Go back to the web Sign In

Frequently Asked Questions

Common questions about CRA Evidence and CRA compliance.

Getting Started

What is CRA Evidence?

CRA Evidence is a compliance management platform for the EU Cyber Resilience Act (CRA). It provides tools for:

  • Managing Software Bills of Materials (SBOMs)
  • Tracking vulnerabilities and remediation
  • Storing required documentation
  • Generating technical file exports
  • Tracking ENISA notification deadlines
  • Publishing security advisories (CSAF/VEX)

Who needs to use CRA Evidence?

CRA Evidence serves all CRA economic operator roles:

Role How CRA Evidence helps
Manufacturers Create SBOMs, manage vulnerabilities, build technical files, report to ENISA
Importers Verify manufacturer compliance, maintain documentation, track products
Distributors Check CE marking, verify documentation, manage due diligence

This includes software companies, IoT device manufacturers, industrial equipment makers, and consumer electronics producers.

Is CRA Evidence required for CRA compliance?

No, CRA Evidence is not required. CRA compliance can be achieved with any tools that help you meet the regulatory requirements. CRA Evidence makes it easier by providing purpose-built features for SBOM management, vulnerability tracking, and documentation.

Cyber Resilience Act Basics

What is the Cyber Resilience Act?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is an EU regulation establishing cybersecurity requirements for products with digital elements. It requires manufacturers to:

  • Design products securely
  • Maintain SBOMs
  • Track and fix vulnerabilities
  • Report actively exploited vulnerabilities to ENISA
  • Keep documentation for 10+ years

When does CRA take effect?

Key dates:

Date Milestone
December 10, 2024 CRA entered into force
September 11, 2026 Reporting obligations begin
December 11, 2027 Full enforcement

Does CRA apply to my product?

CRA applies if you:

  • Place products with digital elements on the EU market
  • The product can connect to a network or another device

Exemptions include:

  • Pure SaaS (no software distributed to users)
  • Medical devices (covered by MDR)
  • Vehicles (covered by vehicle regulations)
  • Open source developed non-commercially

What's a "Product with Digital Element" (PDE)?

Any product that includes software or connectivity:

  • Software applications
  • IoT devices
  • Network equipment
  • Industrial control systems
  • Consumer electronics with software components

SBOMs

What SBOM formats does CRA Evidence support?

  • CycloneDX JSON (1.5+, recommended)
  • SPDX JSON (2.2+)

How do I generate an SBOM?

See our SBOM Guide for detailed instructions. Quick options:

  • Container images: Use Syft (syft image:tag -o cyclonedx-json)
  • Node.js: Use @cyclonedx/cyclonedx-npm
  • Python: Use cyclonedx-py
  • Java: Use CycloneDX Maven/Gradle plugin

What's a good quality score?

Score Rating
80-100 Excellent - meets TR-03183 recommendations
60-79 Good - minor improvements recommended
40-59 Fair - significant gaps
0-39 Poor - major quality issues

Aim for 80+ for full vulnerability detection capability.

Why is my quality score low?

Common reasons:

  • Missing PURLs: Components need Package URLs for vulnerability matching
  • No hashes: SHA-256 hashes verify component integrity
  • No supplier info: Supplier data enables supply chain tracking

Solution: Use lock files and comprehensive SBOM tools like Syft.

Can I upload multiple SBOMs per version?

Yes. You might have multiple SBOMs for:

  • Different build configurations
  • Different platforms
  • Updated dependency snapshots

CRA Evidence tracks all of them.

Documents

What documents are required?

For all products:

  • Risk assessment
  • EU Declaration of Conformity
  • User manual
  • Vulnerability disclosure policy

See Documents Checklist for complete details.

What file formats are accepted?

  • PDF (recommended for formal documents)
  • Microsoft Office (docx, xlsx, pptx)
  • Plain text and Markdown
  • Images (png, jpg for diagrams)

How long must I keep documents?

CRA requires keeping technical documentation for:

  • 10 years after the product is placed on market, OR
  • The support period, whichever is longer

Can I use one document for multiple versions?

Yes, if the content hasn't changed materially. However:

  • Review and date-stamp for each release
  • Note any version-specific considerations
  • Update when there are significant changes

Vulnerabilities

How does vulnerability scanning work?

When you upload an SBOM:

  1. CRA Evidence extracts component identifiers (PURLs)
  2. Components are checked against the Trivy vulnerability database
  3. Known CVEs are associated with your version
  4. Results appear on your version page

What if there's a false positive?

If a vulnerability doesn't actually affect your product:

  1. Document why (e.g., affected code path not used)
  2. Mark as False Positive in CRA Evidence
  3. Consider using VEX statements

When do I need to report to ENISA?

You must report actively exploited vulnerabilities (where someone is actually using the vulnerability in attacks):

  • 24 hours: Early warning
  • 72 hours: Detailed report
  • 14 days: Final report

This requirement begins September 11, 2026.

Does CRA Evidence submit to ENISA automatically?

No. CRA Evidence tracks deadlines and records that you submitted, but you must submit through the ENISA Single Reporting Platform (when available). CRA Evidence helps you prepare and track compliance.

How often should I re-scan?

Recommended: Enable automatic re-scanning on database updates. This catches newly discovered vulnerabilities in your existing components.

Products and Versions

How should I structure products?

