Indian development teams adopted SBOM tooling years before the CRA existed. Syft, Trivy, CycloneDX — the pipeline produces machine-readable dependency lists on every build. But Annex VII §2(b) of Regulation (EU) 2024/2847 requires the SBOM as part of the vulnerability handling documentation, alongside the coordinated vulnerability disclosure policy and evidence of secure update distribution. The contractual requirement is not "send us a JSON file." It is "deliver Annex VII technical documentation that includes the SBOM in context." CRACheck structures the entire dossier: 8 PDF documents, SBOM contextualised within Annex VII §2(b), 15–25 minutes, €149 per product. 100% browser-side.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
CycloneDX or SPDX output is the raw material, not the deliverable. Annex VII §2(b) of Regulation (EU) 2024/2847 requires the SBOM as part of the technical documentation, alongside the coordinated vulnerability disclosure policy and evidence of secure update distribution. Sending a JSON file is like sending a spreadsheet instead of a financial report — the data is there but the structure is missing.
Annex I Part II §1 of Regulation (EU) 2024/2847 specifies "covering at the very least the top-level dependencies." This means direct dependencies as a minimum — but market surveillance authorities may request deeper visibility. Best practice is to include transitive dependencies for security-critical components. CRACheck structures the SBOM section to reflect regulatory expectations.
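One way to check what an SBOM actually covers before it goes into the dossier, as an added example (not CRACheck's code): the script below walks the `dependencies` graph of a constructed CycloneDX 1.5 document from the root component and separates the top-level dependencies that Annex I Part II §1 requires at minimum from transitive ones and from components that are listed but not linked to anything (a flat list with no graph is the usual cause).

```python
import json

# Constructed sample CycloneDX 1.5 SBOM: one application with two direct
# dependencies, one transitive dependency, and one component that appears in
# "components" but is never referenced in the dependency graph.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-api", "type": "application"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
        {"bom-ref": "pkg:pypi/urllib3@2.2.1", "name": "urllib3", "version": "2.2.1"},
        {"bom-ref": "pkg:pypi/pyjwt@2.8.0", "name": "pyjwt", "version": "2.8.0"},
        {"bom-ref": "pkg:pypi/orphan@1.0.0", "name": "orphan", "version": "1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/pyjwt@2.8.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.2.1"]},
    ],
})


def classify_dependencies(bom_json: str) -> dict:
    """Return {'direct': [...], 'transitive': [...], 'unreachable': [...]}.

    'direct' are the top-level dependencies of the root component (the
    Annex I Part II §1 minimum); 'transitive' are reachable from them;
    'unreachable' are listed components with no path from the root.
    """
    bom = json.loads(bom_json)
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    listed = [c["bom-ref"] for c in bom.get("components", [])]
    direct = edges.get(root, [])
    # Depth-first walk from the direct dependencies to collect transitive ones.
    seen, stack = set(direct), list(direct)
    while stack:
        for child in edges.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    transitive = [ref for ref in listed if ref in seen and ref not in direct]
    unreachable = [ref for ref in listed if ref not in seen]
    return {"direct": direct, "transitive": transitive, "unreachable": unreachable}
```

A non-empty `unreachable` list, or an empty `direct` list on a product with known dependencies, means the generator did not emit a dependency graph and the SBOM cannot show top-level coverage.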
The SBOM is mandatory in two places: Annex I Part II §1 (vulnerability handling requirement) and Annex VII §2(b) (technical documentation content). Annex VII §8 adds that the SBOM must be provided to market surveillance authorities upon reasoned request. Your client is not overreaching — they are reading the regulation correctly.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

- Annex III/IV classification.
- Annex VII with SBOM contextualised in §2(b): design, development, and vulnerability handling documentation.
- Art. 13(2): cybersecurity risk assessment including supply chain risk from third-party dependencies identified in the SBOM.
- Annex II: includes vulnerability reporting contact and support period.
- Art. 28 + Annex V.
- Annex I Part II §5: coordinated vulnerability disclosure policy, the companion document to the SBOM.
- Art. 14: ENISA notification for vulnerabilities discovered in SBOM components. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
- Key dates.
Look before you buy: download the sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
Structures your SBOM data within the Annex VII §2(b) framework. Generates the complete 8-document dossier. 15–25 minutes. €149.
Does not scan your codebase for dependencies — use your existing CI/CD tools for that. Does not perform vulnerability analysis on SBOM components. Does not replace a software composition analysis (SCA) tool.
Your pipeline generates the raw data. CRACheck structures it for the regulation.
Article 64 of Regulation (EU) 2024/2847.

- Art. 64(2). Missing SBOM is a failure to comply with vulnerability handling requirements.
- Art. 64(3).
- Art. 64(4).
| Alternative | Cost | What you get |
|---|---|---|
| Compliance consultant | €4,000–€8,000 | SBOM structuring + regulatory context. 3–6 weeks. |
| Send raw CycloneDX/SPDX to client | Free | Client rejects it. Not Annex VII format. |
| Manually restructure SBOM into Annex VII | Free + engineering days | Custom format. No regulatory validation. |
| CRACheck | €149 | 8 documents. SBOM in Annex VII §2(b) context. 15–25 min. |
Each product requires its own Annex VII documentation with SBOM. If you manage 10+ products for EU clients, contact us for volume pricing.
CRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy and completeness of the SBOM data are your responsibility.
We guarantee the document structure follows Annex VII and the legal references are correct. We do not guarantee that the SBOM will satisfy a specific market surveillance authority request under Annex VII §8.
CRACheck is not legal advice. For questions about SBOM disclosure obligations under Annex VII §8, consult a qualified lawyer.
Eight documents. Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.