Framework

Cyber Resilience Act (Regulation 2024/2847)

EU-wide baseline for products with digital elements. 44 controls across product security, vulnerability handling, and documentation.

Owner: Compliance Team
Last reviewed: 2026-04-14

Scope in OneComply

  • /dashboard/cra/product-security — product register, classification (default / important / critical), SBOM upload.
  • /dashboard/cra/vulnerability-management — CVE register with NVD lookup and exploitability tagging.
  • /dashboard/cra/technical-documentation — Annex VII readiness and evidence-package checks.
  • /dashboard/cra/cvd-policy — Coordinated Vulnerability Disclosure policy and security.txt.
  • /dashboard/cra/reporting — ENISA Art. 14 24h / 72h / 14-day single reporting platform.

Typical Workflow

  1. Register each product with digital elements; classify per EU 2025/2392.
  2. Upload a CycloneDX 1.5+ or SPDX 2.3+ SBOM; OneComply validates format and freshness (90-day staleness warning).
  3. Load the CRA control library; record evidence against the essential requirements (Annex I).
  4. Maintain the vulnerability register; use the built-in NVD lookup for CVE metadata.
  5. Generate an Annex VII evidence bundle only when mandatory artifacts are complete.
  6. Publish the CVD policy and /.well-known/security.txt.
  7. When an actively exploited vulnerability is discovered, trigger the ENISA Art. 14 single-report flow.
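As an added illustration of the format and freshness checks in step 2 (example code written for this page, not OneComply's own validator): it accepts CycloneDX 1.5+ or SPDX 2.3+ JSON and flags a creation timestamp older than 90 days. Field names follow the CycloneDX and SPDX JSON schemas; the two sample documents are constructed.

```python
from datetime import datetime, timedelta, timezone

STALENESS_DAYS = 90  # freshness threshold stated in step 2 above

def _parse_ts(value):
    """Parse an ISO 8601 / RFC 3339 timestamp; naive values are taken as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def _version(text):
    """'1.5' or '2.3.1' -> (1, 5) / (2, 3); anything unparsable -> (0, 0)."""
    try:
        major, minor = text.split(".")[:2]
        return int(major), int(minor)
    except (ValueError, AttributeError):
        return (0, 0)

def check_sbom(doc, now):
    """Return (accepted, findings) for a parsed SBOM dict; `now` is an ISO string."""
    findings, created = [], None
    if doc.get("bomFormat") == "CycloneDX":
        v = _version(str(doc.get("specVersion", "")))
        if v < (1, 5):
            findings.append(f"CycloneDX specVersion {v[0]}.{v[1]} is below 1.5")
        created = doc.get("metadata", {}).get("timestamp")
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        v = _version(doc["spdxVersion"][len("SPDX-"):])
        if v < (2, 3):
            findings.append(f"spdxVersion {v[0]}.{v[1]} is below 2.3")
        created = doc.get("creationInfo", {}).get("created")
    else:
        return False, ["unrecognised SBOM: expected CycloneDX or SPDX JSON"]
    if not created:
        findings.append("no creation timestamp, freshness cannot be assessed")
    else:
        age = _parse_ts(now) - _parse_ts(created)
        if age > timedelta(days=STALENESS_DAYS):
            findings.append(f"SBOM is {age.days} days old (warn after {STALENESS_DAYS})")
    return not findings, findings

# Constructed sample documents for the demo (not real product SBOMs).
CDX_OLD = {"bomFormat": "CycloneDX", "specVersion": "1.4",
           "metadata": {"timestamp": "2025-12-01T10:00:00Z"}}
SPDX_FRESH = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
              "creationInfo": {"created": "2026-04-10T09:30:00Z"}}

if __name__ == "__main__":
    for name, doc in (("cdx-old", CDX_OLD), ("spdx-fresh", SPDX_FRESH)):
        ok, findings = check_sbom(doc, "2026-04-14T00:00:00Z")
        print(name, "ACCEPT" if ok else "REJECT", findings)
```

Running this against a real SBOM is a pre-upload sanity check only; the authoritative validation is the one performed in the product-security dashboard.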

Standards Referenced

  • CycloneDX 1.5 / SPDX 2.3 (SBOM formats).
  • RFC 9116 (security.txt).
  • ISO/IEC 29147 (vulnerability disclosure).
  • EU Implementing Regulation 2025/2392 (product classification).