A CRA Readiness Pack documents how your product approaches the essential cybersecurity requirements of the EU Cyber Resilience Act (Regulation (EU) 2024/2847). miniterms generates one structured to reflect Annex I — Part I (essential cybersecurity requirements) and Part II (vulnerability-handling requirements) — as a self-assessment you can attach to your technical documentation.
Who this applies to
The CRA applies to manufacturers of products with digital elements placed on the EU market. The Readiness Pack option appears in the Generate wizard and draws on the same identity fields as your other documents (legal name, address, contact), plus the product name, a short description, and how you classify the product under Annex III.
The Annex III class — default, important (class I), or important (class II) — is your own determination. The pack records the class you state; it does not decide it for you.
What the pack includes
- Annex I Part I — a self-assessment table over the essential cybersecurity requirements (secure-by-default configuration, access control, data confidentiality and integrity, attack-surface minimisation, secure update mechanism, logging, and more). You set each requirement's status: implemented, planned, not applicable, or not declared.
- Annex I Part II — your vulnerability-handling process: a coordinated-disclosure contact, your security-update policy, and the expected support period.
- A Software Bill of Materials (SBOM) section — attach an SBOM to evidence the component inventory Part II expects.
Honest gaps
Requirements you mark not declared render as explicit open gaps, never as satisfied. The pack is a truthful snapshot of what you declared — it is only as accurate as your answers, and you are responsible for keeping the measures it describes true in practice.
Generating an SBOM
The wizard includes an optional SBOM generator. Paste your package-lock.json or yarn.lock and it produces a valid SPDX 2.3 document listing your components (name, version, license where declared, and a package URL). The generation happens entirely in your browser — your lockfile never leaves your device; only a summary (format, component count, generation date) is recorded in the pack. pnpm lockfiles are coming in a follow-up.
What it does not do
The pack does not certify that your product complies with the CRA. The self-assessment statuses, the product-class statement, and the vulnerability-handling details reflect what you declared; you are responsible for their truthfulness and for the product genuinely meeting what is stated. It is not individualised legal advice, and having a professional review it is optional.
Publishing
Generate, save, and publish a CRA Readiness Pack the same way as your other document types — through the Generate wizard and the Publish page.