ENISA Secure by Design CRA Compliance Scorecard: SaaS Developer Self-Assessment 2026
Post #5/5 in the sota.io EU ENISA Secure by Design Series
This is the finale of the EU-ENISA-SECURE-BY-DESIGN-2026 series. Across four posts we covered the ENISA Secure by Design Playbook (CRA Annex I checklist), the Secure by Default hardening guide, the SDLC compliance framework, and the CVD programme guide.
Now we put it all together: a complete CRA self-assessment scorecard you can run in an afternoon. Print it, fill it out, hand it to your legal team or a notified body auditor. If you score GREEN in all seven domains, your SaaS product is audit-ready for CRA entry-into-application (August 2025 for critical categories, progressively until December 2027 for others).
Why a Scorecard?
CRA compliance is not binary. Products land on a spectrum from "informally secure" to "formally certified". The ENISA Secure by Design Playbook (v0.4, April 2026) defines 22 security properties across five categories. CRA Articles 12–14 add mandatory lifecycle, hardening, and CVD obligations. Annex I enumerates 15 essential requirements.
The problem: no single document maps all of these to concrete developer actions with a Go/No-Go verdict. This scorecard fills that gap. Seven domains, 60 checks, three outcomes per check: GREEN (compliant), AMBER (partial — remediation plan required), RED (non-compliant — must fix before CE marking).
How to Use This Scorecard
Time required: 2–4 hours for a team of 3 (product owner, lead engineer, security lead).
Scoring:
- GREEN = documented evidence exists, control is operational
- AMBER = control exists but documentation incomplete, or control partial
- RED = control missing or non-operational
Thresholds for CE marking readiness:
- All RED items resolved → mandatory
- AMBER items: remediation plan with timeline → acceptable for Type I (self-declaration)
- For critical products (Annex III/IV): external audit even if all GREEN
Domain 1: Secure Design & Architecture (CRA Annex I §1–4)
Covers threat modelling, attack surface reduction, principle of least privilege, and security-by-design documentation.
| # | Check | Evidence Required | Score |
|---|---|---|---|
| 1.1 | Threat model documented (STRIDE, PASTA, or equivalent) and reviewed ≥annually | Threat model document, review log | ⬜ |
| 1.2 | Attack surface documented: all external endpoints, APIs, SDKs, third-party integrations | Architecture diagram with trust boundaries | ⬜ |
| 1.3 | Principle of least privilege enforced for all service accounts, IAM roles, DB users | IAM policy exports, DB role definitions | ⬜ |
| 1.4 | Security requirements captured in product spec (not just code comments) | Product spec with security section | ⬜ |
| 1.5 | Data flow diagrams classify data sensitivity (PII, health, financial) | DFD with classification labels | ⬜ |
| 1.6 | Third-party component risk assessment exists (SBOM analysis, licence compliance) | SBOM + risk register | ⬜ |
| 1.7 | Cryptographic standards policy: approved algorithms, key lengths, prohibited algorithms list | Crypto policy document | ⬜ |
| 1.8 | Secure design review gates in product roadmap (not just at release) | Sprint/roadmap artefacts | ⬜ |
Domain 1 Score: ___/8 GREEN, ___/8 AMBER, ___/8 RED
Domain 2: Secure Development Lifecycle (CRA Art.13 + ENISA SDLC)
Covers secure coding standards, SAST/DAST integration, dependency management, and developer training.
| # | Check | Evidence Required | Score |
|---|---|---|---|
| 2.1 | Secure coding standards adopted (OWASP Top 10, language-specific guidelines) and enforced via code review | Standards doc + PR review policy | ⬜ |
| 2.2 | SAST tool runs on every PR/commit with findings triaged before merge | CI pipeline config + SAST scan history | ⬜ |
| 2.3 | DAST/API scanning runs on staging environment ≥weekly | DAST scan schedule + latest report | ⬜ |
| 2.4 | SCA (Software Composition Analysis) scans dependencies — CVSS ≥7.0 blocks merge | SCA tool config + policy doc | ⬜ |
| 2.5 | SBOM generated per release in SPDX or CycloneDX format | SBOM files in release artefacts | ⬜ |
| 2.6 | All developers complete secure coding training ≥annually | Training completion records | ⬜ |
| 2.7 | Secrets scanning enabled (no credentials in repos) | Secrets scan tool config + log | ⬜ |
| 2.8 | Container images built from minimal base, scanned for CVEs before deployment | Image scan report, Dockerfile review | ⬜ |
| 2.9 | Infrastructure-as-Code (IaC) scanned for misconfigurations (Checkov, tfsec, or equivalent) | IaC scan results | ⬜ |
| 2.10 | Penetration test conducted ≥annually by qualified party | Pentest report + remediation evidence | ⬜ |
Domain 2 Score: ___/10 GREEN, ___/10 AMBER, ___/10 RED
Domain 3: Secure by Default Configuration (CRA Art.12(2) + ENISA Hardening)
Covers default-off attack surface, credential hygiene, network hardening, and configuration validation.
