Annex I register
The Annex I register is your organisation’s readiness self-assessment against the CRA’s essential cybersecurity requirements: one entry per Annex I requirement — Part I (secure-by-design product properties) and Part II (vulnerability-handling processes), 21 items in total.
The register
Section titled “The register”Each entry carries:
- a status — Met, Partial, Gap, or Not applicable;
- controls — the measures you have in place;
- a justification — the prose explaining the status;
- citations — the evidence the entry rests on;
- a source marker — auto-derived, AI-drafted, or you wrote this — so it is always visible where a statement came from.
The requirement text shown is a cited paraphrase of Annex I, not the authoritative OJ wording.
Generate, then edit
Section titled “Generate, then edit”Generate seeds the register from the requirement catalog and auto-derives what Resilic can actually evidence — your SBOMs, CVD policy, vulnerability-handling procedure, triage activity, and published advisories — citing each source. AI then drafts justifications grounded in those controls and that evidence; it does not invent posture you don’t have.
Everything is editable: change a status, describe your controls, rewrite a justification. Edits are marked as human-authored.
Gap report and sign-off
Section titled “Gap report and sign-off”The register computes a gap report — every Partial and Gap entry in one list — which is the honest answer to “where do we stand against Annex I?”.
Sign-off is a deliberate act: approval is blocked while any Gap entry lacks a justification, so you cannot sign a register that silently skips its weak spots. Once approved:
- the register can be exported (mapping + narrative + gap report) — export accepts approved registers only;
- the approved narrative and status feed the design-and-vulnerability-handling section of your technical documentation, and the register is the evidence source for dual compliance and the standards watch.
What this is — and isn’t
Section titled “What this is — and isn’t”Annex I duties apply with the full CRA on 11 Dec 2027 — they are not part of the Article 14 reporting obligation that starts in September 2026. The register is a readiness self-assessment: Resilic structures the mapping, checks it for gaps, and keeps the evidence attached, but it does not attest that your product conforms, and a completed register is not “CRA compliance”. The AI drafts; you review, correct, and sign — the signature and the claims remain yours.