CRA topic guides

CRA deep-dives

Last updated · 8 Jun 2026

The EU Cyber Resilience Act has a lot of moving parts. These guides cover the requirements and concepts that matter most for manufacturers: SBOMs, security by design, vulnerability handling and more. Each one explains what the law says, how to comply in practice, and where people go wrong.

Get the CRA Checklist What is the CRA?

Topic guides

Explore the key requirements

SBOM

SBOM (Software Bill of Materials) under the CRA

An SBOM is an "ingredients label" for your software: a machine-readable inventory of components and dependencies.

Read the guide →

Security by design

Security by design under the CRA

Security by design means building in security from the first design decision, proportionate to the product's risk.

Read the guide →

Secure by default

Secure by default under the CRA

Secure by default means the out-of-the-box configuration is the safe configuration.

Read the guide →

Secure software development

Secure software development under the CRA

A secure software development lifecycle (SDLC) is implied throughout the CRA's essential requirements.

Read the guide →

Software supply chain security

Software supply chain security under the CRA

You are responsible for the security of third-party and open-source components you ship.

Read the guide →

Coordinated vulnerability disclosure

Coordinated vulnerability disclosure (CVD) under the CRA

A coordinated vulnerability disclosure policy is a mandatory CRA requirement (Annex I, Part II).

Read the guide →

Not sure where to start?

The CRA Readiness Checklist walks you through the key obligations step by step, from scoping to conformity assessment.

Get the CRA Checklist

The CRA Brief

Stay current on CRA guidance

We watch Brussels so you don't. Plain-English CRA updates, free.

No spam. Unsubscribe anytime.