SIGNAL·CRA EVIDENCE MAPPING

The EU Cyber Resilience Act requires continuous, audit-ready evidence. Concordance observes it automatically.

Regulation (EU) 2024/2847 — Annex I Essential Requirements
“Manufacturers of software products shall design and develop software products in such a way that the products are secure by default and by design, based on an appropriate risk assessment.”
PART 1 & PART 2
“21 essential requirements addressing product properties and vulnerability handling”
EU Regulation 2024/2847 — OJ L 1, 10.1.2024

50 engineering protocols observed directly from your repos — mapped to all 21 Annex I essential requirements. Real data from your actual toolchain, not questionnaires. The CRA requires manufacturers of software products to demonstrate continuous cybersecurity compliance. For most products, you self-assess (per European Commission estimates). For critical products, notified bodies audit you. Concordance provides the technical documentation.

What Signal measures — and what it doesn't

Concordance observes 50 engineering protocols from your GitHub repos and issue trackers, then maps them to all 21 requirements of CRA Annex I. It reports what it finds — not whether you comply. Conformity decisions rest with your organisation. For most products, you self-assess under CRA (per European Commission estimates). For Important or Critical products, notified bodies conduct conformity assessment. Concordance provides the technical documentation evidence.

Requirements P1.7 (data minimisation), P1.13 (secure disposal), P2.6 (ENISA reporting) and P2.7 (coordinated disclosure) are outside engineering signal scope. Requirements covering organisational policies, supplier assessment and regulatory notification need evidence beyond what repositories can provide.

Try It Now
Run a scan. See how your repo maps to all 21 Annex I requirements.
Point Concordance at any public GitHub repo. You'll see 50 protocol scores observed from the toolchain — mapped to every CRA Annex I requirement with strength ratings. Free, instant, no sign-up.
CRA Compliance Scanner
All 21 Annex I requirements scored from real toolchain data

P1 Product: 13 requirements mapped · Core
P2 Vulnerability: 8 requirements mapped · Strong
Updates: 3 requirements mapped · Strong
Outside Scope: 4 requirements · Template
Pro feature: Run across your full portfolio to surface org-wide CRA evidence continuously.
Context
What is the EU Cyber Resilience Act?

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is the EU's mandatory security regulation for software products. All software sold or provided in the EU must meet 21 essential requirements, demonstrated through conformity assessment, by 11 December 2027.

Annex I defines 21 essential requirements across two parts: Part 1 covers 13 product property requirements (design, configuration, security updates, documentation). Part 2 covers 8 vulnerability handling requirements (identification, testing, remediation, disclosure, SBOMs).

Conformity Assessment: About 90% of software products self-assess their compliance. Products classified as Important or Critical must use a notified body for conformity assessment. Either way, you must produce technical documentation evidence showing how your product meets all 21 requirements.

Timeline: Reporting obligations begin 11 September 2026. Main obligations take effect 11 December 2027. Notified bodies are expected to be designated by mid-2026. Concordance provides continuous evidence mapping — engineering data from your toolchain, structured against Annex I requirements, ready when you need to demonstrate conformity.

