ENISA Launches CRA Cybersecurity Maturity Assessment Tool to Help Companies Understand Their Product Cybersecurity Readiness
The European Union Agency for Cybersecurity (ENISA) has released the SME Cyber Resilience Maturity Assessment Model, together with an Excel-based self-assessment tool designed to help companies understand their current level of product cybersecurity maturity and their readiness for the EU Cyber Resilience Act (CRA).
As the key obligations under the CRA gradually become applicable, manufacturers need to consider more than the security functions built into their products. Companies must also review their vulnerability management, security update processes, product lifecycle support, and technical documentation.
The CRA Is Already in Force, and the First Reporting Obligations Are Approaching
The CRA entered into force on 10 December 2024. The provisions concerning conformity assessment bodies have applied since 11 June 2026, while manufacturers’ reporting obligations for actively exploited vulnerabilities and severe security incidents will apply from 11 September 2026.
The main cybersecurity obligations for products with digital elements will become fully applicable on 11 December 2027.
This means that the time available for companies to prepare is becoming increasingly limited.
CRA preparation often involves multiple departments and business processes, including product development, cybersecurity risk assessment, vulnerability handling, software updates, technical documentation, and supply-chain management. These activities cannot usually be completed shortly before the regulation becomes fully applicable.
Companies should therefore begin by asking:
How prepared are we today, and which areas should we improve first?
What Does the ENISA Self-Assessment Tool Cover?
The ENISA assessment tool is primarily designed for micro, small, and medium-sized enterprises. Through a structured set of questions, it helps companies assess five key areas:
- Governance and documentation
- Risk management and security by design
- Vulnerability and patch management
- Product lifecycle management
- Cybersecurity awareness, competence, and skills
After completing the assessment, companies can identify whether their current maturity level is Basic, Intermediate, or Advanced and determine which cybersecurity management areas may require further improvement.
The purpose of the tool is not simply to provide a score. It helps companies identify gaps between their existing processes and the direction of CRA preparedness, providing a practical starting point for future improvement planning.
Why Should Companies Start Assessing Their Readiness Now?
There is limited time remaining before the CRA vulnerability and incident reporting obligations become applicable.
Companies that have not yet established a clear vulnerability reporting channel, incident evaluation criteria, internal escalation procedures, or responsible contact points may find it difficult to respond effectively when a cybersecurity issue occurs.
Before the main CRA obligations become fully applicable in 2027, companies may also need to prepare or strengthen:
- Product cybersecurity risk assessments
- Security by Design and Security by Default practices
- Vulnerability handling and security update processes
- Product support periods and lifecycle planning
- CRA technical documentation and conformity information
- Supply-chain and third-party component management
The earlier a company completes its self-assessment, the sooner it can identify gaps and prioritise improvements based on risk, resources, and business needs.
The One Lab Launches an Online Assessment Based on the Official ENISA Excel Tool
To make the assessment process faster and more intuitive, The One Lab has developed an online CRA cybersecurity maturity assessment based on the official ENISA Excel tool.
The online version is based on the same assessment questions, evaluation areas, and scoring logic used in the official ENISA Excel assessment. Users do not need to download an Excel file, switch between multiple worksheets, or organise the scoring results manually.
Instead, companies can complete the assessment directly through a web browser and review their results in a clearer and more accessible format.
The same ENISA assessment content, now available through a simpler and faster online experience.
Through the online self-assessment, companies can gain an initial understanding of:
- Their overall CRA cybersecurity maturity
- Their readiness across the five assessment areas
- Gaps in their current cybersecurity processes
- Areas that should be prioritised for further improvement
Understand Your Readiness Before the CRA Obligations Apply
CRA preparation is not limited to a single product test or technical document. It involves continuous activities throughout product design, development, maintenance, vulnerability handling, and lifecycle support.
Companies do not need to wait until every requirement is fully applicable before taking action. They can begin now by using The One Lab’s online self-assessment tool to understand their current cybersecurity maturity and identify the areas that require immediate attention.
Start Your CRA Cybersecurity Maturity Self-Assessment
Complete the assessment online based on the official ENISA Excel tool, without downloading files or calculating results manually.
Important Notice
This tool is intended for internal self-assessment, readiness analysis, and initial gap identification.
A maturity result of Basic, Intermediate, or Advanced does not mean that a product has completed a formal CRA conformity assessment. The result does not constitute certification, a CE marking decision, or legal proof of compliance.
The actual requirements applicable to a product may depend on its intended purpose, functions, classification, risk level, and applicable conformity assessment procedure.
The One Lab will continue to monitor CRA implementation, ENISA guidance, harmonised standards, and related conformity assessment requirements. Further regulatory and technical updates will be shared as new information becomes available.
References
ENISA – SME Cyber Resilience Maturity Assessment Model
https://www.enisa.europa.eu/publications/sme-cyber-resilience-maturity-assessment-model
European Commission – Cyber Resilience Act
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
Not Sure Where to Start?
Request a free initial consultation or product assessment.
Our experts are here to help.
