How to Calculate Your CRA Compliance Readiness Score

Knowing whether your product is ready for the EU Cyber Resilience Act is not a binary question. Compliance involves multiple dimensions — SBOM quality, vulnerability handling, secure development practices, documentation, and monitoring. A readiness score gives you a single metric to track progress, identify gaps, and benchmark against where you need to be.

This guide explains how CRA readiness scoring works, what the five dimensions measure, and how to systematically improve your score before the compliance deadlines.

Why a Readiness Score Matters

CRA compliance is not a single checkbox. It spans dozens of individual requirements across Annex I of Regulation 2024/2847. Without a structured assessment, teams commonly overestimate their readiness in areas they have invested in and underestimate gaps in areas they have not.

A readiness score gives you:

• Visibility: a clear picture of where you stand today
• Priority: identification of which gaps to address first based on their impact on the overall score
• Progress tracking: a measurable way to show improvement over time
• Communication: a simple metric to report to leadership and stakeholders

The cra-scanner tool produces a score from 0 to 100. Here is how to interpret and improve it.

The Five Dimensions of CRA Readiness

Dimension 1: SBOM Quality (0-25 points)

Your Software Bill of Materials is the foundation of CRA compliance. This dimension evaluates:

• SBOM existence: does an SBOM file exist in CycloneDX or SPDX format?
• Component coverage: does it contain a reasonable number of components? An SBOM with zero or very few components suggests incomplete generation.
• Version completeness: do all components have version numbers? Versions are essential for vulnerability matching.
• Package URL (purl) coverage: do components include purls? These enable precise, ecosystem-aware vulnerability lookup.
• Format validity: does the SBOM parse correctly against the CycloneDX or SPDX schema?

How to improve: generate your SBOM from lock files or build artifacts using Syft or the CycloneDX CLI. Ensure all components have versions and purls. Automate SBOM generation in your CI/CD pipeline so it stays current.

Dimension 2: Vulnerability Handling Practices (0-20 points)

This dimension measures whether your project has the foundational practices for handling vulnerabilities, as required by Annex I Section 2:

• SECURITY.md: does your repository have a SECURITY.md file with a clear vulnerability reporting process?
• Security contact: is there a documented way for researchers to report vulnerabilities?
• Automated dependency updates: is Dependabot, Renovate, or a similar tool configured?
• Security documentation: does your project documentation include a security section?

How to improve: create a SECURITY.md file following our vulnerability disclosure policy guide. Enable Dependabot or Renovate on your repositories. Add a security section to your documentation.

Dimension 3: Vulnerability Exposure (0-25 points)

This dimension assesses your known vulnerability status — how many known vulnerabilities exist in your dependencies and how severe they are:

• Critical vulnerabilities: any critical-severity CVEs in your dependency tree result in significant point deduction
• High severity vulnerabilities: high-severity issues reduce the score proportionally
• CISA KEV matches: any dependency with an actively exploited vulnerability (per CISA KEV) results in the maximum deduction in this dimension and likely triggers ENISA reporting obligations
• Remediation age: how long known vulnerabilities have remained unpatched affects the score

How to improve: set up continuous vulnerability monitoring. Prioritize patching critical and high-severity vulnerabilities. Address CISA KEV matches immediately. Track your mean time to remediate.

Dimension 4: Secure Development Signals (0-15 points)

This dimension checks for indicators of secure development practices:

• CI/CD pipeline: does the project use automated build and test pipelines?
• Security testing: are there signs of SAST, DAST, or security-focused test suites?
• Code review process: is branch protection enabled? Are PRs required?
• Signed commits or releases: are releases cryptographically signed?

How to improve: integrate security scanning into your CI/CD pipeline. Enable branch protection rules. Implement code signing for releases. These practices demonstrate secure development to assessors during conformity assessment.

Dimension 5: Documentation and Compliance Signals (0-15 points)

This dimension evaluates the documentation and metadata that support CRA technical documentation requirements:

• License clarity: are licenses clearly declared for the project and its dependencies?
• Support period: is a support or maintenance policy documented?
• Changelog or release notes: do releases include security-relevant change descriptions?
• Contributing guidelines: is there a CONTRIBUTING.md or equivalent that includes security considerations?

How to improve: document your support period explicitly. Maintain a changelog that flags security fixes. Include security considerations in your contribution guidelines.

Interpreting Your Score

80-100: Strong CRA readiness. Your project has the essential infrastructure in place. Focus on maintaining and refining what you have built.

60-79: Good foundation with identifiable gaps. Review which dimensions are pulling your score down and prioritize those areas.

40-59: Partial readiness. Core elements exist but significant work remains. Start with SBOM quality and vulnerability handling — these have the highest impact on both your score and your actual compliance posture.

Below 40: Early stage. Significant work needed across multiple dimensions. Start with the basics: generate an SBOM, create a SECURITY.md, and enable automated dependency updates. See our CRA compliance checklist for a prioritized action plan.

Benchmarking

Where should your score be right now?

• April 2026 (today): aim for 50 or above. You should have an SBOM, a SECURITY.md, and basic vulnerability monitoring in place. The September 2026 ENISA reporting deadline is five months away.
• September 2026: aim for 70 or above. Vulnerability handling processes must be operational, including monitoring, triage, and ENISA reporting capability.
• December 2027: aim for 85 or above. Full compliance with all essential requirements, complete technical documentation, and CE marking applied.

Using cra-scanner for Assessment

The cra-scanner CLI tool automates readiness scoring. Install it from PyPI and run it against your project:

pip install cra-scanner

cra-scanner scan . --sbom path/to/bom.json

For JSON output that you can integrate into dashboards or CI/CD: cra-scanner scan . --format json --output report.json

To enforce a minimum score in CI: cra-scanner scan . --min-score 50

Run it on every pull request using the GitHub Action to track your score over time and prevent regressions.

Improving Your Score Systematically

Focus on the dimensions with the highest point potential and the largest current gap:

1. SBOM Quality (25 points): highest single-dimension weight. If you do not have an SBOM, generating one is the single highest-impact action you can take.
2. Vulnerability Exposure (25 points): patch critical and high-severity vulnerabilities. Set up monitoring against OSV.dev and CISA KEV.
3. Vulnerability Handling (20 points): create a SECURITY.md, enable automated dependency updates, and document your vulnerability handling process.
4. Secure Development (15 points): integrate security scanning into CI/CD, enable branch protection, and implement code signing.
5. Documentation (15 points): document your support period, maintain a changelog, and declare licenses clearly.

Each improvement compounds. A better SBOM enables better vulnerability monitoring, which improves your exposure score, which strengthens your documentation, which prepares you for conformity assessment.

For a full preparation timeline, see our CRA compliance checklist.

Complaro provides continuous CRA readiness tracking across all five dimensions, with actionable recommendations for improving your score. From SBOM management to ENISA reporting, Complaro helps you move from assessment to compliance. Get started free.