EU Regulation 2024/2847

CRA Compliance with embtrace

The EU Cyber Resilience Act requires manufacturers of products with digital elements to provide SBOMs, vulnerability management, and technical documentation. Non-compliance carries penalties of up to €15 million or 2.5% of global annual turnover.

  • Dec 2024: CRA in force
  • Sep 2026: 24h reporting
  • Dec 2027: Full application

CRA Requirements → embtrace Commands

Complete mapping: which CRA article is addressed by which embtrace command.

CRA Requirement             | Article              | embtrace Feature                        | Command
----------------------------|----------------------|-----------------------------------------|------------------------------------
Machine-readable SBOM       | Art. 13(15)          | SBOM generation (CycloneDX/SPDX)        | embtrace sbom generate
SBOM of all top-level deps  | Annex I, Part II(1)  | Yocto/Buildroot import + merge          | embtrace sbom import + merge
Vulnerability management    | Art. 13(6)           | CVE scanning + VEX lifecycle            | embtrace sbom vuln
24h ENISA notification      | Art. 14(2)           | ENISA report generator                  | embtrace comply enisa-report
5-year security support     | Art. 13(8)           | Support period in config                | embtrace comply audit --policy cra
Technical documentation     | Art. 31, Annex VII   | Automatic documentation generation      | embtrace comply documentation
10-year record keeping      | Art. 31(2)           | Release archive with manifest           | embtrace release create
Secure updates              | Annex I, Part I(3)   | Signed update packages (Ed25519)        | embtrace update create --sign
Traceability                | Annex I, Part II(1)  | Release manifest (Git→Build→Release)    | embtrace release create

BSI TR-03183 — Technical Guideline

The German Federal Office for Information Security (BSI) has defined concrete technical requirements for SBOM and vulnerability management in TR-03183 v2.1.0. embtrace supports this as a standalone policy.

Mandatory SBOM fields (TR-03183)

  • Component name
  • Version number (exact, no range)
  • Manufacturer / Supplier
  • Licence (SPDX Licence ID)
  • Package URL (PURL)
  • Cryptographic hash (SHA-256)

embtrace command

# BSI TR-03183 policy audit
embtrace sbom audit \
  --sbom product-sbom.cdx.json \
  --policy bsi-tr-03183

✓ name: 100% (47/47)
✓ version: 100% (47/47)
⚠ supplier: 95% (45/47)
✓ license: 100% (47/47)
✓ purl: 100% (47/47)

Overall: YELLOW
Exit code: 2
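To make the field check concrete, here is an added example of the kind of audit shown above; it is not embtrace's own code. It walks a CycloneDX JSON SBOM, tests each component for the six mandatory TR-03183 fields listed earlier (name, exact version, supplier, SPDX licence, PURL, SHA-256 hash) and reports per-field coverage. The sample SBOM, the version-range heuristic, the GREEN/YELLOW/RED rule and the exit codes are assumptions made for this example, not embtrace's policy.

```python
"""Check a CycloneDX JSON SBOM for the mandatory fields BSI TR-03183 requires.

Added example, not embtrace's own code. Reads a CycloneDX 1.x JSON document
and reports, per mandatory field, how many components carry it.
"""
import json
import re
import sys

# Versions must be exact: anything that looks like a range or wildcard fails.
# Assumed heuristic for this example, not a spec-defined rule.
_RANGE_PATTERN = re.compile(r"[\^~<>*]|\|\|")


def _has_name(component):
    return bool(component.get("name"))


def _has_exact_version(component):
    version = component.get("version")
    return (isinstance(version, str) and version.strip() != ""
            and not _RANGE_PATTERN.search(version))


def _has_supplier(component):
    # CycloneDX carries the manufacturer/supplier as an organizational entity.
    return bool((component.get("supplier") or {}).get("name"))


def _has_spdx_license(component):
    # Either a single SPDX id ({"license": {"id": ...}}) or an SPDX expression.
    for entry in component.get("licenses") or []:
        if entry.get("expression") or (entry.get("license") or {}).get("id"):
            return True
    return False


def _has_purl(component):
    return str(component.get("purl", "")).startswith("pkg:")


def _has_sha256(component):
    return any(h.get("alg") == "SHA-256" and h.get("content")
               for h in component.get("hashes") or [])


# One check per mandatory TR-03183 field, keyed by the short names used above.
CHECKS = {
    "name": _has_name,
    "version": _has_exact_version,
    "supplier": _has_supplier,
    "license": _has_spdx_license,
    "purl": _has_purl,
    "hash": _has_sha256,
}

# Fields without which a component cannot even be identified; a gap here is RED.
IDENTITY_FIELDS = ("name", "version", "purl")


def audit_sbom(sbom):
    """Return {field: (components_with_field, total_components)}."""
    components = sbom.get("components") or []
    return {field: (sum(1 for c in components if check(c)), len(components))
            for field, check in CHECKS.items()}


def overall_status(report):
    """Return (status, exit_code). GREEN: all fields complete; RED: an identity
    field is incomplete; YELLOW: only supplier/license/hash gaps. Exit codes
    are assumed for this example."""
    incomplete = {f for f, (present, total) in report.items() if present < total}
    if not incomplete:
        return "GREEN", 0
    if incomplete & set(IDENTITY_FIELDS):
        return "RED", 1
    return "YELLOW", 2


def format_report(report):
    """Render one line per field plus the overall verdict."""
    lines = []
    for field, (present, total) in report.items():
        pct = 100 * present // total if total else 0
        mark = "ok " if present == total else "!! "
        lines.append(f"{mark}{field}: {pct}% ({present}/{total})")
    lines.append(f"Overall: {overall_status(report)[0]}")
    return "\n".join(lines)


# Constructed sample SBOM: two complete components, one missing supplier and
# SHA-256 (it only carries MD5). Hash contents are placeholders.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "supplier": {"name": "zlib contributors"},
         "licenses": [{"license": {"id": "Zlib"}}],
         "purl": "pkg:generic/zlib@1.3.1",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"},
         "licenses": [{"expression": "Apache-2.0"}],
         "purl": "pkg:generic/openssl@3.0.13",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}],
         "purl": "pkg:generic/busybox@1.36.1",
         "hashes": [{"alg": "MD5", "content": "c" * 32}]},
    ],
}


def main(argv):
    """Audit the SBOM file given as argv[1], or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sbom = json.load(fh)
    else:
        sbom = SAMPLE_SBOM
    report = audit_sbom(sbom)
    print(format_report(report))
    return overall_status(report)[1]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to audit the built-in sample (verdict YELLOW, exit code 2 because only supplier and hash are incomplete), or pass a path to your own CycloneDX JSON file. A component whose version is a range such as ">=1.0" counts as missing its version and drives the verdict to RED, which is the behaviour TR-03183's "exact version, no range" requirement calls for.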

Liability Protection Through Documentation

The EU Product Liability Directive (2024/2853) reverses the burden of proof: manufacturers must demonstrate that they managed vulnerabilities professionally.

Without Documentation

A device is compromised. The manufacturer cannot produce an SBOM, CVE documentation, or patch history.

Court presumes defectiveness

The manufacturer must prove otherwise — practically impossible without records.

With embtrace

The manufacturer presents: SBOM, CVE history, VEX documents, patch history, audit reports — generated automatically with every release.

Proof of professional vulnerability management

“We knew what was in our product and assessed and documented every CVE.”

The evidence chain — automated with embtrace

  1. Transparency: SBOM (sbom generate)
  2. Assessment: CVE scan + VEX (sbom vuln)
  3. Traceability: Changelog + manifest (release create)
  4. Compliance: Audit + ENISA (comply audit)

Unsure whether your product is subject to the CRA?

Contact us for a free initial assessment. We will help you understand which CRA requirements apply to your product and how embtrace addresses them.
