What format does the CRA require for the SBOM?

Regulation (EU) 2024/2847 does not mandate a specific SBOM format (SPDX, CycloneDX, SWID). CRACheck generates it as a structured section within the Technical Documentation PDF. If a market surveillance authority requests a machine-readable format, you may need to export it separately.

Does the SBOM need to include open-source licence information?

Annex VII point 2(b) focuses on vulnerability handling. Licence information is relevant for open-source compliance but is not explicitly required by the CRA SBOM provision. However, including licence types is good practice.

Our product uses a SoC with embedded firmware from the chip vendor — do we include that?

Yes. If the SoC's embedded firmware contributes to the product's digital functionality and has a potential vulnerability surface, it should be documented.

How often must the SBOM be updated?

Article 31.2 requires technical documentation to be continuously updated during the support period. When you update firmware, add or replace a software component, the SBOM section must reflect the change.

Is the SBOM shared with the public?

No. The SBOM is part of your technical documentation, kept at the disposal of market surveillance authorities (Art. 13(13)). Annex VII point 8 allows authorities to request it — but it is not a public document.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Your EU buyer has added an SBOM clause to the purchase order. Annex VII point 2(b) of Regulation (EU) 2024/2847 requires the technical documentation to include the software bill of materials. Your product integrates a Realtek WiFi chip, a FreeRTOS kernel, three open-source libraries and a Tuya SDK. The SBOM documents all of them. CRACheck generates it as part of the 8-document Annex VII dossier.

The SBOM is not a standalone deliverable under the CRA — it is part of the technical documentation required by Article 31 and Annex VII. Point 2(b) of Annex VII requires "the software bill of materials" as part of the vulnerability handling processes documentation. Point 8 adds that market surveillance authorities may request the SBOM separately. If you do not know what software runs in your product, you cannot produce the SBOM. If you cannot produce the SBOM, your Annex VII documentation is incomplete. CRACheck structures the SBOM section within the Technical Documentation. 15-25 minutes. €149. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Annex VII.2(b)

SBOM is a mandatory element of CRA technical documentation.

Annex VII.8

Market surveillance authorities can request the full SBOM separately.

€149

CRACheck structures the SBOM as part of the complete 8-document dossier.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Inventory all software components

Firmware, RTOS, SDK, drivers, open-source libraries, third-party modules. Include version numbers.

Map dependencies

Which components depend on which. Which are updatable independently. Which are embedded in the SoC.

Enter data in CRACheck

The generator guides you through the component inventory. The SBOM is generated as part of the Technical Documentation.

Review with your firmware team

Validate that no component is missing. Check version numbers. Verify licence types for open-source components.

Download and deliver

The SBOM is embedded in the Technical Documentation PDF and also available for separate extraction if a market surveillance authority requests it under Annex VII point 8.

Common mistakes

❌

ANNEX VII.2(b)

"We use a third-party SDK — we do not know what libraries are inside it"

Article 13.5 requires manufacturers to exercise due diligence when integrating third-party components. If you integrate a WiFi SDK and do not know its software dependencies, your due diligence is incomplete. Request the SBOM from your SDK vendor. If they cannot provide it, that is a supply chain risk you must document.

❌

ART. 13.6

"Our SBOM is a confidential trade secret — we cannot share it"

Annex VII point 8 states that the SBOM must be provided "further to a reasoned request from a market surveillance authority." It is not published publicly. Your trade secrets are protected under Directive (EU) 2016/943. The SBOM can use component names and versions without disclosing source code.

❌

ANNEX I, PART II

"We listed our main components — a high-level SBOM is enough"

Annex VII point 2(b) requires the SBOM as part of vulnerability handling documentation. The purpose is to enable identification of known vulnerabilities. A high-level list of "WiFi module" and "RTOS" does not enable CVE matching. Include component names, versions and suppliers at a level that enables vulnerability tracking.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Annex III classification. Reporting obligations apply to all products regardless of classification.

Technical Documentation

Art. 31 + Annex VII. Contains the SBOM section per Annex VII point 2(b). The core document.

Risk Assessment

Art. 13.2-13.3. References known vulnerabilities in SBOM components.

User Information

Annex II. Includes the vulnerability reporting contact address for external reporters.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Coordinated Vulnerability Disclosure. Covers vulnerability handling for third-party components identified in the SBOM.

Notification Template

Art. 14 ENISA notification. Pre-structured for the 24h/72h/14d timeline.

Obligations Calendar

CRA dates and support period milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 SBOM AUDIT + CRA DOCUMENTATION BY CONSULTANCY

€5,000–€15,000

SBOM extraction tools + documentation. 2-4 months.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history