vary based on actual usage.
- Always validate against your production environment.