BSI TR-03183: Cyber Resilience Requirements for Manufacturers and Products
The Technical Guideline TR-03183 describes Cyber Resilience Requirements for Manufacturers and Products. It intends to provide manufacturers with advance access to the type of requirements that will be imposed on them by the Cyber Resilience Act (CRA).
The CRA came into force in December 2024. The transitional periods are currently running until its full implementation on 11 December 2027.
The Technical Guideline is continuously updated and further developed.
Part 1 "General Requirements" describes requirements for Manufacturers and Products on the basis of the articles and annexes of the CRA.
Part 2 "Software Bill of Materials (SBOM)" describes formal and technical requirements for SBOMs.
Part 3 "Vulnerability Reports and Notifications" describes the handling of incoming vulnerability reports.
Comment period
Part 1 and Part 3 have been published in the preliminary version 0.9.0 as a community draft. They are currently being revised following a comment period. The BSI is reviewing the feedback received so far and will use it in collaboration with relevant stakeholders to further develop the TR-03183 and contribute to European standardisation.
The first comment period ended on 30 November 2024, but it is possible to send further comments and feedback on all parts of the guideline to tr03183@bsi.bund.de at any time.
Note
The BSI has created its own CycloneDX namespace and registered it with CycloneDX to assist in creating SBOMs compliant with Part 2. Its taxonomy is published in the BSI GitHub account.
Short URL: https://www.bsi.bund.de/dok/TR-03183-en