CRA-oriented evidence
SBOMFlow organizes release evidence around the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847). It helps you see and assemble the engineering evidence relevant to CRA-related obligations.
Important
SBOMFlow is not legal advice and makes no conformity claim. It records
the manufacturer's declared product class and reports evidence gaps; it does not
classify your product, decide conformity, or determine that any requirement is
met. Always confirm your obligations with qualified advisors and the official
sources below.
What SBOMFlow maps
- Annex I (essential requirements): SBOMFlow reports which requirement areas have observed evidence and which have gaps, for the declared product class. A gap means that evidence was not observed, not that a requirement is unmet.
- Annex VII (technical documentation): SBOMFlow can assemble supporting technical-documentation inputs into an evidence index. Completing and judging the documentation is a human task.
- Article 14 (reporting): SBOMFlow can produce unsigned draft early-warning / notification / final-report documents for a human to review and file. SBOMFlow never submits them and never contacts a reporting platform.
Conformity assessment is out of scope
CRA conformity-assessment routes (self-assessment vs a notified body) depend on product classification and applicable harmonised standards. SBOMFlow records the class you declare and does not choose a route for you.
Official sources
Verify all dates and obligations against the primary sources:
- European Commission — Cyber Resilience Act
- European Commission — CRA reporting obligations
- European Commission — CRA conformity assessment
- EUR-Lex — Regulation (EU) 2024/2847
Note
Regulatory timelines change. Treat any date you see in tooling as informational
and confirm against the European Commission and EUR-Lex before relying on it.