CRA Scorecard

Assess your product’s likely CRA relevance and cybersecurity readiness

This scorecard provides an initial indication of how the Cyber Resilience Act (CRA) may apply to your product. Identify potential scope, key cybersecurity considerations, and whether further expert assessment may be required.

September 2026: Reporting obligations apply to products already on the EU market

168

days until
reporting obligations

624

days until
full CRA enforcement

Compliance Score & RadarINTERACTIVE

Your readiness across 8 CRA domains — spider diagram, RAG status per domain, and sector benchmarking to see where you stand.

Financial Impact AnalysisPERSONALISED

Compliance investment estimate vs. cost of inaction — fines, EU market access risk, and ROI calculation.

Project Roadmap & TimelineACTIONABLE

Phased Gantt chart with NMi-led and client-led workstreams, resource estimates, and milestone tracking.

Downloadable Report & Next StepsTAKE-AWAY

Full assessment report with gap-to-service mapping, document checklist, and direct NMi engagement pathway.

Who is this for?

Any manufacturer placing products with digital elements on the EU market — from embedded firmware in industrial sensors to cloud-connected consumer devices. If your product has software, firmware, or connectivity, the CRA almost certainly applies.

Case Reference

“The CRA Scorecard showed us that IT security and product security are fundamentally different disciplines. We thought we were covered — we weren’t.”

— Head of Engineering, NMi client (2025)

European Industrial IoT Manufacturer • Initial score: 31% → Structured remediation plan within 12 weeks

Takes approximately 5 minutes to complete

Does the Cyber Resilience Act apply to your product?

CRA Scorecard

September 2026: Reporting obligations apply to products already on the EU market