| # | Check | Evidence Required | Score |
|---|---|---|---|
| 3.1 | No default passwords — first-run forces credential setup | Setup flow UI/UX test | ⬜ |
| 3.2 | Debug endpoints disabled in production builds | Build config, prod environment vars | ⬜ |
| 3.3 | All data encrypted in transit (TLS 1.2+) — HTTP redirects to HTTPS | TLS config, security headers check | ⬜ |
| 3.4 | All sensitive data encrypted at rest (AES-256 or equivalent) | DB encryption config, storage policy | ⬜ |
| 3.5 | Security headers enabled: HSTS, CSP, X-Frame-Options, X-Content-Type-Options | Headers audit (securityheaders.com) | ⬜ |
| 3.6 | Least-privilege API tokens — no "admin by default" API keys issued | API token policy, scope documentation | ⬜ |
| 3.7 | Unnecessary ports/services disabled — attack surface minimized | Network scan, firewall rules | ⬜ |
| 3.8 | MFA available (or enforced for privileged access) | Auth provider config | ⬜ |
| 3.9 | Rate limiting on authentication endpoints (brute-force protection) | Rate limit config + test evidence | ⬜ |
| 3.10 | Cookie attributes: Secure, HttpOnly, SameSite=Strict/Lax | Cookie audit, auth code review | ⬜ |
Domain 3 Score: ___/10 GREEN, ___/10 AMBER, ___/10 RED
Domain 4: Vulnerability Handling & CVD Programme (CRA Art.14 + ENISA CVD Guide)
Covers disclosure policy, internal handling process, patching SLAs, and customer notification.
| # | Check | Evidence Required | Score |
|---|---|---|---|
| 4.1 | CVD/VDP policy publicly reachable (security.txt or /security page) | URL + security.txt scan | ⬜ |
| 4.2 | security.txt present at /.well-known/security.txt with Contact, Policy, Expires fields | security.txt file | ⬜ |
| 4.3 | Dedicated security report intake (email alias, HackerOne, Intigriti, or equivalent) | Contact/platform config | ⬜ |
| 4.4 | Initial response to reporters ≤5 business days (CRA Art.14 requirement) | Process doc + SLA policy | ⬜ |
| 4.5 | CVSS severity-based patching SLA documented: Critical ≤24h, High ≤7d, Medium ≤30d | SLA policy document | ⬜ |
| 4.6 | Internal vulnerability tracking in dedicated system (Jira, Linear, GitHub Issues with security label) | Tracker config + process doc | ⬜ |
| 4.7 | Post-patch CVE advisory or release note published for each significant vulnerability | Release notes / advisory history | ⬜ |
| 4.8 | Coordinate with ENISA EUVD for CWE/CVE assignment when applicable | Process documented | ⬜ |
| 4.9 | Critical/High vulnerabilities reported to national CSIRT ≤24h (CRA Art.14(4)) | CSIRT contact, report template | ⬜ |
| 4.10 | Customer notification process for vulnerabilities affecting customer data | Notification procedure doc | ⬜ |
Domain 4 Score: ___/10 GREEN, ___/10 AMBER, ___/10 RED
Domain 5: Security Maintenance & Updates (CRA Annex I §10–12)
Covers patch delivery, EOL policy, update integrity, and long-term maintainability.
