Conformity, evidence, and review routes
Cyber Resilience Act certification
Many teams ask for Cyber Resilience Act certification, but the practical path depends on product category and risk. For some products, internal control and self-assessment may be possible. For important or critical categories, additional conformity assessment steps may apply.
What to do with this information
- Start with product classification. Certification language is not useful until you know the product category.
- Build technical documentation early: security requirements, architecture, SBOM, vulnerability handling, update policy, and test evidence.
- Map the conformity route before launch. Important and critical products may need more formal assessment steps.
- Prepare an EU Declaration of Conformity draft, but keep it tied to current product version and evidence.
How CertCore uses it
CertCore helps teams decide what route they appear to be on, collect evidence, and export a review-ready conformity pack for legal, audit, or notified-body conversations.
Official and technical references
Questions teams ask
Is there a single CRA certificate?
Not generally. The obligation is about conformity with the regulation, supported by the right assessment route and evidence.
Can CertCore issue certification?
No. CertCore is software for readiness evidence and workflow management; it does not act as a notified body or legal authority.
What plan should a publisher choose?
The Studio plan fits most teams managing several software products and needing SBOM API access.