Living SBOM
Binary software inventory for efficient management
Finite State delivers the artifacts and workflows manufacturers need to support EU Cyber Resilience Act (CRA) self-assessment generated from the designated product and maintained over time.


We'll walk through the scope, deliverables, and what is required for your designated product.
© 2026 Finite State. All rights reserved.
How It Works
Finite State's managed CRA services turn product inputs into maintained artifacts and workflows for CRA self-assessment.
Reviewable, product-specific deliverables that support CRA self-assessment and ongoing readiness.
What's Included
Binary software inventory for efficient management
Ongoing vulnerability correlation, notification, and VEX support
Draft notifications, CVD policy, and reporting workflow support
Threats, controls, gaps, and remediation guidance
Documentation assembled to support self-assessment and declaration execution
CRA Deliverable Mapping
Explore how Finite State’s managed services map each deliverable to CRA requirements and ongoing product obligations.
Software Composition from Firmware and Binaries
CRA alignment
Supports CRA software transparency and technical documentation requirements.
Ownership + Scope
We generate the proof
Generates SBOM & VEX from what you ship
Runs the cybersecurity risk assessment
CRA obligations phase in over time, but evidence, monitoring, and reporting workflows need to be established before those deadlines arrive.
The CRA officially entered into force, establishing baseline cybersecurity expectations across EU markets.
Conformity assessment body provisions begin.
Use reachability, exploit intelligence, and product context to identify what actually matters.
Main obligations apply fully. Technical evidence and documentation required.
Pricing
One product, one annual engagement
All five CRA deliverables, maintained across releases
A defensible, audit-ready self-assessment
Software Analysis
Living SBOM- Component inventory
Risk & Vulnerability
Reachability-based risk assessment

Monitors vulnerabilities continuously
Drafts disclosures & your CVD policy
Assembles technical docs & the DoC template
You own the decision
Remediation & the Article 14 determination
ENISA / SRP filing
Signed Declaration of Conformity
Readiness for CRA reporting deadlines

Audit Ready
Annual scope
The complete annual scope, five deliverables, full monitoring and disclosure.
Manufacturer accountability