EU Cyber Resilience Act

CRA evidence must stay current as your product changes.

The Cyber Resilience Act (Regulation (EU) 2024/2847) requires manufacturers to maintain documented evidence of their cybersecurity processes for every product version they place on the market. Most obligations apply from 11 December 2027. CRA Ledger helps teams organize those evidence workflows; it does not replace legal assessment.

CRA in brief

Applies to

manufacturers, importers and distributors of products with digital elements made available on the EU market

Enforcement

11 December 2027 for most obligations (vulnerability and incident reporting obligations from 11 September 2026)

Penalties

up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher

Timeline and penalty details are summarized for orientation. Read the CRA guide for source notes and official references.

CRA evidence problem

CRA is not just a documentation task.

Product security evidence must stay current as products, vulnerabilities, remediation work, and review decisions change.

Product versions change.

Evidence has to follow each release candidate, each shipped version, and every updated SBOM, so that a reviewer can later tell which record described which build.

Vulnerabilities appear after release.

Teams need a repeatable way to review new findings against already-shipped versions and to preserve what was decided, by whom, and why.

Review decisions need traceability.

Disposition, ownership, and remediation decisions should not live only in tickets.

Evidence must stay available.

Audit history, original uploads, and review activity need to remain reviewable over time.

Affected teams

Who needs product security evidence?

CRA readiness work often spans commercial, security, engineering, and compliance teams. The product supports evidence organization without making legal determinations.

Manufacturers

Maintain product-version evidence and security review history.

Importers and distributors

Coordinate product-security records without overstating legal conclusions.

Product security teams

Run vulnerability handling with retained review context.

Compliance teams

Organize records for readiness reviews and customer evidence requests.

Engineering/platform teams

See what changed, what is blocked, and what needs action.

What CRA Ledger supports

Operational evidence workflows for CRA readiness.

CRA Ledger helps teams organize product-security evidence without making legal determinations.

Product-version evidence

Keep SBOMs, findings, decisions, and remediation context tied to the product version they belong to.

SBOM intake and retention

Upload or register CycloneDX/SPDX records and retain original artifact metadata for later review.

Vulnerability review history

Track CVE review state, rationale, severity, ownership, and review activity.

Remediation and SLA context

Keep remediation updates, blocked work, and SLA pressure visible alongside findings.

Audit activity

Preserve user activity, review changes, imports, and evidence events for traceability.

Readiness summaries

Prepare product-security summaries for CRA readiness discussions without claiming legal certification.
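The items above (product-version evidence, SBOM intake and retention, vulnerability review history, audit activity) describe an evidence model rather than a procedure. The following is an added example of that model in Python, written for this page; it is not CRA Ledger's own code and assumes nothing about the product's internals. The SBOM is a constructed CycloneDX document for a hypothetical product "widget-fw", the CVE identifier is a placeholder, and the hash chain is one common way to make an append-only log tamper-evident.

```python
"""Illustrative product-version evidence ledger: SBOM intake with retained originals,
CVE review decisions with rationale and owner, and a hash-chained audit trail.
Added example for this page, not CRA Ledger's code."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM for a hypothetical "widget-fw" 2.3.0.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "widget-fw", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    ],
}, sort_keys=True).encode()

REVIEW_STATES = {"open", "affected", "not_affected", "fixed"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_cyclonedx(raw: bytes) -> dict:
    """Extract product identity and component purls; reject anything that is not CycloneDX JSON."""
    doc = json.loads(raw)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comp = doc.get("metadata", {}).get("component", {})
    if not comp.get("name") or not comp.get("version"):
        raise ValueError("SBOM does not identify the product version it describes")
    purls = [c.get("purl", f"{c.get('name')}@{c.get('version')}") for c in doc.get("components", [])]
    return {"product": comp["name"], "version": comp["version"],
            "spec_version": doc.get("specVersion"), "purls": sorted(purls)}


@dataclass
class EvidenceLedger:
    events: list = field(default_factory=list)      # append-only, each event hashes the previous one
    artifacts: dict = field(default_factory=dict)   # sha256 -> original upload bytes, kept verbatim

    def _append(self, product, version, kind, payload, actor, at=None) -> dict:
        prev = self.events[-1]["event_hash"] if self.events else "0" * 64
        event = {"seq": len(self.events), "product": product, "version": version, "kind": kind,
                 "actor": actor, "at": at or datetime.now(timezone.utc).isoformat(),
                 "payload": payload, "prev_hash": prev}
        # The hash covers every field except itself, so editing any field breaks the chain.
        event["event_hash"] = sha256_hex(json.dumps(event, sort_keys=True).encode())
        self.events.append(event)
        return event

    def ingest_sbom(self, raw: bytes, actor: str, at=None) -> dict:
        """Retain the original bytes by content hash and record the intake against the product version."""
        meta = parse_cyclonedx(raw)
        digest = sha256_hex(raw)
        self.artifacts[digest] = raw
        payload = {"sha256": digest, "spec_version": meta["spec_version"],
                   "component_count": len(meta["purls"]), "purls": meta["purls"]}
        return self._append(meta["product"], meta["version"], "sbom_intake", payload, actor, at)

    def record_review(self, product, version, cve, state, rationale, owner, actor, at=None) -> dict:
        """A disposition is only accepted with a rationale and an owner, so the trail explains itself later."""
        if state not in REVIEW_STATES:
            raise ValueError(f"unknown review state {state!r}")
        if not rationale.strip() or not owner.strip():
            raise ValueError("a review decision needs a rationale and an owner")
        payload = {"cve": cve, "state": state, "rationale": rationale, "owner": owner}
        return self._append(product, version, "cve_review", payload, actor, at)

    def current_review(self, product, version, cve):
        """Latest disposition for a CVE on one product version, or None if never reviewed there."""
        for e in reversed(self.events):
            if e["kind"] == "cve_review" and (e["product"], e["version"], e["payload"]["cve"]) == (product, version, cve):
                return e["payload"]
        return None

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, reordered or deleted event makes this return False."""
        prev = "0" * 64
        for i, e in enumerate(self.events):
            body = {k: v for k, v in e.items() if k != "event_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["event_hash"]:
                return False
            prev = e["event_hash"]
        return True
```

Two design points a practitioner would check: the original SBOM bytes are stored under their content hash, so a later reviewer can confirm that the retained file is the one that was reviewed, and a review decision cannot be recorded without a rationale and an owner. The hash chain detects edits and deletions inside the log, but not silent truncation of the newest events; for that, the head hash has to be anchored somewhere outside the ledger (a signed timestamp, a write-once store, or an external log).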

Limitations

What it does not replace.

CRA Ledger supports operational readiness and evidence workflows. It does not provide legal advice, legal certification, or notified body approval, and it does not replace a formal legal or compliance assessment.

Next step

Map your product-security workflow to CRA evidence.

Review how SBOM intake, vulnerability handling, remediation status, and retained evidence fit your product portfolio.