IN SHORT
The Cyber Resilience Act (Regulation (EU) 2024/2847) is the European Union law that makes a software bill of materials mandatory.
If you sell a product with digital elements into the EU, you have to produce a machine-readable SBOM, keep it updated, and hand it over whenever a market surveillance authority asks for it.
Two dates matter. Vulnerability reporting starts on 11 September 2026, and the rest of the obligations, SBOM included, apply from 11 December 2027. The law only requires your top-level dependencies. But that's the same gap that let Log4Shell slip through.
What is the Cyber Resilience Act?
The EU Cyber Resilience Act (CRA) is the first horizontal EU regulation imposing mandatory cybersecurity requirements on hardware and software products with digital elements. It mandates secure-by-design principles, vulnerability handling, and lifecycle transparency for any product sold in the EU market — regardless of where the manufacturer is based.
EURO 15M
24 Hours
10 Years
90%
CRA Compliance Timeline

Who Does the CRA Affect?
Manufacturers
Anyone who develops, manufactures, or has products with digital elements designed and developed under their name or trademark.
Importers
Entities established in the EU that place a product with digital elements bearing a third-country manufacturer's name on the EU market.
Distributors
Any party in the supply chain — other than the manufacturer or importer — who makes a product with digital elements available in the EU market.
Product Classification Under CRA
Default (~90%)
Important Class I
Important Class II
Critical
SBOM Requirements Under CRA
The Cyber Resilience Act mandates comprehensive Software Bill of Materials documentation. The obligation is set out in Article 13(1)(h) together with Annex I, Part II, point (1) of Regulation (EU) 2024/2847.
Here are the key requirements you need to meet:
Vulnerability Reporting Obligations
The CRA introduces strict timelines for reporting actively exploited vulnerabilities and severe incidents to ENISA and your CSIRT.
24h
Early warning notification
72 hrs
Full vulnerability notification
14 days
Final report after correction
1 month
Severe incident report
NEW • FREE RESOURCE
Use our free evaluation rubric to find the one that fits your needs.

A demo and a sales pitch won’t tell you whether an SBOM platform holds up under the CRA. So we built this rubric. It’s a vendor-neutral way to test any platform, including your own, against what the CRA and BSI TR-03183-2 require. There are 66 checks across seven areas, each tied to a specific CRA or BSI requirement, and the summary tab does the math. By the end you can see where each tool is strong and where it falls short. Critical items are flagged, so a dealbreaker can’t slip past.
Generation
Content & Quality
Lifecycle
Vuln & VEX
Format
Integration
Beyond CRA
Get the rubric
Tell us where to send it and we’ll email it over.
How Interlynk Helps?
We map every CRA requirement to a concrete platform capability — so you can demonstrate compliance, not just claim it.
FAQs
More questions? Contact us now.
Trusted by 100+ Organizations
Join 100+ organizations already using Interlynk to automate SBOM management and meet EU regulatory requirements.