Skip to content

Annex I register

The Annex I register is your organisation’s readiness self-assessment against the CRA’s essential cybersecurity requirements: one entry per Annex I requirement — Part I (secure-by-design product properties) and Part II (vulnerability-handling processes), 21 items in total.

Each entry carries:

  • a statusMet, Partial, Gap, or Not applicable;
  • controls — the measures you have in place;
  • a justification — the prose explaining the status;
  • citations — the evidence the entry rests on;
  • a source marker — auto-derived, AI-drafted, or you wrote this — so it is always visible where a statement came from.

The requirement text shown is a cited paraphrase of Annex I, not the authoritative OJ wording.

Generate seeds the register from the requirement catalog and auto-derives what Resilic can actually evidence — your SBOMs, CVD policy, vulnerability-handling procedure, triage activity, and published advisories — citing each source. AI then drafts justifications grounded in those controls and that evidence; it does not invent posture you don’t have.

Everything is editable: change a status, describe your controls, rewrite a justification. Edits are marked as human-authored.

The register computes a gap report — every Partial and Gap entry in one list — which is the honest answer to “where do we stand against Annex I?”.

Sign-off is a deliberate act: approval is blocked while any Gap entry lacks a justification, so you cannot sign a register that silently skips its weak spots. Once approved:

  • the register can be exported (mapping + narrative + gap report) — export accepts approved registers only;
  • the approved narrative and status feed the design-and-vulnerability-handling section of your technical documentation, and the register is the evidence source for dual compliance and the standards watch.

Annex I duties apply with the full CRA on 11 Dec 2027 — they are not part of the Article 14 reporting obligation that starts in September 2026. The register is a readiness self-assessment: Resilic structures the mapping, checks it for gaps, and keeps the evidence attached, but it does not attest that your product conforms, and a completed register is not “CRA compliance”. The AI drafts; you review, correct, and sign — the signature and the claims remain yours.