Technical Brief

Product Features and Technical Architecture | Expert CRA

A compact technical and business overview of Expert CRA — the CRA lifecycle suite combining readiness assessment, conformity evidence, SBOM operations, Article 14 workflows, and audit trails.

Last updated: May 27, 2026
Audience: Product leadership, Compliance, Security, Auditors

Expert CRA Assess + Operate

Two Product Modules, One CRA Lifecycle

Expert CRA combines two complementary products. Expert CRA Assess supports scope evaluation, economic-operator role mapping, product classification, conformity-route determination, Annex I control assessment, Annex VII technical-documentation checks, findings, corrective measures, EU Declaration of Conformity draft support, and consultant deliverable tracking.

Expert CRA Operate supports continuous compliance operations: SBOM evidence ingestion, vulnerability intelligence, AI-assisted triage, VEX review, human-approved Article 14 reporting workflows, notifications, and audit evidence.

Together, the suite helps manufacturers move from initial CRA readiness to ongoing vulnerability and reporting operations without splitting evidence across disconnected tools.

Product Scope And Governance

1. Purpose

Expert CRA is the product experience for the CRA readiness and operations suite. It helps manufacturers of products with digital elements assess and run EU Cyber Resilience Act (CRA) work: scope and classification, conformity route, Annex I controls, Annex VII documentation, product registration, SBOM evidence collection, vulnerability and severe-incident triage, human review, Single Reporting Platform (SRP) workflows, notifications, findings, corrective measures, and audit evidence.

The product is designed around a simple operating principle: automation can prepare, prioritize, validate, remind, and submit, but legally meaningful decisions stay under human control and are preserved in an audit trail. The implementation treats compliance evidence as a regulated system of record rather than as temporary scanner output.

2. Primary Users

  • Security and compliance reviewers work triage queues, record VEX evidence, and prepare SRP drafts.
  • Approvers review finalized evidence and payloads before submission.
  • Auditors inspect read-only evidence, audit logs, and submission history.
  • Organization administrators manage service keys, products, and workspace readiness.
  • Platform super-admins onboard organizations and monitor platform-level status.

3. Workspace And Organization Management

Organization Workspace

Each organization has its own workspace containing products, SBOMs, vulnerability findings, review cases, SRP workflows, notifications, and audit evidence. Legal hold status is surfaced on organization and workspace views so users know when evidence must be preserved with extra care.

Organization Profile

The organization profile captures business and regulatory data that appears in submissions and readiness checks: legal name, registration number, country, primary compliance contact, and main-establishment Member State for CRA Article 14(7) routing.

Product Operations

4. Dashboard And Work Prioritization

The Overview dashboard acts as a daily control room. It summarizes product portfolio coverage, SBOM inventory, vulnerable packages, and critical CRA actions. Deadline awareness is a first-class product behavior, surfacing 24h, 72h, and final submission deadlines.

5. Product Registry

Products are the source of truth for all downstream evidence and reporting. Users can register product names, CRA categories (standard, important, or critical), security contacts, and support periods. Only registered active product versions can receive new SBOM evidence.

6. Product Context For Better Decisions

Users can upload product-context documents (security architecture, threat models, user manuals) that help reviewers and AI-assisted analysis understand the product. This improves product-aware affectedness reasoning without changing the locked SBOM evidence.

Evidence, Analysis, And Triage

7. SBOM Evidence And Component Inventory

The SBOM Library supports complete evidence-set uploads (CycloneDX 1.4-1.7, SPDX 2.2-3.0) for registered versions. The API validates files, computes content hashes, and archives raw evidence to S3-compatible object storage with WORM (Write Once Read Many) retention metadata.
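As an added illustration of the ingestion steps this section lists (validate the upload against the registry, detect the SBOM format and spec version, hash the raw bytes, attach WORM retention metadata), the following is example code rather than Expert CRA's own implementation. The record layout, the object-lock fields, the retention period and the sample CycloneDX document are constructed assumptions.

```python
import hashlib
import json

# Formats and spec versions the brief lists as accepted (CycloneDX 1.4-1.7, SPDX 2.2-3.0).
ACCEPTED = {"CycloneDX": {"1.4", "1.5", "1.6", "1.7"}, "SPDX": {"2.2", "2.3", "3.0"}}

def content_hash(raw: bytes) -> str:
    # Hash the raw upload, not a re-serialised parse, so the hash matches the archived file.
    return hashlib.sha256(raw).hexdigest()

def detect_format(doc: dict):
    """Return (format, version) for a parsed JSON SBOM, or None if unrecognised."""
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", str(doc.get("specVersion", ""))
    spdx = doc.get("spdxVersion")  # SPDX 2.x JSON carries "SPDX-2.2" / "SPDX-2.3"
    if isinstance(spdx, str) and spdx.startswith("SPDX-"):
        return "SPDX", spdx[len("SPDX-"):]
    ctx = doc.get("@context", "")  # SPDX 3.0 JSON-LD is identified by its context URL
    if isinstance(ctx, str) and "spdx.org/rdf/3.0" in ctx:
        return "SPDX", "3.0"
    return None

def check_sbom(raw: bytes, product_version: str, active_versions: set, retain_days: int = 3650) -> dict:
    """Validate an upload against the registry and build the archive record.
    Record layout and object-lock fields are hypothetical; the retention period is a placeholder."""
    if product_version not in active_versions:
        return {"ok": False, "reason": "product version not registered or not active"}
    try:
        doc = json.loads(raw)
    except ValueError:
        return {"ok": False, "reason": "not valid JSON"}
    detected = detect_format(doc) if isinstance(doc, dict) else None
    if detected is None:
        return {"ok": False, "reason": "not a recognised CycloneDX or SPDX document"}
    fmt, ver = detected
    if ver not in ACCEPTED[fmt]:
        return {"ok": False, "reason": f"unsupported {fmt} spec version {ver}"}
    return {"ok": True, "product_version": product_version, "format": fmt, "spec_version": ver,
            "sha256": content_hash(raw),
            # Retention metadata stored with the object so the store refuses overwrite or delete.
            "object_lock": {"mode": "COMPLIANCE", "retain_days": retain_days}}

# Constructed minimal CycloneDX 1.5 document used as sample input.
SAMPLE_CYCLONEDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "2.0.1"}]}).encode()
```

Hashing the raw bytes before any parsing or re-serialisation matters: a hash over a normalised tree would not match the archived file, and the archived file is what an auditor will re-hash.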

8. Vulnerability Intelligence And Monitoring

Expert CRA combines SBOM inventory with vulnerability intelligence from OSV, CISA KEV, FIRST EPSS, and ENISA EUVD. The system distinguishes between full baseline scans and impact deltas, preserving an append-only impact event for audit traceability.

9. AI-Assisted CRA Analysis

Analysis jobs read locked SBOM evidence and product context to provide report candidates, monitor dispositions, or manual triage handoffs. No-report and not-affected outcomes require human evidence and a final reviewer decision.

10. Vulnerability Triage And VEX Evidence

Reviewers can record VEX evidence with product-specific justifications (not affected, affected, fixed, under investigation). Final VEX decisions are locked into the audit history.

11. Human Review Workbench

Organizes cases by type (SRP submissions, VEX triage, intermediate reports) with an explicit state-machine model. This ensures reviewer and approver responsibilities stay separate and auditable.

CRA Article 14 Reporting

12. SRP Submission Workflows

Manages the full Article 14 reporting lifecycle for vulnerabilities and severe incidents:

  • 24-hour early warning (Art. 14(2)(a))
  • 72-hour notification (Art. 14(2)(b))
  • Final report (within 14 days of mitigation availability)

13. Manual Intake

Allows immediate intake of known exploited vulnerabilities or severe incidents when the manufacturer already has evidence, bypassing the initial scanner path to meet the 24-hour deadline.

14. Intermediate Reports And Dissemination Delay

Supports authority-driven status updates and sensitivity-driven dissemination-delay requests using the same review and approval discipline.

Notifications, Automation, And Audit

15. Notifications And Activity

Reliable notification delivery via email, SMS, Slack, and Teams. Persistent notification rows ensure delivery is tracked and retryable under provider failures.

16. Service Keys And Automation

Organization-scoped service keys for SBOM ingestion automation in CI/CD pipelines, with last-used tracking and immediate revocation capability.

17. Audit, Evidence, And Non-Repudiation

Preserves a non-repudiable record using hash-chained audit entries, S3 WORM storage, and canonical signed envelopes for evidence integrity.
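As an added illustration of hash-chained audit entries in canonical signed envelopes (example code, not Expert CRA's own implementation): each entry is canonically encoded, its hash commits to the previous entry's hash, the envelope carries a signature, and verification recomputes every hash, link and signature. The HMAC key stands in for whatever signing scheme the product uses; the key, field names and sample actions are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment would sign with a key held in a KMS/HSM, typically an
# asymmetric one so auditors can verify without holding the signing secret (assumption).
SIGNING_KEY = b"demo-only-audit-signing-key"
GENESIS = "0" * 64
BODY_FIELDS = ("seq", "actor", "action", "payload", "prev_hash")

def canonical(obj) -> bytes:
    """Deterministic JSON: sorted keys, no whitespace, so equal entries hash and sign identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()

def sign(entry_hash: str) -> str:
    return hmac.new(SIGNING_KEY, entry_hash.encode(), "sha256").hexdigest()

def append_entry(chain: list, actor: str, action: str, payload: dict) -> dict:
    """Append a signed envelope whose hash commits to the previous entry's hash."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"seq": len(chain), "actor": actor, "action": action, "payload": payload, "prev_hash": prev}
    entry_hash = hashlib.sha256(canonical(body)).hexdigest()
    envelope = {**body, "entry_hash": entry_hash, "signature": sign(entry_hash)}
    chain.append(envelope)
    return envelope

def verify_chain(chain: list):
    """Recompute every hash, link and signature. Returns (True, None) or (False, bad_index)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        try:
            body = {k: e[k] for k in BODY_FIELDS}
        except (KeyError, TypeError):  # malformed envelope
            return False, i
        expected = hashlib.sha256(canonical(body)).hexdigest()
        if (e["seq"] != i or e["prev_hash"] != prev or e["entry_hash"] != expected
                or not hmac.compare_digest(sign(expected), e.get("signature", ""))):
            return False, i
        prev = e["entry_hash"]
    return True, None

def build_demo_chain() -> list:
    """Constructed sample: a VEX decision, its approval, and an SRP early-warning submission."""
    chain = []
    append_entry(chain, "reviewer@example.test", "vex.record",
                 {"component": "example-lib@2.0.1", "status": "not_affected"})
    append_entry(chain, "approver@example.test", "vex.approve", {"case": "case-0001"})
    append_entry(chain, "system", "srp.submit", {"case": "case-0001", "stage": "early_warning_24h"})
    return chain
```

A hash chain alone does not detect truncation: dropping the newest entries leaves a chain that still verifies, which is why the latest entry hash should be anchored outside the database (for example in the WORM store this section mentions) and compared on each verification.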

Architecture, Boundaries, And Value

18. Technical Implementation Choices

  • Backend-owned ingestion: API handles validation and archival.
  • Immutable baselines: Scans are locked to product versions.
  • Durable workers: Background tasks are reliable and retryable.
  • Tenant isolation: Reinforced by Row-Level Security (RLS).

19. Current Product Boundaries

SRP reporting is the primary regulated workflow. AI is draft support only. Product versions are mandatory for locked evidence. Final reporting is tied to mitigation availability.

20. Business Value

Expert CRA delivers deadline control, lower triage burden, cleaner evidence, stronger accountability, and technical defensibility to manufacturers facing the most significant cybersecurity reform in EU history.