CRATrust Blog
Insights & Guidance
Expert analysis on EU Cyber Resilience Act compliance, SBOM management, vulnerability reporting, and what the September 2026 deadline means for your organisation.
NVD vs OSV: Choosing the Right Vulnerability Database for Your Security Programme
NVD and OSV are both authoritative vulnerability databases, but they serve different purposes and have different strengths. This guide compares them, explains when to use each, and shows how GitHub Security Advisories (GHSA), VEX statements, and proprietary commercial feeds fit alongside them.
From SBOM to Security: How Software Composition Analysis Protects Your Products
Generating an SBOM is the first step. Software Composition Analysis (SCA) is what happens next: continuously cross-referencing your component inventory against vulnerability databases so that newly disclosed vulnerabilities in components you already ship are surfaced as soon as they are published. Here is how it works.
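The matching step described above, as an added illustration rather than code from CRATrust or from the article itself: a CycloneDX-style component list is cross-referenced against an OSV-style feed of affected version ranges, with VEX "not affected" statements used to suppress matches. The SBOM fragment, the feed entries, and the VEX set are constructed for the example; the version comparison is deliberately simplistic and would need a proper ecosystem-aware comparator in production.

```python
"""Added example: a minimal SCA pass that cross-references an SBOM
against a vulnerability feed. All data below is constructed."""
import json
import re
from typing import Optional

# Constructed CycloneDX-style SBOM fragment (not a real product inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "xz", "version": "5.4.6", "purl": "pkg:generic/xz@5.4.6"},
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}
  ]
}
"""

# Constructed OSV-style affected ranges, modelled loosely on two well-known
# advisories; consult the live feeds for authoritative data.
VULN_FEED = [
    {"id": "CVE-2021-44228", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "CVE-2024-3094", "package": "pkg:generic/xz",
     "introduced": "5.6.0", "fixed": "5.6.2"},
]


def version_key(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.
    Pre-release tags such as '-beta9' become an extra numeric component,
    which is adequate for this illustration but not for real ecosystems."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def purl_without_version(purl: str) -> str:
    """'pkg:pypi/requests@2.31.0' -> 'pkg:pypi/requests'."""
    return purl.split("@", 1)[0]


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV-style half-open range: introduced <= version < fixed."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def find_vulnerable(sbom_json: str, feed: list, vex_not_affected=frozenset()) -> list:
    """Return (component, version, vuln id) for every match, skipping any
    (versionless purl, vuln id) pair that a VEX statement marks not_affected."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        pkg = purl_without_version(comp["purl"])
        for vuln in feed:
            if vuln["package"] != pkg:
                continue
            if (pkg, vuln["id"]) in vex_not_affected:
                continue  # assessed and documented as not exploitable here
            if is_affected(comp["version"], vuln["introduced"], vuln.get("fixed")):
                findings.append((comp["name"], comp["version"], vuln["id"]))
    return findings


if __name__ == "__main__":
    for name, version, vuln_id in find_vulnerable(SBOM_JSON, VULN_FEED):
        print(f"{name} {version}: affected by {vuln_id}")
```

Run against the constructed inputs this reports only log4j-core 2.14.1 (inside the CVE-2021-44228 range); xz 5.4.6 predates the backdoored 5.6.x releases and is not flagged. A real SCA pipeline re-runs this join every time either side changes: a new SBOM on every build, and the feed on every advisory, which is what "continuous" means in practice.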
Annex I vs Annex III: Understanding CRA Product Categories and Security Requirements
The EU Cyber Resilience Act classifies products into three tiers with different conformity assessment requirements. This guide explains Annex I security requirements, Annex III product classifications, and exactly which products fall into Class I and Class II.
The Hidden Risks in Your Software Supply Chain: Log4Shell, XZ Utils, and What Comes Next
Log4Shell exposed a single open-source logging library lurking in millions of enterprise products. XZ Utils showed that an attacker could work their way into a trusted maintainer role over years and ship a backdoor through the normal release process. These incidents reveal systemic weaknesses in the modern software supply chain, and explain why the CRA's SBOM mandate exists.
Open Source Software and the CRA: What Maintainers and Businesses Need to Know
The EU Cyber Resilience Act has profound implications for the open-source ecosystem. We explain who is in scope, the concept of open-source software stewards, and what businesses that depend on open-source components must do to comply.
CRA Compliance Checklist: 15 Steps to Meet EU Cyber Resilience Act Requirements
The EU Cyber Resilience Act compliance journey can feel overwhelming. This actionable 15-step checklist breaks it down into manageable phases — from product classification through to ongoing vulnerability management — so your team knows exactly what to do and when.
CVSS Scores Explained: Understanding Vulnerability Severity in Your Software
CVSS scores are the industry standard for rating vulnerability severity — but they are widely misunderstood and misapplied. This guide explains how CVSS 3.1 works, what the numbers really mean, and how to use them effectively for vulnerability prioritisation.
How to Generate an SBOM: A Practical Guide for Development Teams
A Software Bill of Materials (SBOM) is a legal requirement for manufacturers under the EU Cyber Resilience Act. This hands-on guide covers the two major SBOM standards, the best open-source tools to generate them, and how to integrate SBOM generation into your CI/CD pipeline.
What Is the EU Cyber Resilience Act? A Complete Guide for Software Manufacturers
The EU Cyber Resilience Act (CRA) is the first EU-wide regulation to impose horizontal cybersecurity requirements on software and hardware products. This comprehensive guide explains what it means, who it affects, and what you must do before its vulnerability-reporting obligations take effect in September 2026.