diff --git a/obligations/cra.json b/obligations/cra.json
index 8a6eeabf..8b21a6c6 100644
--- a/obligations/cra.json
+++ b/obligations/cra.json
@@ -1490,6 +1490,93 @@
 198
 ],
 "note": "Adressieren NIS2-Einrichtungspflichten, CSIRT/ENISA-Behördenaufgaben, Konformitätsbewertungsstellen/EUCC-Zertifizierung, Distributor/Importeur-Pflichten, nationale Strategien, Secure-by-Design/Tooling oder Interoperabilität — keine herstellerseitige Vulnerability-Handling-Pflicht nach CRA Art. 13(8)/Annex I Part II"
+ },
+ {
+ "type": "supports",
+ "from": "sbom_creation",
+ "to": "vuln_identification_inventory",
+ "cross_family": true,
+ "note": "SBOM macht enthaltene Komponenten für die Schwachstellensuche sichtbar",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "supports",
+ "from": "sbom_dependency_coverage",
+ "to": "vuln_identification_inventory",
+ "cross_family": true,
+ "note": "transitive Abhängigkeiten ermöglichen Erkennung in Drittkomponenten",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "supports",
+ "from": "sbom_maintenance_update",
+ "to": "vuln_identification_inventory",
+ "cross_family": true,
+ "note": "aktuelle SBOM hält das Komponenten-Inventar für Vuln-Scans aktuell",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "vuln_assessment_prioritization",
+ "to": "vuln_identification_inventory",
+ "cross_family": false,
+ "note": "Bewertung setzt identifizierte Schwachstellen voraus",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "vuln_info_dissemination_users",
+ "to": "vuln_remediation_patching",
+ "cross_family": false,
+ "note": "Nutzerinformation erfolgt nach Bereitstellung des Updates",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "exploited_vuln_reporting_authorities",
+ "to": "vuln_identification_inventory",
+ "cross_family": false,
+ "note": "Meldung ausgenutzter Schwachstellen setzt deren Erkennung voraus",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "coordinated_vulnerability_disclosure",
+ "to": "vuln_handling_process",
+ "cross_family": false,
+ "note": "CVD ist Bestandteil des Schwachstellenbehandlungsprozesses",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "sbom_maintenance_update",
+ "to": "sbom_creation",
+ "cross_family": false,
+ "note": "Pflege setzt die initiale Erstellung voraus",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
 }
+ ],
+ "relationship_types": [
+ "depends_on",
+ "supports",
+ "produces_evidence_for",
+ "implements",
+ "derived_from"
 ]
 }
\ No newline at end of file
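Review bot: The `depends_on` edge from `exploited_vuln_reporting_authorities` to `vuln_identification_inventory` is marked `"confidence": "high"`, but the CRA duty to notify actively exploited vulnerabilities runs from the manufacturer becoming aware of the exploitation, and that awareness can come from an external report rather than from the manufacturer's own inventory-based identification. The node definitions and the start of the relationships array are outside the hunk, so this is inferred from the node name; if it means what it suggests, a consumer that reads `depends_on` as a hard prerequisite could model the reporting obligation as gated on the inventory obligation. I would express it as `"type": "supports", "from": "vuln_identification_inventory", "to": "exploited_vuln_reporting_authorities"`, or keep the edge and lower it to `"confidence": "medium"` with a note that names the other awareness channels. The `vuln_info_dissemination_users` to `vuln_remediation_patching` edge deserves the same check, since users may need mitigation information before an update is available.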