CRA-oriented evidence

SBOMFlow organizes release evidence around the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847). It helps you see and assemble the engineering evidence relevant to CRA-related obligations.

Important

SBOMFlow is not legal advice and makes no conformity claim. It records
the manufacturer's declared product class and reports evidence gaps; it does not
classify your product, decide conformity, or determine that any requirement is
met. Always confirm your obligations with qualified advisors and the official
sources below.

What SBOMFlow maps

  • Annex I (essential requirements): SBOMFlow reports which requirement areas have observed evidence and which have gaps, for the declared product class. A gap means that evidence was not observed, not that the requirement is unmet.
  • Annex VII (technical documentation): SBOMFlow can assemble supporting technical-documentation inputs into an evidence index. Completing and judging the documentation is a human task.
  • Article 14 (reporting): SBOMFlow can produce unsigned draft early-warning / notification / final-report documents for a human to review and file. SBOMFlow never submits them and never contacts a reporting platform.

Conformity assessment is out of scope

CRA conformity-assessment routes (self-assessment vs a notified body) depend on product classification and applicable harmonised standards. SBOMFlow records the class you declare and does not choose a route for you.

Official sources

Verify all dates and obligations against the primary sources:

Note

Regulatory timelines change. Treat any date you see in tooling as informational
and confirm against the European Commission and EUR-Lex before relying on it.