FOR ENGINEERING + COMPLIANCE AT MANUFACTURERS SELLING INTO THE EU
CRA obligations, operationalized.
The Cyber Resilience Act makes SBOMs, coordinated vulnerability handling, and due-diligence evidence a condition of selling into the EU. ReARM turns each obligation into something your pipeline already does.
HOW TEAMS USE REARM FOR THIS
01
SBOM per product release
Annex I requirements met by default: every product release carries its SBOM.
↳ SBOM/xBOM Management
02
Coordinated vulnerability handling
Findings triage and analysis workflow, documented as it happens.
↳ Findings Aggregation
03
Distribution to authorities and customers
SBOMs and artifacts served downstream via TEA.
↳ Distribution
04
Due-diligence evidence
Documented release criteria and immutable history, ready when the question comes.
↳ Release Policies
TIMELINE
Sep 2026: reporting obligations
Dec 2027: full application
ANNEX I · SBOM · CVD · DISTRIBUTION (TEA) · DUE-DILIGENCE EVIDENCE