One product = one commercial offering. Versions represent releases:

My Product (Product)
  +-- v1.0.0 (Version)
  +-- v1.1.0 (Version)
  +-- v2.0.0 (Version)

What CRA category is my product?

Category Examples Assessment
Default Business apps, consumer software Self-assessment
Important Class I Password managers, VPNs, SIEM Self + standards OR third-party
Important Class II Operating systems, hypervisors Third-party required
Critical HSMs, industrial control systems Third-party required

See Core Concepts for full classification guidance.

What support period should I set?

CRA requires a minimum of 5 years. Choose based on:

  • Expected product lifecycle
  • Industry norms
  • Your support capabilities

Document your justification in the version settings.

Technical File

What is a technical file?

A complete documentation package demonstrating CRA compliance, as required by Annex VII. CRA Evidence generates this as a ZIP archive.

What's included in the export?

  • Machine-readable manifest (JSON)
  • Human-readable summary (README)
  • CRA compliance checklist
  • All uploaded SBOMs
  • All uploaded documents
  • Manufacturer information
  • Conformity assessment details

When should I export?

  • At each new version release
  • Before applying CE marking
  • When requested by authorities
  • For annual records

Why does my export show "Incomplete"?

You're missing required items. Check:

  • Is at least one SBOM uploaded?
  • Are all required documents present?
  • Are version fields filled (end of support date, etc.)?

The manifest lists specific missing items.

Organisation and Access

Can multiple people access my organisation?

Yes. CRA Evidence supports team collaboration with roles:

Role Permissions
Owner Full control, cannot be removed
Admin Manage members, billing, settings
Member Create/edit products, upload artifacts
Viewer Read-only access

Can I be in multiple organisations?

Yes. Users can belong to multiple organisations with different roles in each.

How do I add team members?

  1. Go to Settings > Organisation > Members
  2. Click Invite Member
  3. Enter email and select role
  4. They'll receive an invitation email

API and Integration

Is there an API?

Yes. CRA Evidence provides a REST API for:

  • Uploading SBOMs programmatically
  • Managing products and versions
  • Querying vulnerabilities
  • Triggering exports

See API Overview for documentation.

How do I get an API key?

  1. Go to Settings > API Keys
  2. Click Create API Key
  3. Select scopes (permissions)
  4. Copy and securely store the key

Can I integrate with CI/CD?

Yes. See CI/CD Integration for examples with:

  • GitHub Actions
  • GitLab CI
  • Jenkins
  • Azure DevOps

Billing and Plans

Is there a free tier?

Check current pricing at https://craevidence.com/pricing. Features and limits vary by plan.

What's the storage limit?

Depends on your plan. Check Settings > Organisation for your current usage and quota.

How do I upgrade?

Go to Settings > Billing to manage your subscription.

Security and Privacy

Where is my data stored?

CRA Evidence uses EU-based infrastructure to comply with data residency requirements.

Is my SBOM data confidential?

Yes. Your SBOMs, documents, and vulnerability data are private to your organisation. CRA Evidence does not share or aggregate customer data.

How is data encrypted?

  • In transit: TLS 1.2+
  • At rest: AES-256 encryption

Do you have SOC 2 / ISO 27001?

Contact security@craevidence.com for security certifications and documentation.

Troubleshooting

My SBOM upload failed

Common causes:

  • Invalid JSON syntax
  • Missing format identifier (bomFormat or spdxVersion)
  • File truncated during upload
  • Exceeds size limit

Solution: Validate your JSON locally (jq . sbom.json)

Vulnerability scan shows no results

Possible reasons:

  • Low PURL coverage in SBOM (check quality score)
  • Components are up to date (good!)
  • Trivy doesn't have data for your components

Export is taking too long

For large versions with many files:

  • Try API export with longer timeout
  • Export SBOM and documents separately
  • Contact support if issues persist

I forgot my password

  1. Go to the login page
  2. Click "Forgot Password"
  3. Enter your email
  4. Follow the reset link

Getting Help

Where can I get support?

How do I report a bug?

Email support@craevidence.com with:

  • What you were trying to do
  • What happened
  • Browser and operating system
  • Screenshots if helpful

Can I request a feature?

Yes! Email support@craevidence.com with your suggestion. We prioritize based on customer needs and CRA compliance requirements.

Advanced Features

What are CSAF and VEX?

CSAF (Common Security Advisory Framework) is a standard format for publishing security advisories. VEX (Vulnerability Exploitability eXchange) clarifies whether vulnerabilities actually affect your product.

See CSAF & VEX Management for details.

How do I report incidents to ENISA?

CRA Evidence tracks ENISA notification deadlines (24h, 72h, 1 month) and records your submissions. See Incident Reporting.

What is the Supplier Portal?

A customer-facing portal where your customers can access SBOMs, security advisories, and compliance documentation. See Supplier Portal.

Can I automate compliance policies?

Yes. Classification rules let you automatically flag issues based on license type, vulnerability severity, or supplier status. See Classification Rules.

What about roles and permissions?

CRA Evidence has four roles: Owner, Admin, Member, and Viewer. See Roles & Permissions for details.

Still Have Questions?

If your question isn't answered here:

  1. Check the relevant guide in the onboarding documentation
  2. Review the technical documentation
  3. Contact support@craevidence.com

We're here to help you achieve CRA compliance.

Last updated February 27, 2026
Was this page helpful?
Thanks for your feedback!

Help us improve. What was missing or unclear?