Z-CMS Feature Guide

CRA Gap Analysis, Automated.
Know Your Gaps, Fix Them Today.

Cyber Resilience Act compliance deadline: 11 December 2027

Many manufacturers don't yet know where their gaps are for the Cyber Resilience Act. The later gaps are identified, the costlier they are to address. Z-CMS changes that: a guided, intelligent gap analysis covering every obligation under Article 13 and Annex II — with real-time results.

8 min read | CRA Gap Analysis | Updated January 2026

[Figure: Z-CMS CRA Gap Analysis Dashboard (Live Dashboard) — real-time compliance scores across Cyber Resilience Act requirements]

What Does a CRA Gap Analysis Actually Involve?

A gap analysis — sometimes called a gap assessment — is a well-established practice in cybersecurity compliance. Before investing in remediation, manufacturers evaluate where their product, processes, and documentation currently stand against a given standard or regulation, and identify what work remains. It is typically the first step of any compliance programme.

Applying this to the Cyber Resilience Act is less straightforward than it sounds. The CRA is a brand new regulation, and no single established methodology yet exists for assessing compliance against it. Zealience has developed its own approach by interpreting the official CRA text alongside the draft horizontal standards — prEN 40000-1-3 (vulnerability handling) and prEN 40000-1-4 (product security) — as they become available through CEN/CENELEC. For the product security layer, we also draw heavily on the EN 18031 series of standards, since roughly two-thirds of prEN 40000-1-4's requirements are built on EN 18031. More on that in the next section.

The result is a structured, expert-guided gap analysis built into Z-CMS — covering your product's security properties, your organisation's vulnerability handling processes, and the documentation you must provide to users. Each area maps directly to the CRA's mandatory obligations under Article 13 and Annex II.

Two-Thirds of the CRA's Product Requirements Come From EN 18031. Here's Why That Matters.

If you're already working toward EN 18031 compliance for the Radio Equipment Directive, you have a meaningful head start on the CRA — and here's why that matters more than you might think.

Angelo D'Amato, founder of Vulnir and the expert leading the standardization of EN 40000-1-4 (the CRA's horizontal product standard) at CEN/CENELEC, has presented a detailed mapping between EN 18031 and the upcoming CRA standard. The conclusion: roughly two-thirds of the product requirements in prEN 40000-1-4 are drawn directly from the EN 18031 series. If you've done the EN 18031 work, a large portion of your CRA product compliance groundwork is already laid.

But the CRA doesn't stop at product security. It adds two further obligations that EN 18031 doesn't cover: a rigorous set of vulnerability handling processes — involving stakeholders well beyond the engineering team — and specific information and instructions you must provide to your users. These aren't optional additions. They are mandatory, and for most organisations, they represent genuinely new work.

So: EN 18031 compliance is valuable and relevant. But on its own, it isn't enough. The CRA requires more, and understanding exactly how much more is the starting point for any serious compliance effort.

Not doing EN 18031 yet? You're not behind, and we are here to help. Z-CMS guides you through the process, regardless of your starting point.

The Three Pillars Z-CMS Covers

Z-CMS structures its CRA gap analysis around the three most critical obligations manufacturers face under Article 13 of the CRA. Together, they span your product, your internal processes, and your user-facing documentation.

01 Product Security Requirements

Products must be designed and produced in accordance with Annex I, Part I of the CRA. Z-CMS covers this through the full EN 18031 series questionnaire plus a supplementary questionnaire for the delta requirements in prEN 40000-1-4.

Standards: EN 18031-1 / -2 / -3, prEN 40000-1-4

02 Vulnerability Handling Requirements

The CRA mandates comprehensive processes for handling vulnerabilities throughout a product's lifetime. prEN 40000-1-3 defines 59 mandatory requirements across six phases, touching teams from PSIRT to Legal to Customer Support.

Standards: prEN 40000-1-3

03 Information & Instructions to the User

CRA Annex II lists 14 obligations on what documentation you must provide to users — from security configuration guidance to end-of-support communication.

Standards: CRA Annex II

Pillar 1 in depth: Product Security

Because two-thirds of prEN 40000-1-4 is built on EN 18031, Z-CMS's existing EN 18031 questionnaire does a substantial portion of the heavy lifting. Since our founding in 2024, Zealience has developed a unique Intelligent Q&A methodology within Z-CMS, praised by leading manufacturers and Notified Bodies worldwide for its quality, depth, and the speed with which it captures compliance information.

