Free CRA reporting guides

Build the reporting process before the clock starts.

Short, source-grounded guides for Article 14 readiness. They are not legal advice; they show how to turn owners, SBOMs, scanners, tickets, and release records into a rehearsable workflow.

Scope and owners

Who should own the first CRA reporting decision?

Name a role and a backup. If nobody owns the first decision today, keep that as a gap rather than implying the incident process already covers CRA reporting.

Reporting timelines

What starts on September 11, 2026 under the Cyber Resilience Act?

Manufacturers need a process for actively exploited vulnerabilities and severe security incidents. The operational gap is usually not awareness of the law; it is knowing who starts the 24-hour clock, what evidence gets attached, and where the 72-hour update comes from.

What belongs in a 24-hour CRA early-warning draft?

Keep it factual and incomplete where facts are incomplete: product, awareness timestamp, exploitation or severity basis, affected versions if known, first corrective action, and evidence links. A useful draft prevents guessing under time pressure.

Evidence sources

How should a software team use SBOMs for CRA reporting readiness?

Treat the SBOM as one evidence source, not the whole process. The pack should say which product surfaces are covered, what is missing, where artifacts are stored, and who can retrieve them during the first reporting window.

Drills

What should a CRA reporting tabletop drill prove?

The drill should prove that owners can find evidence, identify affected versions, draft a 24-hour early warning, expand it by 72 hours, and list final-report evidence without inventing facts.

Need the product-specific version?

VulnBrief turns your attested facts into a reporting runbook, notification drafts, evidence register, vulnerability-intake policy, and tabletop drill. Flat $3,999, one time.

Build my reporting pack →