A 60-second check. No sign-up to see your result — get the risk class, your deadlines, and what to do next.
one desk: MiCA · DORA · CRA
Question 1 of 6
Do you sell, license, or distribute software or hardware to others?
CRA applies to products placed on the EU market — not to a firm that only runs internal systems.
Question 2 of 6
How is your product delivered? Select all that apply.
The dividing line is whether something is installed or shipped versus consumed purely as a website.
Question 3 of 6
Is your back-end required for a separate product to work?
Pure cloud services sit outside the CRA — unless they are the remote data-processing a shipped product depends on to function.
Question 4 of 6
Is the product free and open-source, outside any commercial activity?
Non-commercial open-source software is carved out. Monetised or commercially-supported open source is not.
Question 5 of 6
Is the product already covered by a sector law with its own cyber rules?
Medical devices (MDR), motor vehicles, aviation (EASA) and marine equipment have their own regimes and sit outside the CRA.
Question 6 of 6
Does the product perform a security or sensitive-access function?
e.g. a crypto wallet holding private keys, a password/identity manager, VPN, firewall, or authentication. This drives your CRA risk class.
We'll email this result plus the MiCA · DORA · CRA checklist for firms like yours. No register data leaves your browser.
Indicative scope guidance, not legal advice.
CleanDesk — compliance for smaller EU financial & crypto firms. CRA dates: vulnerability reporting from 11 Sep 2026; CE-marking from 11 Dec 2027.