Evidence as a byproduct of how you operate.

Compliance does not need to be a separate workflow. OnBoard™ IoT Security (OBIS) turns signing, provisioning, OTA operations, and vulnerability response into governed operational evidence across the product lifecycle. Compliance & Disclosure reads from the same operational record stream — it does not create a parallel system.

Regulatory compliance timelines are now fixed.

CRA reporting and lifecycle security obligations become enforceable across 2026 and 2027. Operational evidence, vulnerability disclosure workflows, and lifecycle traceability move from best practice to regulatory requirement.

DEC 2024 (In effect): CRA enters into force
The transition period begins. OEMs selling into the EU start establishing vulnerability disclosure, SBOM governance, and lifecycle security operations.

AUG 2025 (In effect): EU RED DA + EN 18031
Cybersecurity conformity requirements become mandatory for connected wireless products sold into the EU market.

SEP 11, 2026 (Upcoming): Vulnerability reporting begins
ENISA reporting windows take effect: 24-hour early warning, 72-hour notification, and 14-day technical reporting supported by governed operational evidence.

DEC 11, 2027 (Upcoming): Full CRA compliance
Non-conforming connected products can no longer enter the EU market. Security-by-design and lifecycle governance become mandatory for CE marking.

Every action writes a record. Compliance & Disclosure derives from them.

Release versions, provisioning records, vulnerability decisions, OTA operations, and device state records are governed as part of the same operational trust workflow. Compliance evidence is derived directly from operational records — not reconstructed later through manual reporting.

Structured disclosure workflows under operational control.

CRA reporting windows require structured vulnerability disclosure across initial notification, impact assessment, and remediation reporting. OBIS links these workflows directly to governed operational records and device state.

24h: Early warning (initial exposure notification)
Initial reporting of an actively exploited vulnerability, including affected products and the first severity assessment.
Derived from OBIS operational records: release version identifier + CVE number; initial CVSS / EPSS assessment; exploitation signal source.

72h: Notification (confirmed scope and impact)
Detailed impact assessment covering affected release versions, production batches, deployed device coverage, and interim mitigations.
Derived from OBIS operational records: affected release versions; production batches + deployed device coverage; VEX decisions + interim mitigations.

14d: Technical report (remediation and deployment coverage)
Root cause analysis, remediation path, OTA rollout planning, residual risk, and deployment coverage across affected devices.
Derived from OBIS operational records: SBOM + component provenance; OTA targeting + rollout governance; per-device remediation coverage.
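As an added worked example (not OBIS code; the record schema, the CVE placeholder and the detection timestamp are constructed), the Python below derives the three reporting bundles and their deadlines from a small operational record stream and flags any stage whose required evidence is absent from the records:

```python
from datetime import datetime, timedelta

# Constructed record stream: an illustrative schema, not OBIS's own data model.
CVE = "CVE-0000-0000"  # placeholder identifier
DETECTED_AT = datetime(2026, 9, 12, 9, 0)  # constructed exploitation-detection time
RECORDS = [
    {"type": "release", "version": "fw-2.3.1", "sbom": ["libtls 1.4.2", "httpd 0.9"]},
    {"type": "release", "version": "fw-2.4.0", "sbom": ["libtls 1.5.0", "httpd 0.9"]},
    {"type": "provisioning", "batch": "B-2025-07", "version": "fw-2.3.1", "devices": 1200},
    {"type": "provisioning", "batch": "B-2025-09", "version": "fw-2.4.0", "devices": 800},
    {"type": "triage", "cve": CVE, "cvss": 8.8, "epss": 0.42, "signal": "honeypot telemetry"},
    {"type": "vex", "cve": CVE, "version": "fw-2.3.1", "status": "affected",
     "mitigation": "disable remote admin port"},
    {"type": "vex", "cve": CVE, "version": "fw-2.4.0", "status": "not_affected"},
    {"type": "ota", "cve": CVE, "from": "fw-2.3.1", "to": "fw-2.3.2", "remediated": 900},
]
WINDOWS = {"early_warning": timedelta(hours=24), "notification": timedelta(hours=72),
           "technical_report": timedelta(days=14)}

def reporting_deadlines(detected_at):
    """Deadlines measured from detection, as the three windows above are framed.
    Caveat: the CRA counts the 14-day final report from when a fix is available,
    so this is a conservative planning bound for that stage."""
    return {stage: detected_at + delta for stage, delta in WINDOWS.items()}

def derive_reports(records, cve, detected_at):
    """Assemble per-stage evidence purely from records; nothing is typed in by hand."""
    by = lambda t, **k: [r for r in records if r["type"] == t
                         and all(r.get(a) == v for a, v in k.items())]
    affected = [r["version"] for r in by("vex", cve=cve, status="affected")]
    batches = [r for r in by("provisioning") if r["version"] in affected]
    deployed = sum(r["devices"] for r in batches)
    remediated = sum(r["remediated"] for r in by("ota", cve=cve))
    triage = by("triage", cve=cve)
    evidence = {
        "early_warning": {"affected_versions": affected, "cve": cve,
                          "cvss_epss": (triage[0]["cvss"], triage[0]["epss"]) if triage else None,
                          "exploitation_signal": triage[0]["signal"] if triage else None},
        "notification": {"affected_versions": affected, "batches": [b["batch"] for b in batches],
                         "deployed_devices": deployed, "vex_decisions": by("vex", cve=cve),
                         "interim_mitigations": [r["mitigation"] for r in by("vex", cve=cve)
                                                 if "mitigation" in r]},
        "technical_report": {"sbom": {r["version"]: r["sbom"] for r in by("release")
                                      if r["version"] in affected},
                             "ota_rollouts": by("ota", cve=cve),
                             "remediation_coverage": remediated / deployed if deployed else None},
    }
    deadlines = reporting_deadlines(detected_at)
    # A stage with empty evidence is a gap in the operational record, not a reporting detail.
    return {stage: {"deadline": deadlines[stage], "evidence": ev,
                    "missing": [k for k, v in ev.items() if v in (None, [], {})]}
            for stage, ev in evidence.items()}
```

Removing the triage record from the stream shows the intended failure mode: the 24h bundle is flagged as missing its CVSS / EPSS assessment and exploitation signal rather than silently shipping incomplete.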

Build compliance once. Reuse the evidence.

OBIS operational evidence aligns to EU CRA requirements while supporting adjacent frameworks including RED DA, PSTI, EO 14028, ETSI EN 303 645, and IEC 62443 — without requiring separate compliance workflows per region.

Framework coverage legend: Mandatory / Covered by companion standards / Not directly mandated.
IEC 62443-4-2 does not directly mandate SBOM management; related supply-chain security requirements are covered through companion standards including IEC 62443-2-4.
IEC 62443-4-2 mandates patchability, while vulnerability handling processes are addressed through IEC 62443-2-1 and IEC 62443-2-4 lifecycle security requirements.
RED DA does not directly mandate vulnerability disclosure to authorities; associated EN 18031 requirements cover vulnerability monitoring and handling under VLM clauses.

Built for operational compliance readiness at scale.

Discuss your vulnerability disclosure workflows, operational evidence strategy, CRA readiness requirements, and lifecycle governance architecture with the OBIS engineering team.