CONCORDANCE·CRA EVIDENCE MAPPING

CRA demands evidence.
Your codebase already has it.

Concordance scans 50 engineering protocols across 6 SDLC phases and maps them to all 21 essential requirements of CRA Annex I. Paste any public GitHub, GitLab, or Bitbucket repo — see your evidence in seconds.

📡 SCM-only scan — tracker protocols greyed out.

This is automated engineering evidence mapping only — not a conformity assessment, audit opinion, or attestation. It does not replace a full CRA compliance programme, legal counsel, or assessment by a notified body or market surveillance authority.

CRA conformity is determined through self-assessment (Annex III) or notified body evaluation — not by any tool. Concordance provides evidence signals as-is, with no warranty of completeness or accuracy. Regulation (EU) 2024/2847. See Methodology for full scope details.

50 Protocols → 21 Requirements (Concordance Engine)

Strong: 7 requirements
Partial: 10 requirements
Template: 4 (policy only)

P1.1 Risk-Based Design: 5 protocols
P1.2 No Known Exploitable Vulnerabilities: 3 protocols
P1.3 Secure by Default: 3 protocols
P1.4 Unauthorised Access Protection: 4 protocols
P1.5 Data Confidentiality: 1 protocol
P1.6 Data Integrity: 4 protocols
P1.7 Data Minimisation: policy ref
P1.8 Availability & DDoS Resilience: 4 protocols
P1.9 Service Isolation: 3 protocols
P1.10 Security Updates: 5 protocols
P1.11 Timely & Free Updates: 2 protocols
P1.12 Clear Instructions: 3 protocols
P1.13 Secure Data Disposal: policy ref
P2.1 Vulnerability Identification: 3 protocols
P2.2 Testing & Review: 5 protocols
P2.3 Remediation: 4 protocols
P2.4 Separate Security Updates: 3 protocols
P2.5 Vulnerability Disclosure: 2 protocols
P2.6 ENISA Reporting: policy ref
P2.7 Coordinated Disclosure: policy ref
P2.8 SBOM Provision: 2 protocols

6 SDLC phases: Requirements, Design, Development, Testing, Release, Operations

How Concordance maps to CRA

The Concordance Framework observes 50 engineering protocols across 6 SDLC phases — branch protection, CI pipelines, review quality, dependency management, secrets handling, and more. Each protocol is scored 1–5 and mapped to CRA Annex I requirements, giving you continuous, automated evidence of the engineering practices that support conformity.

P1.1 Risk-Based Design: Strong
P1.2 No Known Exploitable Vulnerabilities: Partial
P1.3 Secure by Default: Partial
P1.4 Unauthorised Access Protection: Partial
P1.5 Data Confidentiality: Partial
P1.6 Data Integrity: Partial
P1.7 Data Minimisation: Template
P1.8 Availability & DDoS Resilience: Partial
P1.9 Service Isolation: Partial
P1.10 Security Updates: Strong
P1.11 Timely & Free Updates: Strong
P1.12 Clear Instructions: Strong
P1.13 Secure Data Disposal: Template
P2.1 Vulnerability Identification: Strong
P2.2 Testing & Review: Strong
P2.3 Remediation: Strong
P2.4 Separate Security Updates: Partial
P2.5 Vulnerability Disclosure: Partial
P2.6 ENISA Reporting: Template
P2.7 Coordinated Disclosure: Template
P2.8 SBOM Provision: Partial

Strong — good protocol coverage
Partial — some signals; also requires non-engineering evidence
Template — outside engineering signal scope

What is the Cyber Resilience Act?

The Cyber Resilience Act (Regulation (EU) 2024/2847) establishes cybersecurity requirements for products with digital elements sold in the EU. Annex I defines 21 essential requirements in two parts: 13 product security requirements (Part 1) and 8 vulnerability handling requirements (Part 2). Reporting obligations begin September 2026; main obligations apply from December 2027.

Most products can self-assess conformity under Annex III (per European Commission estimates). Important and Critical products require third-party assessment by a notified body. The Concordance Framework maps real engineering data to these requirements — providing the kind of structured, continuous evidence that supports conformity readiness. Stay audit-ready at all times.

CONCORDANCE PRO

The full CRA evidence report

21 requirements scored, technical documentation referenced, conformity-ready PDF exported — continuously, across every repo.

SOC 2 Type II · ISO 27001:2022 · NIS2 Art. 21 · CRA Annex I