EU Device Compliance Quiz
Answer 6 yes/no questions and instantly see your EU device compliance readiness score. Covers CE marking, Cyber Resilience Act (CRA), and the key security controls required for EU market entry.
Last updated: April 2026
This calculator is designed for real-world usage based on typical engineering scenarios and publicly available documentation.
The EU device compliance quiz helps hardware manufacturers, IoT engineers, and product managers quickly assess whether a connected device meets the core requirements of EU regulations — including the Cyber Resilience Act (CRA), Radio Equipment Directive (RED), and CE marking obligations — before committing to costly conformity assessments.

The EU Cyber Resilience Act entered into force on 11 December 2024 and sets mandatory cybersecurity requirements for all products with digital elements sold in the European Union. It applies to any manufacturer targeting EU consumers, regardless of where the company is headquartered. Non-compliance risks fines of up to €15 million or 2.5% of global annual turnover, plus market withdrawal orders.

This quiz evaluates six core control areas that regulators and notified bodies consistently examine: CE marking status, vulnerability disclosure policy, software bill of materials (SBOM), patch timeliness, encrypted communications, and a documented secure development lifecycle. The scoring model is deliberately binary — each control either exists or it does not — reflecting how auditors assess initial compliance readiness.

Use the quiz result to identify which gaps to close before formal conformity assessment. A score below 50% signals that foundational work is needed. A score above 83% suggests the device is well-positioned for a smooth conformity assessment process.
How the EU Device Compliance Quiz Scores Your Device
1. Answer each of the 6 yes/no questions covering the core EU compliance control areas.
2. Each question maps to a specific EU regulation: CE Marking/RED, CRA Article 13, CRA Article 13(3), or CRA Annex I.
3. Your score is calculated as (number of "Yes" answers ÷ 6) × 100.
4. A score of 84%+ signals High Readiness; 50–83% indicates Partial Readiness with addressable gaps.
5. Review the regulation reference shown under each question to identify which EU law mandates that control.
6. Use the result to prioritise remediation before submitting your device for formal conformity assessment.
Formula
Compliance Score = (Controls Passed / Total Controls) × 100

Controls assessed (6 total, each weighted equally):
  CE Marking — required for EU market access (all device categories)
  Vulnerability Policy — CRA Article 13: public vulnerability disclosure process
  SBOM — CRA Article 13(3): software component inventory
  Patch Timeliness — CRA Annex I: critical CVEs patched within 24 hours
  Encrypted Comms — CRA Annex I: security-by-design, data in transit
  Secure SDLC — CRA Article 13: documented development security process

Score Tiers:
  ≥ 84% (5–6 controls) → High Readiness
  50–83% (3–4 controls) → Partial Readiness — gaps to address
  < 50% (0–2 controls) → Low Readiness — remediation required before EU market entry
Example EU Device Compliance Quiz Results
Example 1 — Well-prepared IoT manufacturer (6 / 6)
CE Marking: Yes → required for EU market ✓
Vulnerability Policy: Yes → CRA Art. 13 satisfied ✓
SBOM: Yes → CRA Art. 13(3) satisfied ✓
Patch Timeliness: Yes → CRA Annex I satisfied ✓
Encrypted Comms: Yes → CRA Annex I satisfied ✓
Secure SDLC: Yes → CRA Art. 13 satisfied ✓
──────────────────────────────────────────
Score: (6 / 6) × 100 = 100% → High Readiness
Example 2 — Mid-tier device maker with SBOM and patching gaps (4 / 6)
CE Marking: Yes ✓
Vulnerability Policy: Yes ✓
SBOM: No ← gap (CRA Art. 13(3))
Patch Timeliness: No ← gap (CRA Annex I)
Encrypted Comms: Yes ✓
Secure SDLC: Yes ✓
──────────────────────────────────────────
Score: (4 / 6) × 100 = 67% → Partial Readiness
Priority actions: implement SBOM generation in CI/CD and formalise 24-hour patch SLA
Example 3 — Entry-level connected device, non-compliant (2 / 6)
CE Marking: Yes ✓
Vulnerability Policy: No ← gap (CRA Art. 13)
SBOM: No ← gap (CRA Art. 13(3))
Patch Timeliness: No ← gap (CRA Annex I)
Encrypted Comms: No ← gap (CRA Annex I)
Secure SDLC: Yes ✓
──────────────────────────────────────────
Score: (2 / 6) × 100 = 33% → Low Readiness
4 critical gaps must be closed before EU market entry; formal assessment will fail
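The scoring model and the example results above, as an added sketch that is not the quiz's own code; the control keys and the `assess` function name are assumptions. It tiers on the number of controls passed, because 5 of 6 is 83.3%, which falls between the stated percentage bands, and it returns each gap with its regulation reference.

```python
# Added example; control keys and function name are illustrative assumptions.
CONTROLS = {  # control -> regulation reference, as listed in the Formula section
    "ce_marking": "CE Marking/RED",
    "vulnerability_policy": "CRA Art. 13",
    "sbom": "CRA Art. 13(3)",
    "patch_timeliness": "CRA Annex I",
    "encrypted_comms": "CRA Annex I",
    "secure_sdlc": "CRA Art. 13",
}


def assess(answers):
    """Score yes/no answers; return (score_percent, tier, gaps)."""
    if set(answers) != set(CONTROLS):
        # An unanswered control is not a "No": refuse to score a partial quiz.
        raise ValueError("answer exactly these controls: " + ", ".join(CONTROLS))
    if not all(isinstance(v, bool) for v in answers.values()):
        raise ValueError("answers must be True or False")

    gaps = [(name, ref) for name, ref in CONTROLS.items() if not answers[name]]
    passed = len(CONTROLS) - len(gaps)
    score = round(passed / len(CONTROLS) * 100)

    # Tier on the control count: 5 of 6 is 83.3%, between the percentage bands.
    if passed >= 5:
        tier = "High Readiness"
    elif passed >= 3:
        tier = "Partial Readiness"
    else:
        tier = "Low Readiness"
    return score, tier, gaps


if __name__ == "__main__":
    # Example 2 from the page: SBOM and patch timeliness answered "No".
    example_2 = {**dict.fromkeys(CONTROLS, True),
                 "sbom": False, "patch_timeliness": False}
    print(assess(example_2))
```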
Tips to Pass the EU Device Compliance Quiz
- Start with CE marking — without it, your device cannot legally enter the EU market regardless of your CRA readiness score.
- Draft your vulnerability disclosure policy before starting conformity assessment — regulators treat its absence as a critical blocker. A public security.txt file and a dedicated security@ inbox are a minimal viable starting point.
- Generate your SBOM during the build process using tools like CycloneDX (https://cyclonedx.org) or SPDX so the inventory stays current with every firmware release automatically.
- Set your patch release SLA to 24 hours for critical CVEs — document this SLA in your vulnerability response policy so auditors can verify it. Use the Vulnerability Response Time Calculator (/calculators/vulnerability-response-time-calculator) to model your response window.
- Mandate TLS 1.2+ for all device-to-cloud and device-to-app communications — plaintext protocols are a direct CRA Annex I violation and one of the most common audit failures.
- Document your SDLC in a Security Development Process policy; a concise one-page document referencing threat modelling, code review, and penetration testing cadences is sufficient to satisfy CRA Article 13.
Notes
- Results are estimates and may vary based on actual usage.
- Always validate against your production environment.