CRA Compliance Glossary
Essential terminology for understanding the EU Cyber Resilience Act, software supply chain security standards, and compliance requirements.
A
Annex VII
CRA Annex VII specifies the minimum content of the EU Declaration of Conformity that manufacturers must draw up for products with digital elements. Includes product identification, manufacturer details, standards applied, and the signature of an authorised representative.
Article 13 - Obligations of Manufacturers
CRA Article 13 sets out the core manufacturer obligations: security by design, SBOM maintenance, vulnerability handling, providing security updates throughout the product lifecycle, and maintaining technical documentation for at least 10 years.
Article 14 - Reporting Obligations
CRA Article 14 requires manufacturers to report actively exploited vulnerabilities to ENISA within 24 hours (early warning), 72 hours (detailed report), and 14 days (final report). Severe incidents follow the same pattern but with a 30-day final report deadline.
Authorised representative - Article 18
Under Article 18(1) of Regulation (EU) 2024/2847 (the EU Cyber Resilience Act), a manufacturer may, by written mandate, appoint an EU-established legal or natural person as authorised representative. Appointment is optional under the CRA, unlike MDR Article 11 or RED Article 5, which require an authorised representative for non-EU manufacturers. Under Article 18(3), the authorised representative keeps the EU Declaration of Conformity and the technical documentation at the disposal of market surveillance authorities for at least 10 years (or the support period, whichever is longer), provides information on reasoned request, and cooperates on actions taken to eliminate risks. Article 18(2) excludes the substantive Article 13 cybersecurity obligations from the mandate. The role is distinct from the Article 19 importer role. See the Article 18 explainer at /cra-authorised-representative.
C
CE Marking
European conformity mark indicating compliance with EU legislation. Under CRA, products with digital elements must bear CE marking to be legally sold in the EU market. Requires completion of conformity assessment and EU Declaration of Conformity.
Conformity Assessment
Process verifying that a product meets the CRA essential cybersecurity requirements. Default products self-assess (Module A). Important Class I products can also self-assess where harmonised standards, common specifications, or a cybersecurity certification scheme are fully applied, and otherwise use third-party assessment. Class II and Critical products use third-party assessment (Module B+C or Module H) or a European cybersecurity certification scheme.
CRA - Cyber Resilience Act
EU Regulation 2024/2847 establishing mandatory cybersecurity requirements for products with digital elements (PDEs) sold in the European Union. Entered into force December 10, 2024. Main obligations apply from December 11, 2027. Covers hardware and software products with network connectivity.
Critical Product - CRA Annex IV
Products with digital elements that perform essential cybersecurity functions for other products, networks, or services. Listed in CRA Annex IV, these include hardware security modules (HSMs), smartcard readers, secure elements, and hardware devices with security boxes. Critical products require European cybersecurity certification under an applicable scheme, or — where no scheme exists — third-party conformity assessment by a notified body.
CSAF - Common Security Advisory Framework
OASIS standard for machine-readable security advisories. Enables automated processing of vulnerability disclosures. Used for coordinated vulnerability disclosure (CVD) and ENISA reporting under CRA requirements.
CSIRT - Computer Security Incident Response Teams
Designated cybersecurity bodies that manufacturers must notify of actively exploited vulnerabilities and severe incidents under CRA Article 14, and that coordinate with ENISA on EU-level vulnerability response.
CVD - Coordinated Vulnerability Disclosure
Process for responsibly disclosing security vulnerabilities to vendors before public announcement. CRA Article 13(8) requires manufacturers to establish and publish CVD policies, including security contact information.
CVE - Common Vulnerabilities and Exposures
Standardized identifier for publicly known cybersecurity vulnerabilities (e.g., CVE-2024-12345). Managed by MITRE Corporation. Used globally for vulnerability tracking, disclosure, and remediation coordination.
CVSS - Common Vulnerability Scoring System
Industry standard for assessing vulnerability severity on a 0-10 scale. CVSS 4.0 is the latest version. Provides base, temporal, and environmental metrics. Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9).
CycloneDX
OWASP standard for creating Software Bills of Materials (SBOMs) and related artifacts. Supports SBOM, VEX, HBOM, SaaSBOM, and more. Version 1.5+ recommended. Referenced by BSI TR-03183 as preferred format for CRA compliance.
D
Default Product Category
Products with digital elements that do not fall under the Important or Critical categories defined in CRA Annexes III and IV. Default products can undergo conformity assessment through internal control (self-assessment) by the manufacturer per CRA Annex VIII, without third-party involvement. This covers the vast majority of consumer and commercial software and hardware.
Distributor
Any entity in the supply chain, other than the manufacturer or importer, that makes a product with digital elements available on the EU market. Distributors must verify that the product bears CE marking and is accompanied by the EU Declaration of Conformity before making it available. If a distributor modifies the product, it becomes a manufacturer under CRA.
E
ENISA - European Union Agency for Cybersecurity
EU agency responsible for cybersecurity policy and incident coordination. Under CRA Article 14, manufacturers report actively exploited vulnerabilities and severe incidents to ENISA and the coordinating CSIRT via a single reporting platform, with an early-warning notification within 24 hours and a follow-up notification within 72 hours. The reporting obligation starts 11 September 2026.
EPSS - Exploit Prediction Scoring System
FIRST.org model estimating the probability (0-100%) that a vulnerability will be exploited in the wild within the next 30 days. Used for risk-based vulnerability prioritization alongside CVSS. Higher EPSS = higher priority for remediation.
EU Declaration of Conformity
Formal document stating that a product complies with applicable EU legislation, including the CRA. Must be signed by the manufacturer or authorised representative. Required for CE marking. Must reference the applicable harmonised standards.
EU Machinery Regulation - Regulation (EU) 2023/1230
EU regulation replacing the Machinery Directive 2006/42/EC, applying from 20 January 2027. Requires cybersecurity evidence in the technical file (Annex III §1.1.9 — protection against corruption) for machines with digital elements. Products with digital elements must comply with both this regulation and the CRA simultaneously.
H
Harmonised Standards
European standards adopted by recognised standardisation bodies (CEN, CENELEC, ETSI) and referenced in the EU Official Journal. Products conforming to harmonised standards benefit from a presumption of conformity with the corresponding CRA essential requirements, simplifying conformity assessment.
HBOM - Hardware Bill of Materials
Machine-readable inventory of hardware components in a product, including processors, memory, integrated circuits, and firmware. Complements SBOM for complete product transparency. CycloneDX supports HBOM format.
I
Important Product (Class I) - CRA Annex III, Part I
Products with digital elements that perform a cybersecurity-relevant function or carry elevated risk. Class I includes identity management systems, VPNs, network management tools, SIEM systems, boot managers, and other categories listed in CRA Annex III Part I. Manufacturers must either apply harmonised standards covering all essential requirements (enabling self-assessment), or undergo third-party conformity assessment by a notified body.
Important Product (Class II) - CRA Annex III, Part II
Products with digital elements that perform critical cybersecurity functions and carry significant risk. Class II includes operating systems, hypervisors, firewalls, intrusion detection systems, microcontrollers, industrial automation systems, and other categories listed in CRA Annex III Part II. These products always require third-party conformity assessment by a notified body, regardless of whether harmonised standards exist.
Importer
An EU-established entity that places a product with digital elements from a manufacturer outside the EU on the European market. Importers must verify that the manufacturer has carried out the conformity assessment, that CE marking is applied, and that technical documentation is available. They share liability for non-compliant products.
K
KEV - Known Exploited Vulnerabilities
CISA's authoritative catalog of vulnerabilities actively exploited in the wild. Highest priority for remediation as they represent confirmed real-world threats. Federal agencies must remediate KEV vulnerabilities within specified timeframes.
M
Manufacturer
The entity that develops or produces a product with digital elements and places it on the EU market under its own name or trademark. Manufacturers bear the primary CRA obligations: conducting risk assessments, maintaining SBOMs, handling vulnerabilities, providing security updates for at least five years, and reporting exploited vulnerabilities to ENISA.
N
Notified Body
Independent conformity assessment body designated by an EU member state to assess whether products meet regulatory requirements. Required for third-party conformity assessment of Important Class I, Class II, and Critical products under CRA Annexes III and IV.
NVD - National Vulnerability Database
U.S. government repository of vulnerability data maintained by NIST. Built upon CVE identifiers. Provides CVSS scores, CPE (affected product) information, CWE classifications, and remediation guidance.
O
OSV.dev - Open Source Vulnerability Database
Open Source Vulnerability database maintained by Google. Aggregates security advisories from GitHub (GHSA), Go, Rust, PyPI, and 15+ ecosystems into a single queryable API. CRA Evidence uses OSV.dev as a secondary vulnerability source alongside NVD to catch advisories that ecosystem-specific databases track before they receive CVE IDs.
P
PDE - Product with Digital Elements
A product with digital elements is hardware or software placed on the EU market whose intended or reasonably foreseeable use involves a direct or indirect data connection to another device or network. The legal definition is in CRA Article 3(1). The CRA distinguishes four forms: software products (Article 3(4)), hardware products (Article 3(5)), components placed on the market separately (Article 3(6), including firmware and SDKs), and remote data processing solutions supplied by the manufacturer (Article 3(2), cloud or remote services necessary for the product to perform its functions). A pure cloud SaaS without an installable client is generally outside the CRA; a hybrid product where the manufacturer's cloud service is necessary for the product to function is in scope through Article 3(2). The decisive test is the data connection, and Article 3(8), (9), and (10) distinguish logical, physical, and indirect connections.
prEN 50742
Draft European standard for safety of machinery covering protection against corruption requirements. Provides technical specifications for implementing Machinery Regulation (EU) 2023/1230 §1.1.9. Defines two compliance paths: a standalone approach, and integration with IEC 62443 for manufacturers already working within that industrial cybersecurity framework. Once published as a harmonised standard, conformity creates a presumption of conformity with the Machinery Regulation cybersecurity requirements. Publication expected late 2026.
PURL - Package URL
Standardized format for identifying software packages across ecosystems (e.g., pkg:npm/lodash@4.17.21). Used in SBOMs to uniquely identify components. Enables automated vulnerability matching and license compliance.
R
RDPS - Remote Data Processing Solutions
Cloud or SaaS functionality that processes data remotely as part of a product with digital elements. Falls within the product's CRA conformity assessment scope if it meets a three-part test: data is processed 'at a distance', the product would lose a core function without it, and it is designed by or under the responsibility of the manufacturer. Third-party SaaS that does not meet this test must still be treated as a component under Article 13(5) due diligence.
Risk Assessment
Systematic process of identifying, analysing, and evaluating cybersecurity risks associated with a product with digital elements. Required by CRA Article 13(2) and must be documented in the technical file. Covers threats, vulnerabilities, potential impact, and risk mitigation measures throughout the product lifecycle.
S
SBOM - Software Bill of Materials
Formal, machine-readable inventory of software components and dependencies, including versions, licenses, and relationships. Required by CRA Article 13(4) for vulnerability management and supply chain transparency. Can be in CycloneDX or SPDX format.
SCA - Software Composition Analysis
Software composition analysis (SCA) identifies open-source and third-party components, versions, licences, and known vulnerabilities in a software product. It is commonly used to generate SBOMs, keep them current across releases, and feed vulnerability monitoring under CRA Article 13.
SPDX - Software Package Data Exchange
ISO/IEC 5962:2021 standard for communicating software bill of materials information. Developed by the Linux Foundation. Widely used for license compliance and vulnerability tracking. Version 2.2.1+ recommended for CRA compliance.
T
Technical File
Complete documentation package demonstrating CRA compliance. Includes risk assessment, SBOM, security design documentation, vulnerability handling procedures, test results, and EU Declaration of Conformity. Must be retained for 10 years or product lifetime (whichever is longer).
TR-03183
German BSI (Federal Office for Information Security) Technical Guideline providing detailed requirements for SBOM creation and management. Widely referenced as best practice for CRA Article 13 compliance. Specifies minimum SBOM fields, formats, and update requirements.
V
VEX - Vulnerability Exploitability eXchange
Document communicating the exploitability status of vulnerabilities in a specific product. States whether a CVE affects your product (affected, not affected, fixed, under investigation). Helps downstream users reduce alert fatigue from false positives.
VKB - Vulnerability Knowledge Base
A continuously updated vulnerability database that aggregates advisories from multiple sources — such as NVD/cvelistV5, OSV.dev, GitHub Advisories, CISA KEV, and EPSS — into a single queryable knowledge base. Instead of scanning dependencies on demand against a single source, a VKB maintains a local mirror of all known vulnerabilities and matches them against software components as new CVEs are published. This reduces detection latency from hours or days to minutes, and cross-referencing multiple sources lowers the risk of missed advisories.
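The mirror-and-match workflow the VKB entry describes, worked through as an added example. This is illustrative code written for this glossary, not code from CRA Evidence or any of the sources named above. It ingests advisory records from two constructed feeds, merges them by identifier so that a KEV-style flag enriches an existing record instead of duplicating it, matches the merged base against SBOM components identified by PURL, suppresses alerts covered by a VEX `not_affected` or `fixed` statement, and ranks what remains by KEV, then EPSS, then CVSS. Every advisory id (`SAMPLE-VULN-*`), package name, score and VEX statement is constructed sample data; the PURL parser (qualifiers and subpath dropped) and the dotted-version ordering are simplified assumptions that real ecosystems would need to extend.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional, Tuple


class Purl(NamedTuple):
    type: str       # ecosystem, e.g. "npm"
    package: str    # namespace/name
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version; qualifiers and subpath are dropped (simplification)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    body, _, version = body.partition("@")
    parts = body.strip("/").split("/")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError(f"package URL needs a type and a name: {purl}")
    return Purl(parts[0].lower(), "/".join(parts[1:]), version or None)


def version_key(v: str) -> Tuple:
    # Simplified ordering (assumption): numeric dotted segments compare numerically.
    # Real ecosystems (semver pre-releases, PEP 440, Go pseudo-versions) need more.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


@dataclass
class Advisory:
    id: str
    ecosystem: str          # PURL type
    package: str            # PURL namespace/name
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet
    cvss: float             # CVSS base score, 0-10
    epss: float             # EPSS probability, 0-1
    kev: bool               # present in a KEV-style exploited-in-the-wild catalogue
    source: str

    def affects(self, p: Purl) -> bool:
        if (p.type, p.package) != (self.ecosystem, self.package) or p.version is None:
            return False
        v = version_key(p.version)
        if v < version_key(self.introduced):
            return False
        return self.fixed is None or v < version_key(self.fixed)


class Finding(NamedTuple):
    advisory_id: str
    purl: str
    kev: bool
    epss: float
    cvss: float
    fixed: Optional[str]


class VulnerabilityKnowledgeBase:
    """Local mirror keyed by advisory id. A record seen from a second source is merged
    into the existing one, so a KEV or EPSS feed enriches an NVD record instead of
    producing a duplicate alert."""

    def __init__(self) -> None:
        self.advisories: Dict[str, Advisory] = {}

    def ingest(self, records: List[Advisory]) -> None:
        for rec in records:
            cur = self.advisories.get(rec.id)
            if cur is None:
                self.advisories[rec.id] = rec
                continue
            cur.kev, cur.epss, cur.cvss = cur.kev or rec.kev, max(cur.epss, rec.epss), max(cur.cvss, rec.cvss)
            cur.source += "," + rec.source

    def match(self, sbom_purls: List[str], vex: Dict[Tuple[str, str], str]) -> List[Finding]:
        findings = []
        for raw in sbom_purls:
            p = parse_purl(raw)
            for adv in self.advisories.values():
                # A VEX status of not_affected or fixed for this (advisory, component) suppresses the alert.
                if adv.affects(p) and vex.get((adv.id, raw)) not in ("not_affected", "fixed"):
                    findings.append(Finding(adv.id, raw, adv.kev, adv.epss, adv.cvss, adv.fixed))
        # Confirmed-exploited (KEV) first, then by exploit probability, then by severity.
        findings.sort(key=lambda f: (not f.kev, -f.epss, -f.cvss))
        return findings


# Constructed sample data: the advisory ids, package names and scores are invented.
NVD_MIRROR = [
    Advisory("SAMPLE-VULN-0001", "npm", "sample-utils", "0", "1.5.0", 7.5, 0.12, False, "nvd"),
    Advisory("SAMPLE-VULN-0002", "pypi", "sample-http", "2.0.0", "2.31.0", 6.1, 0.02, False, "nvd"),
    Advisory("SAMPLE-VULN-0003", "golang", "github.com/example/samplelib", "1.0.0", None, 9.8, 0.50, False, "nvd"),
]
KEV_FEED = [Advisory("SAMPLE-VULN-0001", "npm", "sample-utils", "0", "1.5.0", 0.0, 0.0, True, "kev")]
SBOM = ["pkg:npm/sample-utils@1.4.0", "pkg:npm/sample-utils@1.5.0",
        "pkg:pypi/sample-http@2.25.1", "pkg:golang/github.com/example/samplelib@1.2.0"]
# Constructed VEX statement: the vulnerable code path in sample-http is not reachable in this product.
VEX = {("SAMPLE-VULN-0002", "pkg:pypi/sample-http@2.25.1"): "not_affected"}


def run_sample() -> List[Finding]:
    vkb = VulnerabilityKnowledgeBase()
    vkb.ingest(NVD_MIRROR)
    vkb.ingest(KEV_FEED)
    return vkb.match(SBOM, VEX)


if __name__ == "__main__":
    for f in run_sample():
        print(f.advisory_id, f.purl, "KEV" if f.kev else "-", f"EPSS={f.epss:.2f}", f"CVSS={f.cvss}", f"fixed={f.fixed}")
```

Running the sample yields two findings: the `sample-utils@1.4.0` advisory ranks first because the KEV feed marked it exploited, even though the unfixed `samplelib` advisory has the higher CVSS and EPSS; `sample-utils@1.5.0` is clean because the fixed version is exclusive; and the `sample-http` match is dropped by the VEX statement. In a production VKB the feeds would be refreshed continuously and the match re-run as new records arrive, which is where the latency reduction the entry describes comes from.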