CRA overview & timeline
The EU Cyber Resilience Act sets cybersecurity obligations for products with digital elements sold in the EU: a secure update mechanism, integrity of the software and its configuration, a software bill of materials, and a vulnerability-handling process with regulator reporting deadlines. The obligations phase in — vulnerability and incident reporting first, full conformity later — and the penalties for getting them wrong are significant.
Meshanics treats compliance evidence as a product feature, not paperwork bolted on afterwards. The platform records every meaningful action as it happens, and the reporting tools render that recorded reality on demand. Nothing in a report is asserted that the platform has not actually recorded.
What the platform evidences
Several Annex I essential requirements map directly onto how the platform already works:
| CRA expectation | How the platform evidences it |
|---|---|
| Secure update mechanism | Every artifact is signed and verified on the device against a pinned trust anchor; no unsigned update path exists, including in development. |
| Confidentiality & integrity in transit | All device-to-platform transport is mutual TLS; update payloads carry independent signatures verified on-device. |
| Integrity of software & configuration | Every state change is written to an append-only, hash-chained audit log whose integrity is verifiable. |
| Reversible updates | Each update declares a health check; devices restore the previous version automatically on failure. |
| Software bill of materials | An SBOM (CycloneDX or SPDX) can be attached to each artifact and is tracked for coverage. |
| Vulnerability handling | A deadline-tracked reporting workflow records each step against the regulation's clocks. |
| Device & component identification | Each device carries a unique per-device X.509 identity; its installed artifacts and versions are recorded. |
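To make the "append-only, hash-chained audit log whose integrity is verifiable" row concrete, here is an added example written for this page (not the Meshanics implementation; the entry layout, the use of SHA-256 and the sample events are all assumptions). It builds a small chain and shows that both editing a record after the fact and deleting an entry are caught by recomputing every link.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # anchor for the first entry's prev-hash link

def entry_digest(prev_hash, seq, record):
    """Bind an entry to its predecessor, its position and its canonical payload."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{payload}".encode()).hexdigest()

def append(log, record):
    """Append a state change; the new hash covers every entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "record": record,
                "hash": entry_digest(prev, seq, record)})
    return log[-1]["hash"]

def verify(log):
    """Recompute every link. Returns (True, None) or (False, first_bad_seq)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, i  # entry removed, reordered or inserted
        if entry_digest(prev, i, e["record"]) != e["hash"]:
            return False, i  # payload or stored hash altered
        prev = e["hash"]
    return True, None

def build_sample_log():
    """Constructed example events, not real platform output."""
    log = []
    for rec in [
        {"event": "artifact.signed", "artifact": "fw-1.4.2", "key_id": "k-demo"},
        {"event": "update.deployed", "device": "dev-0001", "version": "1.4.2"},
        {"event": "healthcheck.failed", "device": "dev-0001", "version": "1.4.2"},
        {"event": "rollback.completed", "device": "dev-0001", "version": "1.4.1"},
    ]:
        append(log, rec)
    return log

def tamper(log, seq, field, value):
    """Copy the log and edit one record, simulating an after-the-fact change in storage."""
    bad = copy.deepcopy(log)
    bad[seq]["record"][field] = value
    return bad

def drop_entry(log, seq):
    """Copy the log and delete one entry (e.g. the failed health check)."""
    bad = copy.deepcopy(log)
    del bad[seq]
    return bad
```

A chain like this detects edits and removals in the middle, but silently truncating the tail is only detectable if the latest head hash is also anchored somewhere the log's own storage cannot rewrite (signed, timestamped or published elsewhere).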
How a report reads
A compliance report evaluates a framework's requirement set against the facts the platform has recorded for your scope. Each requirement comes back with an honest status — met when a check confirms it, partial when it is evidenced but needs attention, manual for a control the platform provides but you operate, and gap for a capability that is not yet available. Gaps are never silently omitted.
The EU CRA profile is the default. The same recorded reality also renders against several other frameworks (industrial, automotive, medical and consumer regimes), so a single fleet can produce evidence for more than one obligation.
What stays with you
The platform assembles and evidences; it does not certify. Submission to a regulator, notified body or CSIRT remains the manufacturer's act, and so does publishing a vulnerability-disclosure policy. Every report carries a plain disclaimer to that effect. The platform also only ever handles metadata — it never inspects, copies or exports the contents your application processes.