CRA SBOM Fundamentals
Build, maintain, and retain the Software Bill of Materials the Cyber Resilience Act demands. Built for product teams selling into the EU - 60 minutes, audit-grade, free.
Who this is for
Product managers, software engineers, security leads, and compliance officers at companies manufacturing or distributing products with digital elements in the EU. Any team that must meet CRA Article 13(5) SBOM obligations or Article 14 vulnerability reporting requirements.
What you will be able to do
Explain the CRA Article 13(5) SBOM obligation, identify the required fields in an SBOM component entry, distinguish top-level from transitive dependencies and why best practice covers both, choose between CycloneDX and SPDX for your use case, generate an SBOM from a CI/CD pipeline, run automated vulnerability monitoring against an SBOM, and document Article 14 reporting decisions with VEX statements. Structured across 5 modules:
Why is this free?
The CRA SBOM obligation reaches every manufacturer of products with digital elements sold in the EU. Most guidance is buried in regulatory text and draft standards. We built this course so that every product team can understand and implement their Article 13(5) obligations without paying a consultant. The platform is free. The attestation is free. Open source, no lock-in.
Ready to build your first CRA-compliant SBOM?
Create a free account and start with Lesson 0.1. About fifty minutes total. Pair with the platform's vulnerability monitoring tools to implement Article 14 continuous monitoring.