21 Annex I Requirements
Most: Self-Assessment Products
19 Requirements w/ Engineering Signal
50 Protocols Mapped
What This Does
Observes the engineering practices Annex I asks about.
The CRA requires manufacturers to deliver secure products and remediate vulnerabilities. Concordance watches how your teams actually do that — from real toolchain data, across every repo, continuously.
PART 1
Product Properties (13 requirements)
Design and development, secure defaults, access protection, data protection, updates, documentation. 36 protocols observe how your teams specify, design, code, review, analyse, test, release and document.
PART 2
Vulnerability Handling (8 requirements)
Identification, testing, remediation, updates, disclosure, SBOMs. 14 protocols observe how your teams find, test, patch and communicate about vulnerabilities.
EVIDENCE
Continuous Documentation
All 50 protocols feed into Annex I requirements. Concordance continuously maps your engineering data to requirements. Your evidence is always current — no questionnaires, no manual documentation.
Note: Concordance surfaces observed engineering data that maps to CRA Annex I requirements. It does not determine, certify, or imply compliance. Conformity decisions rest with your organisation, your notified body (if applicable), and your market surveillance authority.
The Mapping
Annex I → Concordance Protocols
Each CRA requirement maps to specific Concordance protocols. The mapping strength indicates the depth of engineering evidence Concordance surfaces for that requirement.
| Req. | Description | Mapped Protocols | Evidence |
|---|---|---|---|
| P1.1 | Designed and developed to ensure appropriate cybersecurity based on risks | 4.6 Security Analysis, 4.7 Dependency Scanning, 3.1 Branch Protection | Strong |
| P1.2 | Delivered without known exploitable vulnerabilities | 4.6 SAST, 4.7 SCA, 4.2 CI Gating | Strong |
| P1.3 | Secure by default configuration | 3.10 Repo Documentation, 4.9 Environment Parity, 3.9 Secrets Management | Strong |
| P1.4 | Protection against unauthorised access | 3.1 Branch Protection, 3.5 Approval Rigor, 3.6 Code Ownership | Strong |
| P1.5 | Protect confidentiality of stored, transmitted and processed data | 3.9 Secrets Management | Partial |
| P1.6 | Protect integrity of data and commands against manipulation | 3.1 Branch Protection, 4.2 CI Gating, 4.8 Build Reproducibility | Strong |
| P1.7 | Minimise processing of data (data minimisation) | Outside engineering scope: privacy architecture | Template |
| P1.8 | Ensure availability including resilience to denial-of-service | 5.7 Rollback, 5.8 Feature Flags, 6.3 Runbooks, 6.1 Incident Response | Strong |
| P1.9 | Minimise negative impact on availability of other services | 4.9 Environment Parity, 5.7 Rollback, 5.8 Feature Flags | Partial |
| P1.10 | Provide security updates and mechanisms to apply them | 5.2 Release Cadence, 5.4 Release Approval, 5.5 Changelog | Strong |
| P1.11 | Ensure security updates are timely and free of charge | 5.2 Release Cadence, 5.3 Lead Time | Strong |
| P1.12 | Provide clear instructions and security information | 3.10 Repo Docs, 5.5 Changelog, 2.3 Technical Docs | Strong |
| P1.13 | Mechanism for secure disposal of user data | Outside engineering scope: data lifecycle | Template |
| P2.1 | Identify and document vulnerabilities and components | 4.6 SAST, 4.7 SCA, 2.6 Dependency Management | Strong |
| P2.2 | Apply regular testing and review of product security | 4.1 CI Pipeline, 4.2 CI Gating, 4.3 Test Coverage, 4.6 SAST | Strong |
| P2.3 | Address and remediate vulnerabilities without delay | 5.2 Release Cadence, 5.3 Lead Time, 6.7 Change Failure Tracking | Strong |
| P2.4 | Provide security updates separately from functionality updates | 5.5 Changelog, 5.6 Semantic Versioning, 5.8 Feature Flags | Strong |
| P2.5 | Disseminate information about vulnerabilities and corrective measures | 5.5 Changelog, 3.10 Repo Documentation | Partial |
| P2.6 | Share vulnerability information with ENISA and CSIRTs | Outside engineering scope: regulatory reporting | Template |
| P2.7 | Provide mechanism for coordinated vulnerability disclosure | Outside engineering scope: organisational policy | Template |
| P2.8 | Provide SBOM in machine-readable format | 2.6 Dependency Management, 4.7 Dependency Scanning | Partial |
Strong: Automated, observed from toolchain
Partial: Supporting data + policy template
Template: Outside engineering scope, template only
Signal · CRA
Your engineering data, mapped to Annex I.
Same pattern as SOC 2 and ISO 27001. Concordance scores map to the relevant CRA requirement. Data from your existing scan — no additional tooling.
P1.2 (No exploitable vulnerabilities): 4.6 SAST
P1.2 (Vulnerability handling): 4.7 SCA
P1.1 (Risk-based design): 3.1 Branch Protection
P2.2 (Testing & review): 4.3 Test Coverage
P1.10 (Security updates): 5.2 Release Cadence
P2.1 (Vulnerability identification): 4.7 Dependency Scanning
P1.4 (Access protection): 3.5 Approval Rigor
P1.3 (Secure defaults): 3.9 Secrets Management
Evidence Depth
Deepest where CRA asks the most of engineering.
Concordance is an SDLC governance platform. Its deepest data maps to Part 1 and Part 2 requirements — where Annex I asks for engineering proof. For requirements outside engineering scope, we surface what we can and are transparent about where the boundary is.
P1 Product Properties (Core): 13 protocols · Strong
P2 Vulnerability Handling: 8 protocols · Strong
P1.10–P1.12 Update & Documentation: 7 protocols · Strong
P1.5, P1.9 Data & Service Protection: 4 protocols · Partial
P2.5 Vulnerability Dissemination: 2 protocols · Partial
P1.7, P1.13 Data Minimisation & Disposal: Outside scope · Template
How It Works
Self-assessment to notified body submission in four steps.
1. Try a sample scan
Point Concordance at any public repo. See all 50 protocol scores mapped to Annex I requirements. Free, instant, no sign-up.

