What we screen against
Every position in a CRA Readiness report is tied to one of these sources. The regulation is the binding authority; the Commission's draft guidance and ENISA's material are the best available read on the parts that are still settling. All of them are public — check any citation yourself.
Primary law
-
Regulation (EU) 2024/2847 — the Cyber Resilience Act (EUR-Lex)
The binding legal text. Definitions of "product with digital elements" and "remote data processing" (Art. 3), scope (Art. 2), essential requirements and conformity (annexes), the reporting obligations (Art. 14), the classes (Annexes III–IV), and the transitional provisions including the legacy-product reach of Art. 69(3). This is the authority behind every scope, class and duty determination.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj
European Commission
-
Cyber Resilience Act — European Commission policy page
The Commission's overview of the CRA: timeline (reporting from 11 September 2026, full application from 11 December 2027), scope, obligations for manufacturers, importers and distributors, and links to implementing measures as they publish.
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act -
Commission draft scope guidance (March 2026)
Non-binding draft guidance on the CRA's scope — the source for the working answers on the two most-contested edges: standalone SaaS out of scope unless it is a remote data processing solution, and the open-source commercial-activity test. Because it is draft and can change, positions that rest on it are flagged as such in the report. Published via the Commission's CRA pages.
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act -
Commission CRA FAQ and reporting material
The Commission's FAQ and reporting-obligation material, covering the 24/72/14-hour clock, what a "actively exploited vulnerability" and "severe incident" trigger, and how notifications flow to CSIRTs and ENISA.
https://digital-strategy.ec.europa.eu/en/faqs/cyber-resilience-act-faqs
ENISA
-
ENISA — Single Reporting Platform (SRP) and CRA FAQ
ENISA operates the Single Reporting Platform through which manufacturers notify actively exploited vulnerabilities and severe incidents from 11 September 2026. ENISA's SRP material and FAQ are the source for how the reporting channel works — and a live watch item, since the platform's exact process must be usable by the deadline for the 24-hour clock to be met.
https://www.enisa.europa.eu/topics/cyber-resilience-act
On draft and evolving sources. The regulation is fixed; the Commission's scope guidance is draft, the harmonised technical standards are not yet published (expected late 2026), and the SRP is being stood up. We date every report and flag any position that rests on a source that can still move, so you never mistake a provisional read for a settled one. See the methodology for how each source feeds the screening.