Library
Research papers
Long-form orientation documents for ICT risk, procurement, and sovereignty programmes. These are briefing resources — not legal advice. For primary regulatory texts and standards, see Resources.
Cyber Resilience Act Hub: practical implementation guides
Evergreen CRA guidance for scope classification and Article 14 vulnerability reporting readiness. Includes source-cited implementation detail. April 2026.
Guide hub · ongoing updates
Sovereignty beyond the cluster boundary: Kubernetes upstream and supply-chain risk
Runtime controls, upstream governance, SBOMs, SLSA, contributor concentration, and a six-step framework for mature programmes. March 2026.
White paper · also printable as PDF from the page
What the Cyber Resilience Act actually requires of your open source dependencies
Manufacturers vs stewards, September 2026 vs December 2027, Annex I, Kubernetes dependency stack, SBOMs, and Article 14 reporting. March 2026.
White paper · printable as PDF from the page