SME Cyber Resilience Maturity Assessment (free tool)
The Maturity Assessment is a free, no-signup self-check for SMEs that make products with digital elements. It is based on the published SME Cyber Resilience Maturity Assessment Model and rates your current product security practice against the expectations of the EU Cyber Resilience Act (CRA). It is available at https://cvdportal.com/cra-maturity-assessment and is also listed under Free Tools (https://cvdportal.com/tools).
Who it is for
It is aimed primarily at manufacturers that place products with digital elements on the EU market, since those are directly subject to CRA requirements. Integrators, distributors and service providers in the product lifecycle can also use it to assess and improve their product security practices.
How it works
You answer 25 questions grouped into five domains:
- Governance and documentation
- Risk management, security-by-design and security-by-default
- Vulnerability and patch management
- Product lifecycle management
- Awareness, competence and skills
For each question you pick the description that best matches your current practice on a five-level maturity scale, from Level 1 (Initial) to Level 5 (Optimised).
How the score is calculated
- Each question is scored 1 to 5 based on the level you select.
- Each domain average is the mean of its five question scores.
- The overall score is the mean across all answered questions.
- Question scores of 1 or 2 are flagged as "needs work", 3 as "moderate" and 4 or 5 as "good".
- The overall score maps to a maturity band: Basic (1 to 2.5), Intermediate (2.6 to 3.9) or Advanced (4 to 5).
How CRA Portal helps
Each question shows whether the platform supports it. Questions the platform helps with carry a "Supported by CRA Portal" tag and the plan tier (Free, Reporting, Compliance or Enterprise). Questions that are organisational practice, such as staff training and competence, are marked as not covered by the platform.
In the results, a "How CRA Portal closes your gaps" table lists the questions where you scored below the level the platform is built to support, with a link to the relevant feature. The platform supplies the tooling and process, so the supported level is capped at Level 4. Level 5 is measurement and continuous improvement, which depends on how your organisation runs the tooling.
Results and improvement checklist
Once you start answering, the tool shows your overall score, maturity band, per-domain scores with a visual bar, a score distribution and your priority areas. Below the results it shows an improvement checklist tailored to your maturity band, with the actions to work on next. Domains scoring at or below 2.5 are marked Priority. Checklist items have tick boxes so you can track progress.
Is my data stored?
No. The assessment runs entirely in your browser. Your answers and checklist ticks are saved to your own browser's local storage so you can come back to them, and nothing is sent to or stored on CVD Portal's servers. Use Copy summary to copy a plain-text report to your clipboard, or Print / PDF to save or print your results. Reset clears everything.
Does completing it make my products CRA compliant?
No. This is an indicative maturity check to orient your improvement work. CRA conformity requires documented evidence: a per-product risk assessment, closure of the Annex I essential requirements, the Annex VII technical documentation, vulnerability handling, an EU Declaration of Conformity and CE marking. Set up a free portal to receive and track vulnerability reports, and use the Compliance workspace to build the self-assessment evidence.