For the remaining new requirements in prEN 40000-1-4, the standard is still maturing — at this stage, only titles and brief descriptions are published. Z-CMS draws on Dr. Guillaume Dupont's 10+ years of IoT cybersecurity and compliance experience, along with his deep knowledge of comparable standards such as ETSI EN 303 645 and IEC 62443-4-2, to make well-grounded expert assessments of what those requirements will entail.

Pillar 2 in depth: Vulnerability Handling

Vulnerability handling under the CRA is not just an engineering problem. prEN 40000-1-3 structures its 59 mandatory requirements across six phases — and the stakeholders involved span the entire organisation. Think CISO, PSIRTs, Product Management, Customer Support, Legal & Compliance, and PR — they all have a role.

[PRE] Preparation
[RCP] Receipt
[VRF] Verification
[RMD] Remediation
[RLS] Release
[PRA] Post-Release

Z-CMS walks you through each phase with targeted questions so your organisation can assess its current process maturity clearly.

Deep dive: CRA vulnerability handling requirements under EN 40000-1-3

How It Actually Works: Intelligent Q&A, Not a Spreadsheet

The CRA gap analysis in Z-CMS uses the same Intelligent Q&A methodology that has made Z-CMS the tool of choice for EN 18031 compliance among manufacturers and Notified Bodies worldwide.

Rather than handing you a static checklist, Z-CMS asks you questions about your product, your processes, and your documentation — and the questions adapt dynamically based on your answers. The system handles more than one million combinations of inputs, capturing the nuance of real products in the real world. The complexity of the standards stays under the hood; you just answer questions.

Your journey through Z-CMS

Step 1: Answer the EN 18031 questionnaire

Intelligent Q&A adapts dynamically to your product type and previous answers — covering EN 18031-1, -2, and -3.

Step 2: Complete the prEN 40000-1-4 supplement

Answer additional questions covering the new CRA-specific product requirements not present in EN 18031.

Step 3: Answer the vulnerability handling questionnaire

Work through six phase-specific Q&As based on prEN 40000-1-3 to assess your organisation's process maturity across all mandatory requirements.

Step 4: Review your Information & Instructions (I&I) obligations

A dedicated questionnaire checks each of the 14 CRA Annex II documentation requirements.

At any time: access your live gap analysis dashboard

Real-time scores for every requirement — across all three pillars — with an exportable PDF report.

Each requirement is scored in real time with one of four results:

Ready: You meet this requirement
Not Needed: Doesn't apply to your product
Gap: A gap that needs addressing
Inconclusive: More information needed

Outcome: Comprehensive Gap Analysis Report

By the end of the gap analysis, you have a comprehensive, structured picture of your CRA readiness across all three pillars — product security, vulnerability handling, and user documentation. You gain deep insights into where your current practices align with the draft standards, where significant work remains, and where your processes are already heading in the right direction. This kind of extensive, structured analysis would otherwise require months of specialist consulting work.

For Engineers

Actionable, requirement-level compliance gaps they can start remediating today. Z-CMS's rich guidance educates engineers on the CRA and cybersecurity.

For Product Owners

A clear view of product compliance, applicable requirements, and what needs to change before market in one view.

For C-Level Leaders

A comprehensive picture of where your organisation stands — with deep insights into what needs to change and time to act on it before 11 December 2027.

Built on a Foundation That Already Works

Since our founding in 2024, Zealience has built Z-CMS on one core belief: cybersecurity compliance shouldn't require a team of specialists to interpret. Engineers should be able to complete compliance work independently — and Z-CMS makes that possible. Our EN 18031 workflow has already earned recognition from leading manufacturers and Notified Bodies for the quality of its analysis, the speed of implementation, and the cost savings it delivers compared to traditional approaches.

The CRA gap analysis extends that same philosophy — and the same battle-tested infrastructure — to the compliance challenge that now sits on every connected-product manufacturer's roadmap. Read about our customers' experiences on our success stories page.

Standards covered

EN 18031-1, EN 18031-2, EN 18031-3, prEN 40000-1-4, prEN 40000-1-3, CRA Annex II

Two deadlines to know: Manufacturers must comply with Article 14 (incident and vulnerability reporting) alone by 11 September 2026. Full CRA compliance — including Article 13 — is required by 11 December 2027. That's closer than it sounds if significant product, process, or documentation changes are needed.

