Plain-English operating reference
Cyber Resilience Act wiki
This wiki-style page gives product, security, and engineering teams a practical operating reference for the Cyber Resilience Act. It is not a substitute for the official regulation, but it helps teams decide what to read and what evidence to prepare.
What to do with this information
- Product with digital elements: a software or hardware product with digital functionality, including components that can affect cybersecurity.
- Manufacturer: the party placing the product on the EU market under its name or trademark.
- SBOM: a machine-readable software bill of materials that helps track dependencies and vulnerabilities.
- CVE tracking: continuous monitoring of known vulnerabilities affecting components in the SBOM.
- Article 14: the vulnerability reporting workflow, with strict notification timing and evidence requirements.
- EU Declaration of Conformity: a formal declaration that the product meets applicable requirements.
How CertCore uses it
CertCore turns these wiki terms into live workflow states: in scope, category, SBOM complete, CVEs triaged, report clock open, declaration ready, and calendar clean.
Questions teams ask
Is this the official wiki?
No. It is a practical reference page. Use the official EUR-Lex text and Commission pages for authoritative material.
Who should own CRA readiness?
Usually product security, engineering, product management, and legal need a shared process.
What is the easiest evidence win?
Generate an SBOM and connect it to vulnerability tracking for each releasable product version.