CRA quiz compliance 2 • Projekt.dk

Quiz published APR 12, 2026

24 questions with four options - select the correct one.

1.

Which product category is explicitly included in the scope of the CRA?

Standalone cloud-based software that has no local device interaction.

Any motor vehicle governed by the Type Approval Regulation (EU) 2018/858.

Any hardware or software product that allows for a logical data connection.

Medical devices that are already regulated under Regulation (EU) 2017/745.

2.

What defines a "substantial modification"?

Releasing a standard security patch to fix a known critical software bug.

Updating the visual branding of the physical product or user interface.

Moving the product hosting from one cloud provider to another similar one.

A change that affects compliance with the essential security requirements.

3.

How long is the mandatory support period for updates?

A fixed period of exactly five years from the date of market placement.

The duration of the standard two-year consumer legal guarantee period.

The expected product lifetime, taking into account user expectations.

For the entire duration that the manufacturer remains a legal entity.

4.

What is the deadline for an "early warning" of an exploited vulnerability?

Within 72 hours of the manufacturer identifying the risk of an exploit.

Within 24 hours of becoming aware of an actively exploited vulnerability.

Without undue delay and in any event within 48 hours of detection.

Within 12 hours of the first recorded attempt at a network breach.

1 out of 6

5.

Where must the Software Bill of Materials (SBOM) be maintained?

On a public website for general consumer access and security auditing.

Inside a secure database that is managed and audited directly by ENISA.

As part of the technical documentation for market surveillance purposes.

In a printed document that is included in the physical product packaging.

6.

When must a manufacturer submit a vulnerability notification with general information?

Within 72 hours of becoming aware of the actively exploited vulnerability.

No later than 48 hours after the vulnerability has been patched for users.

Simultaneously with the early warning to provide authorities with context.

Within seven days of the incident, provided the risk has been mitigated.

7.

Who manages the Single Reporting Platform for vulnerability notifications?

The national data protection authority of the manufacturer's home state.

The European Data Protection Board in collaboration with local police.

The European Commission’s Directorate-General for Communications and Technology.

ENISA, the European Union Agency for Cybersecurity, manages the platform.

8.

What is an importer's primary verification duty?

Ensuring the manufacturer has affixed the CE mark to the product.

Redesigning default security policies to meet specific local preferences.

Conducting independent penetration testing on all incoming product code.

Notify the market surveillance authorities, what products are being imported.

2 out of 6

9.

How long must the EU declaration of conformity be retained?

For the duration of the active support period provided to the users.

Until the specific product model is no longer sold in the Union.

For ten years after the product has been placed on the market.

For twenty-five years from the date the initial design was finalized.

10.

Which assessment applies to "unclassified" (default) products?

A third-party audit performed by a designated EU Notified Body.

The manufacturer’s self-assessment through an internal control process.

A full quality assurance audit by an external specialized audit firm.

A mandatory source code review conducted by the European Commission.

11.

Which product is classified as "Important" Class I?

Identity management systems and browsers for general consumer use.

Smart lighting systems designed for private domestic user environments.

Basic fitness trackers that only monitor steps and heart rate data.

Industrial firewalls designed to protect the core of a power plant.

12.

Which product is classified as "Important" Class II?

A basic smart home thermostat that controls a single heating zone.

Standalone calculator software that does not connect to the internet.

Operating systems that are used exclusively on consumer mobile devices.

Firewalls and intrusion detection/prevention systems.

3 out of 6

4 out of 6

5 out of 6

6 out of 6