TL;DR
This glossary covers essential EU Cyber Resilience Act (CRA) terminology: SBOM (Software Bill of Materials), CycloneDX, SPDX, VEX (Vulnerability Exploitability eXchange), CSAF, CVE, EPSS, KEV, TR-03183, ENISA reporting, CE marking, harmonised standards, notified bodies, risk assessment, technical file requirements, and conformity assessment. Use this reference when preparing for CRA compliance before the December 2027 deadline.
CRA Compliance Glossary
Essential terminology for understanding the EU Cyber Resilience Act, software supply chain security standards, and compliance requirements.
A
Annex VII
CRA Annex VII specifies the minimum content of the EU Declaration of Conformity that manufacturers must draw up for products with digital elements. Includes product identification, manufacturer details, standards applied, and the signature of an authorised representative.
Article 13 - Obligations of Manufacturers
CRA Article 13 sets out the core manufacturer obligations: security by design, SBOM maintenance, vulnerability handling, providing security updates throughout the product lifecycle, and maintaining technical documentation for at least 10 years.
Article 14 - Reporting Obligations
CRA Article 14 requires manufacturers to report actively exploited vulnerabilities to ENISA within 24 hours (early warning), 72 hours (detailed report), and 14 days (final report). Severe incidents follow the same pattern but with a 30-day final report deadline.
C
CE Marking
European conformity mark indicating compliance with EU legislation. Under CRA, products with digital elements must bear CE marking to be legally sold in the EU market. Requires completion of conformity assessment and EU Declaration of Conformity.
Conformity Assessment
Process verifying that a product meets CRA essential cybersecurity requirements. Default products can use self-assessment (Module A). Important Class I products may self-assess only where harmonised standards covering all essential requirements are applied; otherwise they, together with Class II and Critical products, require third-party assessment by notified bodies.
CRA - Cyber Resilience Act
EU Regulation 2024/2847 establishing mandatory cybersecurity requirements for products with digital elements (PDEs) sold in the European Union. Entered into force December 10, 2024. Main obligations apply from December 11, 2027. Covers hardware and software products with network connectivity.
CSAF - Common Security Advisory Framework
OASIS standard for machine-readable security advisories. Enables automated processing of vulnerability disclosures. Used for coordinated vulnerability disclosure (CVD) and ENISA reporting under CRA requirements.
CVD - Coordinated Vulnerability Disclosure
Process for responsibly disclosing security vulnerabilities to vendors before public announcement. CRA Article 13(8) requires manufacturers to establish and publish CVD policies, including security contact information.
CVE - Common Vulnerabilities and Exposures
Standardized identifier for publicly known cybersecurity vulnerabilities (e.g., CVE-2024-12345). Managed by MITRE Corporation. Used globally for vulnerability tracking, disclosure, and remediation coordination.
CVSS - Common Vulnerability Scoring System
Industry standard for assessing vulnerability severity on a 0-10 scale. CVSS 4.0 is the latest version. Provides base, temporal, and environmental metrics. Qualitative severity ratings: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9).
CycloneDX
OWASP standard for creating Software Bills of Materials (SBOMs) and related artifacts. Supports SBOM, VEX, HBOM, SaaSBOM, and more. Version 1.5+ recommended. Referenced by BSI TR-03183 as preferred format for CRA compliance.
Critical Product — CRA Annex IV
Products with digital elements that perform essential cybersecurity functions for other products, networks, or services. Listed in CRA Annex IV, these include hardware security modules (HSMs), smartcard readers, secure elements, and hardware devices with security boxes. Critical products require European cybersecurity certification under an applicable scheme, or — where no scheme exists — third-party conformity assessment by a notified body.
D
Default Product Category
Products with digital elements that do not fall under the Important or Critical categories defined in CRA Annexes III and IV. Default products can undergo conformity assessment through internal control (self-assessment) by the manufacturer per CRA Annex VIII, without third-party involvement. This covers the vast majority of consumer and commercial software and hardware.
Distributor
Any entity in the supply chain, other than the manufacturer or importer, that makes a product with digital elements available on the EU market. Distributors must verify that the product bears CE marking and is accompanied by the EU Declaration of Conformity before making it available. If a distributor modifies the product, it becomes a manufacturer under CRA.
E
ENISA - European Union Agency for Cybersecurity
EU agency responsible for cybersecurity policy and incident coordination. Under CRA, manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours, and severe incidents within 72 hours. Reporting obligation starts September 11, 2026.
EPSS - Exploit Prediction Scoring System
FIRST.org model estimating the probability (0-100%) that a vulnerability will be exploited in the wild within the next 30 days. Used for risk-based vulnerability prioritization alongside CVSS: a higher EPSS score means a higher remediation priority.
EU Declaration of Conformity
Formal document stating that a product complies with applicable EU legislation including CRA. Must be signed by manufacturer or authorized representative. Required for CE marking. Must reference applicable harmonized standards.
H
HBOM - Hardware Bill of Materials
Machine-readable inventory of hardware components in a product, including processors, memory, integrated circuits, and firmware. Complements SBOM for complete product transparency. CycloneDX supports HBOM format.
Harmonised Standards
European standards adopted by recognised standardisation bodies (CEN, CENELEC, ETSI) and referenced in the EU Official Journal. Products conforming to harmonised standards benefit from a presumption of conformity with the corresponding CRA essential requirements, simplifying conformity assessment.
I
Importer
An EU-established entity that places a product with digital elements from a manufacturer outside the EU on the European market. Importers must verify that the manufacturer has carried out the conformity assessment, that CE marking is applied, and that technical documentation is available. They share liability for non-compliant products.
Important Product (Class I) — CRA Annex III, Part I
Products with digital elements that perform a cybersecurity-relevant function or carry elevated risk. Class I includes identity management systems, VPNs, network management tools, SIEM systems, boot managers, and other categories listed in CRA Annex III Part I. Manufacturers must either apply harmonised standards covering all essential requirements (enabling self-assessment), or undergo third-party conformity assessment by a notified body.
Important Product (Class II) — CRA Annex III, Part II
Products with digital elements that perform critical cybersecurity functions and carry significant risk. Class II includes operating systems, hypervisors, firewalls, intrusion detection systems, microcontrollers, industrial automation systems, and other categories listed in CRA Annex III Part II. These products always require third-party conformity assessment by a notified body, regardless of whether harmonised standards exist.
K
KEV - Known Exploited Vulnerabilities
CISA's authoritative catalog of vulnerabilities actively exploited in the wild. Highest priority for remediation as they represent confirmed real-world threats. Federal agencies must remediate KEV vulnerabilities within specified timeframes.
M
Manufacturer
The entity that develops or produces a product with digital elements and places it on the EU market under its own name or trademark. Manufacturers bear the primary CRA obligations: conducting risk assessments, maintaining SBOMs, handling vulnerabilities, providing security updates for at least five years, and reporting exploited vulnerabilities to ENISA.
N
NVD - National Vulnerability Database
U.S. government repository of vulnerability data maintained by NIST. Built upon CVE identifiers. Provides CVSS scores, CPE (affected product) information, CWE classifications, and remediation guidance.
Notified Body
Independent conformity assessment body designated by an EU member state to assess whether products meet regulatory requirements. Required for third-party conformity assessment of Important Class I, Class II, and Critical products listed in CRA Annexes III and IV.
O
OSV.dev - Open Source Vulnerability Database
Open Source Vulnerability database maintained by Google. Aggregates security advisories from GitHub (GHSA), Go, Rust, PyPI, and 15+ ecosystems into a single queryable API. CRA Evidence uses OSV.dev as a secondary vulnerability source alongside NVD to catch advisories that ecosystem-specific databases track before they receive CVE IDs.
P
PDE - Product with Digital Elements
Any software or hardware product with a connection (direct or indirect) to another device or network. The core scope of CRA regulation. Includes IoT devices, industrial equipment, consumer electronics, and standalone software.
PURL - Package URL
Standardized format for identifying software packages across ecosystems (e.g., pkg:npm/lodash@4.17.21). Used in SBOMs to uniquely identify components. Enables automated vulnerability matching and license compliance.
R
Risk Assessment
Systematic process of identifying, analysing, and evaluating cybersecurity risks associated with a product with digital elements. Required by CRA Article 13(2) and must be documented in the technical file. Covers threats, vulnerabilities, potential impact, and risk mitigation measures throughout the product lifecycle.
S
SBOM - Software Bill of Materials
Formal, machine-readable inventory of software components and dependencies, including versions, licenses, and relationships. Required by CRA Article 13(4) for vulnerability management and supply chain transparency. Can be in CycloneDX or SPDX format.
SPDX - Software Package Data Exchange
ISO/IEC 5962:2021 standard for communicating software bill of materials information. Developed by the Linux Foundation. Widely used for license compliance and vulnerability tracking. Version 2.2.1+ recommended for CRA compliance.
T
Technical File
Complete documentation package demonstrating CRA compliance. Includes risk assessment, SBOM, security design documentation, vulnerability handling procedures, test results, and EU Declaration of Conformity. Must be retained for 10 years or product lifetime (whichever is longer).
TR-03183
German BSI (Federal Office for Information Security) Technical Guideline providing detailed requirements for SBOM creation and management. Widely referenced as best practice for CRA Article 13 compliance. Specifies minimum SBOM fields, formats, and update requirements.
V
VEX - Vulnerability Exploitability eXchange
Document communicating the exploitability status of vulnerabilities in a specific product. States whether a CVE affects your product (affected, not affected, fixed, under investigation). Helps downstream users reduce alert fatigue from false positives.
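As an added example (not code from the original page or from CRA Evidence), the following Python parses the Package URL format described under PURL above and emits a CycloneDX 1.5 VEX document using the four VEX statuses listed here. The product, the component purls and the second CVE id are constructed sample values; the first CVE id reuses the placeholder from the CVE entry.

```python
"""Added example, not code from the original page or from CRA Evidence.
Parses Package URLs and builds a CycloneDX 1.5 VEX document; the product,
the component purls and the CVE ids below are constructed sample values."""
import json
from urllib.parse import parse_qsl, unquote

# Page's VEX status vocabulary -> CycloneDX 1.5 analysis.state values
VEX_STATE = {"affected": "exploitable", "not affected": "not_affected",
             "fixed": "resolved", "under investigation": "in_triage"}
# CycloneDX 1.5 analysis.justification values (needed when not_affected)
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control"}

def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest, _, subpath = purl[4:].partition("#")
    rest, _, query = rest.partition("?")
    ptype, _, rest = rest.lstrip("/").partition("/")
    path, sep, version = rest.rpartition("@")          # version follows the last '@'
    if not sep:
        path, version = rest, ""
    segs = [unquote(s) for s in path.split("/") if s]  # %40babel -> @babel (npm scope)
    return {"type": ptype.lower(), "namespace": "/".join(segs[:-1]), "name": segs[-1],
            "version": unquote(version), "qualifiers": dict(parse_qsl(query)), "subpath": subpath}

def vex_statement(cve_id, purl, status, justification=None, detail=""):
    """One CycloneDX vulnerability entry; 'not affected' must carry a justification."""
    parse_purl(purl)                                   # reject malformed component refs early
    analysis = {"state": VEX_STATE[status], "detail": detail}
    if analysis["state"] == "not_affected":
        if justification not in JUSTIFICATIONS:
            raise ValueError("not_affected needs a CycloneDX justification")
        analysis["justification"] = justification
    return {"id": cve_id, "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{cve_id}"},
            "analysis": analysis, "affects": [{"ref": purl}]}

def build_vex(product_purl, statements):
    """Wrap statements in a CycloneDX 1.5 VEX document describing the given product."""
    p = parse_purl(product_purl)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "bom-ref": product_purl,
                                       "name": p["name"], "version": p["version"], "purl": product_purl}},
            "vulnerabilities": statements}

def actionable(vex):
    """CVE ids a downstream consumer still has to act on (exploitable or in triage)."""
    return sorted(v["id"] for v in vex["vulnerabilities"]
                  if v["analysis"]["state"] in ("exploitable", "in_triage"))

if __name__ == "__main__":
    doc = build_vex("pkg:generic/example-product@3.1.0", [
        vex_statement("CVE-2024-12345", "pkg:npm/lodash@4.17.21", "not affected",
                      "code_not_reachable", "vulnerable function is never called"),
        vex_statement("CVE-2024-00001", "pkg:npm/%40example/widget@2.0.0", "under investigation")])
    print(json.dumps(doc, indent=2))
```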
Ready to Get CRA-Ready?
CRA Evidence helps you manage SBOMs, track vulnerabilities, and generate audit-ready documentation.