Start with product-version records.
Manufacturers need a way to keep SBOMs, review decisions, remediation status, and evidence history connected to the product versions they ship and maintain.
Coordinate across security, compliance, and engineering.
Product security evidence often spans teams. A shared workflow helps reduce gaps between scanner results, tickets, spreadsheets, and review records.
Avoid overclaiming readiness.
Operational records can support CRA readiness workflows, but they do not certify compliance or replace formal legal and compliance assessment.
Product alignment
How CRA Ledger maps this into a workflow
Product-version record
Released versions are anchored with metadata.
SBOM retained
Original formats are retained with source-artifact context.
Vulnerability review tracked
CVE triage decisions document ownership.
Remediation status connected
Fix updates and SLA tracking stay visible.
Decisions & timestamps preserved
Provenance is recorded for every decision.
Readiness evidence summarized
Evidence summaries keep output context reviewable.
Notice
Operational guidance only. Confirm product scope and CRA duties with official sources and advisers.
CRA Ledger supports readiness workflows and evidence organization. It does not guarantee compliance or replace legal advice.
Related resources