
CRA Glossary: Key Terms Explained

Definitions of the key terms used in the EU Cyber Resilience Act — from Annex I and Article 14 to SBOM, CVD, Notified Body, and Market Surveillance Authority.

A

Annex I

The schedule to the CRA that lists all essential cybersecurity requirements products must satisfy. Part I covers product requirements (security by design, no known exploitable vulnerabilities, secure defaults, etc.). Part II covers vulnerability and incident handling obligations that apply throughout the product's support period.

Article 14

The CRA article requiring manufacturers to report actively exploited vulnerabilities and incidents to ENISA (via the EUVD platform) within strict timelines: an early warning within 24 hours of becoming aware, a detailed report within 72 hours, and a final report once the incident is resolved. These obligations apply from 11 September 2026.

Article 15

The CRA article governing vulnerability handling. Manufacturers must establish a coordinated vulnerability disclosure (CVD) policy, acknowledge reported vulnerabilities promptly, investigate and remediate them without undue delay, and make information about mitigations publicly available.

Article 30

The CRA article specifying what an EU Declaration of Conformity must contain, including product identification, the manufacturer's name and address, a statement that essential requirements are met, a reference to any harmonised standards applied, and the authorised signatory.

C

CE Marking

The conformity mark affixed to products that meet applicable EU legislation, including the CRA. For products with digital elements, CE marking signals that the manufacturer has completed the required conformity assessment and drawn up an EU Declaration of Conformity. From 11 December 2027, in-scope products cannot be placed on the EU market without CE marking.

Conformity Assessment

The process by which a manufacturer demonstrates that a product meets the CRA's essential cybersecurity requirements. Default and most Class I products can follow the internal control route (Module A — self-assessment). Higher-risk Class I products and all Class II products require third-party assessment by a notified body.

CSAF (Common Security Advisory Framework)

An OASIS standard for machine-readable security advisories. Under the CRA, manufacturers are expected to publish CSAF documents (or equivalent) when issuing security patches, enabling customers and downstream software composition analysis tools to parse vulnerability information automatically.

CVD (Coordinated Vulnerability Disclosure)

A process in which vulnerability researchers report security issues to manufacturers privately, allowing time to develop and release a fix before public disclosure. The CRA mandates that manufacturers maintain a CVD policy and a publicly accessible disclosure channel, aligned with ISO/IEC 29147.

CVE (Common Vulnerabilities and Exposures)

A publicly maintained catalogue of known cybersecurity vulnerabilities, each assigned a unique identifier (e.g., CVE-2024-12345). Manufacturers must track CVEs affecting components in their products' SBOMs and remediate those that are actively exploited.

CVSS (Common Vulnerability Scoring System)

An open framework for rating the severity of software vulnerabilities on a 0–10 scale. While the CRA does not mandate CVSS, it is widely used alongside EPSS scores to prioritise remediation. CVSS v3.1 and CVSS v4.0 are the current versions in common use.

CVSS Score

The numeric output of the CVSS calculation, ranging from 0.0 (none) to 10.0 (critical). Scores are split into bands: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0). A high CVSS score alone does not mean a vulnerability is being exploited — EPSS provides exploitation probability.

D

Declaration of Conformity

See EU Declaration of Conformity / Article 30.

Distributor

Under the CRA, a natural or legal person in the supply chain that makes a product available on the market without substantially modifying it. Distributors have lighter obligations than manufacturers — they must verify CE marking is present, cooperate with market surveillance authorities, and avoid distributing non-compliant products.

E

End-of-Life Date

The date after which a manufacturer stops providing security updates for a product. The CRA requires manufacturers to support products for at least five years (or the product's expected lifetime if shorter) and to clearly communicate the end-of-life date to users. Products must not be placed on the market if the support period has already elapsed.

ENISA

The European Union Agency for Cybersecurity. Under the CRA, ENISA receives Article 14 vulnerability and incident reports via the European Vulnerability Database (EUVD). ENISA also publishes guidance on implementing CRA requirements and coordinates with national Computer Security Incident Response Teams (CSIRTs).

Essential Cybersecurity Requirements

The mandatory security properties that all products with digital elements must satisfy, defined in Annex I of the CRA. They include requirements such as no known exploitable vulnerabilities at time of market placement, secure by default configuration, access controls, data minimisation, secure update mechanisms, and protection of confidentiality, integrity, and availability.

Exploitability

The likelihood that a vulnerability can be exploited in practice. The CRA requires manufacturers to prioritise vulnerabilities based on exploitability — particularly those that are actively exploited in the wild, which trigger Article 14 early-warning reporting within 24 hours.

EU Declaration of Conformity

A document drawn up by the manufacturer declaring that a product with digital elements satisfies the CRA's essential cybersecurity requirements. Must include: product identification, manufacturer details, applicable standards or technical specifications, conformity assessment procedure used, CE marking affixed date, and an authorised signatory. Must be kept for at least 10 years.

H

Harmonised Standard

A European standard published in the Official Journal of the EU that provides a presumption of conformity with specific regulatory requirements. Manufacturers who apply a harmonised standard in full are presumed to meet the CRA requirements covered by that standard, reducing the burden of conformity assessment. ETSI and CEN/CENELEC are developing CRA harmonised standards.

I

Important Product

A category of product with digital elements defined in Annex III of the CRA that poses a higher cybersecurity risk due to its function or connectivity. Class I important products include identity management software, VPNs, password managers, and network management software. Class II includes operating systems, industrial control systems, and security hardware. Both classes face stricter conformity assessment requirements.

Importer

A natural or legal person established in the EU that places a product from a third country on the EU market. Importers bear significant obligations under the CRA: they must verify that the manufacturer has carried out the appropriate conformity assessment, that the technical file exists, and that the product bears CE marking. If they have reason to believe a product is non-compliant, they must not place it on the market.

Incident

Under Article 14 of the CRA, any event that has a significant impact on the security of a product with digital elements — in particular, the exploitation of a vulnerability in that product. Incidents involving actively exploited vulnerabilities must be reported to ENISA within 24 hours of the manufacturer becoming aware.

M

Manufacturer

The natural or legal person who develops or manufactures a product with digital elements and places it on the EU market under their own name or trademark. Manufacturers bear the primary compliance burden under the CRA, including conducting conformity assessments, drawing up technical files, affixing CE marking, and providing security updates.

Market Surveillance Authority

The national authority in each EU member state responsible for market surveillance of products, including enforcement of CRA compliance. Market surveillance authorities can request technical documentation, order recalls, prohibit products from being placed on the market, and impose financial penalties for non-compliance.

N

Notified Body

A conformity assessment organisation accredited and notified to the European Commission to carry out third-party assessments under EU legislation. For the CRA, certain Class I and all Class II important products require assessment by a notified body rather than self-declaration. Manufacturers choose their own notified body from the NANDO database.

O

Open Source Software

Software released under a licence that allows inspection, modification, and redistribution of the source code. The CRA includes a carefully scoped exemption for open source software developed outside a commercial activity. However, companies that commercialise open source software (e.g., by selling support, offering it as a SaaS wrapper, or including it in a paid product) are generally considered manufacturers and must comply with the CRA.

P

Product with Digital Elements (PDE)

The core term of scope in the CRA — any hardware or software product that has a direct or indirect logical or physical data connection to another device or network. This deliberately broad definition captures smart home devices, routers, industrial sensors, consumer software applications, and connected medical devices. Purely cloud-delivered SaaS without an associated downloadable component is generally not a PDE.

R

Remote Data Processing

Data processing that takes place at infrastructure remote from the product — typically cloud or server-side components. The CRA covers remote data processing that is essential for the functioning of a product, meaning a pure-SaaS element that a PDE depends on also falls within scope of the CRA's requirements.

Risk Assessment

The process of identifying, analysing, and evaluating cybersecurity risks associated with a product. Under the CRA, manufacturers must conduct a cybersecurity risk assessment for each product and use it to inform design decisions, the technical file, and the conformity assessment. The risk assessment should consider the product's intended use, foreseeable misuse, and the severity and likelihood of potential incidents.

S

SBOM (Software Bill of Materials)

A formal, structured list of all software components, libraries, and their versions included in a product. The CRA requires manufacturers to identify and document all components in their products to enable rapid vulnerability identification. Machine-readable formats such as SPDX and CycloneDX are preferred and widely supported by tooling.
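As an added illustration (not code from CRAReady or from the CRA itself), the following Python script shows the tracking step described in this entry and in the CVE entry above: it parses a constructed CycloneDX JSON SBOM, matches each component against a constructed advisory feed, classifies each hit into the CVSS bands listed under CVSS Score, and tags actively exploited findings as Article 14 reporting triggers (24-hour early warning, 72-hour report) versus ordinary Article 15 remediation. The component names, the CVE identifiers (placeholders, not real vulnerabilities), the feed layout and its introduced/fixed range convention are all assumptions made for the example.

```python
"""Cross-reference a CycloneDX SBOM against a vulnerability feed and triage
each hit by CVSS band and exploitation status.

Added example: the SBOM, the advisory feed and the CVE identifiers below
are constructed placeholders, not real products or vulnerabilities.
"""
import json

# Constructed minimal CycloneDX 1.5 JSON SBOM for a fictitious product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-parser", "version": "2.3.1",
         "purl": "pkg:pypi/example-parser@2.3.1"},
        {"type": "library", "name": "example-tls", "version": "1.0.4",
         "purl": "pkg:pypi/example-tls@1.0.4"},
        {"type": "library", "name": "example-log", "version": "0.9.0",
         "purl": "pkg:pypi/example-log@0.9.0"},
    ],
})

# Constructed advisory feed (assumed layout). Each entry names the package
# by versionless purl and an affected range in the introduced/fixed style
# used by OSV-like feeds; "fixed" is exclusive.
SAMPLE_FEED = [
    {"id": "CVE-0000-00001", "purl": "pkg:pypi/example-parser",
     "introduced": "2.0.0", "fixed": "2.3.2", "cvss": 9.8,
     "actively_exploited": True},
    {"id": "CVE-0000-00002", "purl": "pkg:pypi/example-tls",
     "introduced": "1.0.0", "fixed": "1.0.5", "cvss": 5.3,
     "actively_exploited": False},
    {"id": "CVE-0000-00003", "purl": "pkg:pypi/example-log",
     "introduced": "0.8.0", "fixed": "0.9.0", "cvss": 7.5,
     "actively_exploited": False},
]


def cvss_band(score: float) -> str:
    """Map a CVSS base score to the qualitative bands of CVSS v3.1 / v4.0."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def version_key(version: str) -> tuple:
    """Comparable tuple for a dotted numeric version (simplified: no
    pre-release tags or build metadata)."""
    return tuple(int(part) for part in version.split("."))


def parse_sbom(sbom_json: str) -> list:
    """Return (versionless purl, version) pairs from a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for comp in doc.get("components", []):
        purl = comp["purl"].split("@", 1)[0]  # strip the "@version" suffix
        components.append((purl, comp["version"]))
    return components


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed."""
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def triage_action(advisory: dict) -> str:
    """Reporting path: active exploitation triggers Article 14 timelines,
    everything else is routine Article 15 vulnerability handling."""
    if advisory["actively_exploited"]:
        return "Article 14: early warning to ENISA within 24 h, report within 72 h"
    return "Article 15: remediate without undue delay"


def match_sbom(sbom_json: str, feed: list) -> list:
    """Return findings sorted with actively exploited first, then by score."""
    findings = []
    for purl, version in parse_sbom(sbom_json):
        for adv in feed:
            if adv["purl"] == purl and is_affected(version, adv):
                findings.append({
                    "component": f"{purl}@{version}",
                    "cve": adv["id"],
                    "cvss": adv["cvss"],
                    "band": cvss_band(adv["cvss"]),
                    "actively_exploited": adv["actively_exploited"],
                    "action": triage_action(adv),
                })
    findings.sort(key=lambda f: (not f["actively_exploited"], -f["cvss"]))
    return findings


if __name__ == "__main__":
    for finding in match_sbom(SAMPLE_SBOM, SAMPLE_FEED):
        print(f"{finding['component']}: {finding['cve']} "
              f"(CVSS {finding['cvss']} {finding['band']}) -> {finding['action']}")
```

Running the script reports two findings: the parser library (CVSS 9.8, Critical, actively exploited) is listed first with the Article 14 timeline, the TLS library (5.3, Medium) follows as an Article 15 remediation, and the logging library is not reported because its shipped version is the fixed version. Real feeds use richer range semantics and version schemes than the numeric tuples here, so production matching should rely on the feed's own comparison rules.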

Security by Design

The principle that security is built into a product from the outset rather than retrofitted. Annex I of the CRA requires manufacturers to design and develop products so that the attack surface is minimised, security features are enabled by default, and insecure configurations are not possible without explicit user action.

Security Patch

A software update that fixes one or more identified security vulnerabilities. The CRA requires manufacturers to provide security patches for the product's supported lifetime (minimum five years) and to make patches available without undue delay after a vulnerability is confirmed. Patches must not introduce new vulnerabilities.

T

Technical File

A mandatory document (or set of documents) that manufacturers must compile and maintain demonstrating how a product meets the CRA's essential requirements. The technical file must include: a product description, design and development documentation, the cybersecurity risk assessment, security requirements and how they are met, test results, the EU Declaration of Conformity, and any conformity assessment reports. It must be retained for 10 years and made available to market surveillance authorities on request.

V

Vulnerability

A weakness in a product's design, implementation, or configuration that could be exploited to compromise its security. The CRA requires manufacturers to have no known exploitable vulnerabilities in products at the time of market placement, to monitor for new vulnerabilities throughout the support period, and to remediate discovered vulnerabilities without undue delay.

CRA Glossary: Key Terms Explained | CRAReady