EU Cyber Resilience Act (CRA)

Where OWL stands under the EU Cyber Resilience Act (Regulation (EU) 2024/2847). This page is published for transparency while our compliance program is underway; it states plainly what is finalized and what is still being completed.

Part of NDEVR's compliance & conformity program.

Status: in progress — not yet a binding declaration. OWL has not yet been placed on the EU market, and the EU Declaration of Conformity below is a draft preview, not a signed or in-force declaration. It will be issued only once OWL's released version meets the CRA essential requirements and an EU authorized representative has been appointed. The CRA applies in phases: vulnerability-reporting obligations from 11 September 2026 and full application from 11 December 2027.

1. Our approach

The CRA sets cybersecurity requirements for products with digital elements placed on the EU market. NDEVR's approach for OWL:

  • Product classification: Default — OWL is not in the CRA's "important" or "critical" product classes, so conformity is by manufacturer self-assessment.
  • Conformity route: Module A (internal control) — no notified body is involved for a Default product.
  • Standards: no CRA harmonized standard has yet been published, so conformity with the Annex I essential requirements is demonstrated directly through our technical documentation. We will cite the harmonized standards once they appear in the Official Journal.
  • Support period: a declared security support period of at least 5 years from EU market placement (see OWL product security information).
  • Vulnerability handling: a coordinated vulnerability disclosure process is already live — see our disclosure policy and security.txt — and we will report actively-exploited vulnerabilities and severe incidents to the relevant EU authorities as required once those obligations apply.

2. EU Declaration of Conformity (draft preview)

The following is the draft EU Declaration of Conformity for OWL, in the Annex V format. It is not yet signed or in force — the authorized-representative and signature fields are completed at sign-off, after the conformity gate is met. It is reproduced here so the structure and content are transparent in advance.

  • 1. Product (unique identifier): OWL-DoC-2026-001 — OWL server v1.0.0 and clients (desktop, web, CLI, nest), version 1.0.0.
  • 2. Manufacturer: NDEVR, LLC, 1300 W Morton St, Oakland City, IN 47660, USA.
  • 3. Authorized representative: In progress — to be appointed before EU market placement.
  • 4. This declaration of conformity is issued under the sole responsibility of the manufacturer.
  • 5. Object of the declaration: OWL — an end-to-end-encrypted file storage, sync, sharing and collaboration system, comprising the OWL server (File-Server) v1.0.0 and the OWL clients (desktop, web, CLI, nest), version 1.0.0.
  • 6. Conformity: the object described above is in conformity with Regulation (EU) 2024/2847 (Cyber Resilience Act).
  • 7. Other Union legislation: none applicable (e.g. RED, MDR, machinery do not apply).
  • 8. Standards / specifications: none — no CRA harmonized standard is yet published; conformity with the Annex I essential requirements is demonstrated directly via the technical documentation.
  • 9. Notified body: not applicable — Default product, conformity assessed via Module A (internal control).
  • 10. Additional information: conformity assessment procedure Module A (Annex VIII); technical documentation held by the manufacturer and the authorized representative; vulnerability reporting contact security@ndevr.org / /.well-known/security.txt; declared support period 5 years from EU market placement.
  • Signed for and on behalf of NDEVR, LLC — place, date, name, function, and signature: completed at sign-off (in progress).

When the declaration is issued, the signed text will be published here and referenced from the OWL technical documentation and product pages.

3. Technical documentation & SBOM

OWL's full technical documentation (Annex VII) and its CycloneDX Software Bill of Materials are retained by the manufacturer and made available to EU market-surveillance authorities on request. The SBOM is also available to users on request via security@ndevr.org.

4. Questions

CRA / compliance questions: security@ndevr.org. For privacy and data handling, see the privacy policy.