2. Connect your teams
Read-only OAuth. Create your teams, add your repos. The Portfolio view surfaces CRA-mapped evidence across every team in the org.

3. Continuous observation
CRA requires ongoing compliance. Concordance scans continuously, so your evidence mapping stays current. If practices degrade, you see it before audit time.

4. Ready for assessment
When it's time to self-assess or submit to a notified body, the technical documentation is already structured: per-team, per-requirement, mapped to Annex I, ready for submission.

Portfolio View
Org-wide CRA evidence. Every team. Always current.
A single scan tells you where one repo stands. The Portfolio view surfaces CRA-mapped data across every team in your organisation — continuously.
Concordance Pro · Signal · CRA Annex I
| Team | P1 Props | P2 Vuln | Updates | Docs |
|---|---|---|---|---|
| Platform Core | 4.2 | 3.8 | 3.5 | 4.0 |
| Payments API | 3.9 | 3.1 | 2.8 | 3.6 |
| Mobile Team | 3.4 | 2.5 | 3.2 | 2.9 |
| Data Pipeline | 2.8 | 2.1 | 1.9 | 2.4 |
| Legacy Services | 1.9 | 1.4 | 1.2 | 1.7 |
Illustrative data. Concordance Pro shows your actual team scores across all 21 Annex I requirements.
Sample Scan (Free)

See how the mapping works

Scan any public repo. See all 50 protocol scores mapped through the CRA lens. Understand what engineering data maps to Annex I on a single repo.

Pro · Portfolio View ($99/mo)

Org-wide evidence, continuously

Up to 5 teams, 20 repos. Continuous observation. CRA evidence mapping across every team. Plus SOC 2, ISO 27001, Sentinel, and Bastion lenses.

CRA Timeline
Key dates for manufacturers.
The CRA is now published. Critical deadlines approach. Concordance helps you meet them with continuous evidence.
June 2026
Notified Bodies Designation
Conformity assessment bodies expected to be formally designated.
Sept 11, 2026
Reporting Obligations Begin
Manufacturers must begin reporting vulnerabilities to ENISA and CSIRTs.
Dec 11, 2027
Main Obligations Take Effect
All 21 Annex I requirements become enforceable. Market surveillance begins.

See what your engineering data says about CRA compliance.

Try a free sample scan on any public repo. When you're ready for org-wide evidence, the CRA Signal lens is included with Concordance Pro.