| # | Check | Evidence Required | Score |
|---|---|---|---|
| 5.1 | Security updates delivered without undue delay — release process documented | Release playbook | ⬜ |
| 5.2 | End-of-life (EOL) policy published: minimum support period, migration path | EOL policy document | ⬜ |
| 5.3 | Update integrity guaranteed: signed releases, checksum verification | Signing key, verification docs | ⬜ |
| 5.4 | Automatic update mechanism available (or clearly documented update path) | Update mechanism documentation | ⬜ |
| 5.5 | Legacy dependency tracking: EOL libraries flagged in SCA, replacement roadmap | SCA EOL report, roadmap entries | ⬜ |
| 5.6 | Rollback mechanism for failed updates (no data loss, service restoration SLA) | Rollback runbook | ⬜ |
| 5.7 | Change log maintained covering security-relevant changes | CHANGELOG.md or equivalent | ⬜ |
| 5.8 | Dependency audit after major upstream vulnerability (supply chain awareness) | Process doc + example audit | ⬜ |
Domain 5 Score: ___/8 GREEN, ___/8 AMBER, ___/8 RED
Domain 6: Incident Response & Recovery (CRA Annex I §13–15)
Covers incident detection, containment, recovery, and post-mortem processes.
| # | Check | Evidence Required | Score |
|---|---|---|---|
| 6.1 | Incident response plan documented with roles, contact tree, and escalation paths | IRP document | ⬜ |
| 6.2 | Centralised logging with ≥90-day retention (all auth events, admin actions, API calls) | Log config, retention policy | ⬜ |
| 6.3 | Security alerting configured: failed logins, privilege escalation, anomalous API patterns | Alert config + runbook | ⬜ |
| 6.4 | RTO/RPO defined per service tier — backups tested ≥quarterly | Business continuity doc, backup test log | ⬜ |
| 6.5 | GDPR Art.33 72-hour breach notification process documented | Breach notification runbook | ⬜ |
| 6.6 | Post-incident review (PIR) conducted after every P1/P2 security incident | PIR template + example PIR | ⬜ |
| 6.7 | Forensic preservation: logs protected from tampering, audit trail immutable | Log integrity config | ⬜ |
Domain 6 Score: ___/7 GREEN, ___/7 AMBER, ___/7 RED
Domain 7: Documentation & Conformity (CRA Annex I + Conformity Assessment)
Covers technical documentation, Declaration of Conformity, and CE marking readiness.
| # | Check | Evidence Required | Score |
|---|---|---|---|
| 7.1 | Technical documentation prepared per CRA Annex VII (or equivalent for Type I) | Technical file draft | ⬜ |
| 7.2 | Security properties documented: what the product does and does not protect against | Security assumptions document | ⬜ |
| 7.3 | Declaration of Conformity (DoC) drafted (for Type I self-declaration) | DoC draft | ⬜ |
| 7.4 | EU-authorised representative identified (if manufacturer outside EU) | Representative contract | ⬜ |
| 7.5 | Notified body engaged (for Annex III critical products) | NB engagement letter | ⬜ |
| 7.6 | Compliance roadmap with milestones mapped to CRA transition dates | Roadmap document | ⬜ |
| 7.7 | Security contact in technical documentation and on product website | Contact info published | ⬜ |
Domain 7 Score: ___/7 GREEN, ___/7 AMBER, ___/7 RED
Overall Scorecard Summary
| Domain | Total Checks | GREEN | AMBER | RED |
|---|---|---|---|---|
| 1. Secure Design & Architecture | 8 | |||
| 2. Secure Development Lifecycle | 10 | |||
| 3. Secure by Default Configuration | 10 | |||
| 4. Vulnerability Handling & CVD | 10 | |||
| 5. Security Maintenance & Updates | 8 | |||
| 6. Incident Response & Recovery | 7 | |||
| 7. Documentation & Conformity | 7 | |||
| TOTAL | 60 |
CRA Readiness Bands
🟢 CE-Ready (50–60 GREEN, 0 RED) You have documented, operational controls across all domains. For Type I products (self-declaration), prepare your Declaration of Conformity and technical file. For Annex III products, engage a notified body with this scorecard as the pre-audit evidence package.
🟡 Remediation Required (35–49 GREEN, 0 RED) You have a solid foundation but documentation gaps or partial controls remain. Focus AMBER items into a 60-day remediation sprint. Prioritise Domains 4 (CVD) and 3 (Secure by Default) — these are the most frequently cited gaps in ENISA audit guidance.