Frequently Asked Questions: CRA Gap Analysis

Q What is a CRA gap analysis?

A gap analysis is an established cybersecurity compliance practice: you evaluate where your product, processes, and documentation currently stand against a given regulation or standard, and identify what work is needed to close the gaps. Applying this to the Cyber Resilience Act is new territory — the CRA is a brand new regulation with draft standards still being finalised. Zealience has developed its own methodology for a CRA gap analysis by interpreting the official CRA text and the draft standards prEN 40000-1-3 and prEN 40000-1-4, and built it directly into Z-CMS.

Q Which standards are used for a CRA gap analysis?

A comprehensive CRA gap analysis draws on EN 18031-1, EN 18031-2, and EN 18031-3 for product security requirements (as roughly two-thirds of the CRA product standard prEN 40000-1-4 is based on EN 18031), the draft standard prEN 40000-1-4 for remaining product requirements, prEN 40000-1-3 for vulnerability handling process requirements, and CRA Annex II for information and instructions to the user obligations.

Q What is the difference between a CRA gap analysis and CRA gap assessment?

The terms are used interchangeably. Both refer to the same process: assessing your current state against CRA requirements to identify what work remains. Some organisations prefer "gap assessment" to emphasise a more formal, structured evaluation, while "gap analysis" is the more commonly used term in practice.

Q When do manufacturers need to comply with the Cyber Resilience Act?

Manufacturers must comply with Article 14 of the CRA (incident and actively exploited vulnerability reporting) by 11 September 2026. Full CRA compliance — including Article 13 covering product security, vulnerability handling processes, and user documentation — is required by 11 December 2027.

Q Does EN 18031 compliance count toward CRA compliance?

Substantially, yes. According to Angelo D'Amato, the expert leading the CRA's horizontal standards prEN 40000-1-3 and prEN 40000-1-4 at CEN/CENELEC, roughly two-thirds of prEN 40000-1-4's product requirements are drawn directly from the EN 18031 series. If your product already meets EN 18031-1, -2, and -3, a significant portion of your CRA product security requirements are already addressed. However, the CRA additionally mandates vulnerability handling processes (prEN 40000-1-3) and specific user documentation (Annex II), which EN 18031 does not cover.

Q How does Z-CMS automate the CRA gap analysis?

Z-CMS uses an Intelligent Q&A system that dynamically adapts its questions based on your previous answers and product type. It guides manufacturers through all relevant requirements across EN 18031, prEN 40000-1-4, prEN 40000-1-3, and CRA Annex II, capturing product and process information across more than one million possible input combinations. Based on your answers, Z-CMS produces real-time compliance scores for each requirement — Ready, Not Needed, Gap, or Inconclusive — along with an exportable report.

Q How do you ensure that the data we input in Z-CMS is secure?

Your compliance data — product specifications, known vulnerabilities, software dependencies — is highly sensitive. Z-CMS is designed so that this data never leaves your environment. Unlike SaaS platforms or AI-driven tools that upload data to external servers, Z-CMS is deployed either fully air-gapped on your own infrastructure or within your own private cloud. Zealience has zero access to your data: no cloud sync, no AI training, no external processing. Your existing security controls — firewalls, identity management, network segmentation, monitoring — remain fully enforceable.

Q What does a CRA gap analysis cover that a product security assessment does not?

A CRA-specific gap analysis goes beyond product security. In addition to assessing whether the product itself meets the essential cybersecurity requirements, it evaluates your organisation's vulnerability handling processes (covering all six phases defined in prEN 40000-1-3 — from preparation through post-release), and checks that your user-facing documentation satisfies all 14 obligations in CRA Annex II. Many conventional product security assessments only cover the product layer. The vulnerability handling layer alone requires manufacturers to prepare 7 types of documents — including a Vulnerability Handling Policy, a CVD Policy, an SBOM, and a Security Advisory. We cover all of them in detail, with free templates, in our dedicated article.

Find Out Where Your Gaps Are — Before It's Too Late to Fix Them

The best time to assess your CRA readiness is now, while you still have time to act. Z-CMS gives you a comprehensive, accurate gap analysis in a fraction of the time and cost of a traditional consulting engagement.

Article 14 deadline: 11 September 2026 (incident & vulnerability reporting obligations)

Full CRA deadline: 11 December 2027 (complete compliance including Article 13)

See Z-CMS's CRA Gap Analysis in action

We're happy to walk you through the full feature in a live demo.