Run the Setup Wizard

The Setup Wizard walks you through the configuration the toolkit needs before it can generate complete CRA artifacts. It has five steps and usually takes under ten minutes.

You can skip the wizard and configure individual pages directly, but the wizard is the path of least resistance for first-time users.

Step 1 — Manufacturer identity

Required by CRA Annex V (DoC) and ENISA notification:

  • Legal name — your company's registered legal name
  • Trading name — optional, if it differs
  • Contact email — security contact, monitored daily
  • Mailing address — physical address required for the DoC
  • Website — your company URL

This data populates the supplier field of every SBOM and the manufacturer block of every Declaration of Conformity.

Step 2 — EU authorised representative

If you're not established in the EU, the CRA requires you to name an authorised representative based in the EU. If you are EU-based, toggle this off.

Fields when enabled:

  • Representative legal name
  • EU address
  • Email
  • Phone

The representative's details appear in every DoC and your Vulnerability Disclosure Policy.

Step 3 — Vulnerability Disclosure Policy

The VDP draft is pre-populated with sensible defaults. Review and adjust:

  • Reporting channel — email address or web form URL
  • Response SLA — first acknowledgment within 72 hours is the convention
  • Safe-harbor terms — standard CVD safe-harbor language
  • In-scope products — list the plugins covered by this VDP
  • Out-of-scope items — what researchers should NOT submit (social engineering, physical, third-party services)
  • PGP key — optional, for encrypted reports

When saved, the toolkit can either publish the VDP as a WordPress page or export it as standalone HTML for your marketing site.

Step 4 — Declaration of Conformity defaults

Pre-fills the DoC for every product you ship:

  • Default standards applied — ISO/IEC 29147, ISO/IEC 30111 (you can add more per-product)
  • Conformity assessment route — self-assessment is the default for non-critical products; type examination or full quality assurance for important/critical products under Annex III/IV
  • Default signer — the name and role of the person who signs declarations

Per-product DoCs inherit these defaults, and you can override them per plugin.

Step 5 — Ongoing monitoring

The CRA's Article 14 requires you to monitor your products for new vulnerabilities post-release. The toolkit's Monitor schedules a weekly OSV.dev check across every plugin with a saved SBOM.

  • Enable monitoring — toggle on
  • Notification email — where to send weekly alerts (defaults to your admin email)
  • Schedule — runs weekly; first run is one minute after you save

When enabled, the toolkit registers the mmcra_monitor_run cron event. New advisories trigger an email; quiet weeks still log a "nothing new" entry in the audit log so the cadence is visible to auditors.
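
To cross-check the Monitor's alerts independently, the following Python example (added here, not the toolkit's own code) shows what a weekly OSV.dev check over a saved SBOM involves: building the batch query, then reporting only advisories not seen in earlier runs. It assumes a CycloneDX JSON SBOM whose components carry purl fields; the sample SBOM, package names, advisory IDs and function names are constructed for illustration.

```python
import json

# Constructed CycloneDX-style SBOM fragment (sample data, not toolkit output).
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "components": [
  {"name": "example/http-client", "version": "1.2.0",
   "purl": "pkg:composer/example/http-client@1.2.0"},
  {"name": "example-slider", "version": "3.4.1",
   "purl": "pkg:npm/example-slider@3.4.1"},
  {"name": "bundled-asset", "version": "0.1"}
]}
""")

# Constructed response in the shape OSV's /v1/querybatch returns: one result
# per query, in query order; "vulns" is absent when nothing matches.
SAMPLE_OSV_RESPONSE = {"results": [
    {"vulns": [{"id": "EXAMPLE-0001", "modified": "2025-01-01T00:00:00Z"},
               {"id": "EXAMPLE-0002", "modified": "2025-01-08T00:00:00Z"}]},
    {},
]}

def build_querybatch(sbom):
    """Return (purls, body) for POST https://api.osv.dev/v1/querybatch.
    Components without a purl cannot be matched and are skipped."""
    purls = [c["purl"] for c in sbom.get("components", []) if c.get("purl")]
    return purls, {"queries": [{"package": {"purl": p}} for p in purls]}

def new_advisories(purls, response, seen):
    """Map each purl to advisory IDs not already in `seen`, a set of
    (purl, advisory_id) pairs persisted from earlier runs."""
    results = response.get("results", [])
    if len(results) != len(purls):
        raise ValueError("OSV result count does not match query count")
    fresh = {}
    for purl, result in zip(purls, results):
        ids = [v["id"] for v in result.get("vulns", [])
               if (purl, v["id"]) not in seen]
        if ids:
            fresh[purl] = ids
    return fresh

def audit_entry(fresh):
    """One log line per run, so quiet weeks still leave a record."""
    if not fresh:
        return "nothing new"
    return "new advisories: " + "; ".join(
        f"{p} -> {', '.join(ids)}" for p, ids in sorted(fresh.items()))
```

Components without a purl drop out of the query silently, so compare the number of queries sent against the SBOM's component count to see how much of the product the check actually covers.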

Finish

After step 5 the toolkit lands you on the Dashboard with the compliance grid. Run the "Generate all SBOMs" bulk action to seed the data the Monitor needs.

You can re-run the wizard any time from the Dashboard. It pre-populates with your current settings.