🔴 Foundation Work Needed (<35 GREEN or any RED) You need structured remediation before attempting CE marking. Start with Domain 3 (quick wins: security headers, TLS, no default passwords) and Domain 4 (CVD: security.txt + intake process). These two domains together have 20 checks and can typically be brought to GREEN in 2–4 weeks.
60-Day CRA Readiness Sprint
For teams in the 🔴 or 🟡 bands, this sprint sequence delivers the highest impact per week:
Weeks 1–2: Quick Wins (Domains 3 + 4)
- Enable security headers (1 day)
- Add security.txt (2 hours)
- Create security report intake alias (1 day)
- Document patching SLA (half day)
- Enable SAST in CI pipeline (2 days)
Weeks 3–4: Process Documentation (Domains 2 + 6)
- Write secure coding standards (3 days)
- Document incident response plan (2 days)
- Configure centralised logging (3 days)
- Set up backup testing schedule (1 day)
Weeks 5–6: Architecture & Lifecycle (Domains 1 + 5)
- Conduct threat modelling workshop (2 days)
- Generate SBOM for current release (1 day)
- Write EOL policy (1 day)
- Audit dependencies for EOL libraries (1 day)
Weeks 7–8: Documentation & Conformity (Domain 7)
- Draft technical documentation outline
- Identify notified body (if Annex III)
- Draft Declaration of Conformity
- Final scorecard re-run → target all GREEN/AMBER
CRA Transition Timeline
Understanding when your obligations kick in prevents last-minute scramble:
| Date | Milestone |
|---|---|
| 2024-12-10 | CRA entered into force |
| 2026-06-11 | Notified bodies accreditation deadline (Art.35(3)) |
| 2026-09-11 | Market surveillance authority obligations apply |
| 2027-03-11 | Full CRA applies to all products (including software as a product) |
| 2027-12-11 | Enhanced obligations for Annex III/IV critical products |
Key insight for SaaS: If your software is embedded in hardware products, or if you provide software components to hardware manufacturers, you may be in scope from March 2027. Cloud services that are purely subscription-based (SaaS-only delivery) fall under NIS2 incident reporting obligations but are currently outside CRA's direct scope — however, components you ship as downloadable agents, CLI tools, or SDKs are in scope.
The ENISA Secure by Design Series: What We Covered
This series translated five ENISA guidance documents into actionable developer checklists:
-
Playbook & Annex I Checklist — 22 ENISA security properties mapped to 49 CRA Annex I checks. The foundation.
-
Secure by Default Hardening Guide — CRA Art.12(2) operationalised: configuration management, credentials, network hardening, and the three-layer default security model.
-
SDLC Compliance Framework — CRA Art.13 as a living lifecycle obligation: SAST/DAST/SCA integration, SBOM generation, developer training cadences, and the 90-day compliance calendar.
-
CVD Programme Guide — CRA Art.14 in practice: VDP launch in 14 days, EUVD coordination, national CSIRT reporting table, and the 24h/72h/5-day cascade.
-
This scorecard — 60 checks across 7 domains. The complete self-assessment instrument.
Deploying on EU Infrastructure
CRA compliance is about your software. But where you run it matters for the surrounding NIS2 and GDPR obligations that intersect with CRA:
- NIS2 Art.21 security measures require "appropriate and proportionate technical measures" — documented controls that map directly to this scorecard.
- GDPR Art.25 data protection by design is satisfied by Domains 1, 3, and 6 of this scorecard.
- CLOUD Act exposure is eliminated when you run on EU-native infrastructure (Hetzner, Scaleway, OVHcloud) with no US-parent data processor in the chain.
sota.io is an EU-native managed PaaS — GDPR-100%, no US parent, no CLOUD Act exposure — that lets you deploy any language on Hetzner Germany. The platform handles the infrastructure layer of your CRA compliance story; this scorecard handles the software layer.
Summary
The CRA Compliance Scorecard gives you a structured, evidence-based picture of where your SaaS product stands before an audit. Sixty checks, seven domains, three traffic lights. Fill it out quarterly. Treat AMBER items as sprint tickets. Resolve all RED items before CE marking.
CRA is not a one-time certification exercise — it is an ongoing secure development culture. The ENISA Secure by Design Playbook makes that culture explicit. This scorecard makes it measurable.
Your next step: download this scorecard, assign domains to your engineering team, and schedule a 2-hour assessment session before July 2026.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.