CRA Direct Platform
Centralized workspace combining CRA readiness assessment and continuous compliance operations across your product portfolio.
Assess your CRA scope, classify products, build Annex I and Annex VII evidence, manage SBOMs, run human-approved Article 14 reporting workflows, and track audit-ready remediation — deployed on your infrastructure for 100% data sovereignty.
The EU Cyber Resilience Act turns product cybersecurity into an operational obligation. Manufacturers now need evidence, reporting workflows, and audit discipline before the 2026 and 2027 deadlines.
The regulation applies across the EU. All digital product manufacturers must launch their compliance program immediately.
Manufacturers must report actively exploited vulnerabilities and severe incidents through the CRA Single Reporting Platform, including an early warning within 24 hours after becoming aware.
Products with digital elements placed on the EU market must meet the applicable CRA cybersecurity, conformity-assessment, technical-documentation, and CE-marking requirements.
For serious infringements, penalties can reach up to 15 million euros or 2.5% of total global annual turnover. Market-surveillance authorities may also require corrective action, restriction, withdrawal, or recall where applicable.
One CRA lifecycle suite for scope, classification, Annex I controls, technical documentation, SBOM evidence, vulnerability operations, Article 14 workflows, remediation, and audit trails.
Centralized workspace combining CRA readiness assessment and continuous compliance operations across your product portfolio.
Scope evaluation, product classification, conformity route, Annex I control assessment, Annex VII documentation checks, findings, corrective measures, and DoC draft support.
Manage SBOM evidence, vulnerability intelligence, VEX review, Article 14 reporting workflows, notifications, audit trails, and deadline pressure before fire drills start.
Ingest, validate, store, and monitor Software Bills of Materials. CycloneDX and SPDX formats, evidence locking, and traceability for audits.
Monitor CVE and exploit intelligence, prioritize affected products, track remediation status, and preserve evidence for review.
Organize the technical documentation, conformity evidence, user information, and decision records needed to support CE-marking work.
Deploy on your own servers or private cloud. Your compliance data never leaves your controlled environment. Built around the highest EU standards.
The Cyber Resilience Act (CRA) is the most important EU regulation ever adopted regarding digital product cybersecurity. It imposes mandatory security requirements on all manufacturers of products with digital elements on the EU market.
The CRA applies to any manufacturer, importer, or distributor of products with digital elements on the European market — whether based in Europe or not. This includes SaaS providers, IoT manufacturers, app developers, hardware builders.
Three key dates: 10 December 2024 — the CRA entered into force. 11 September 2026 — Article 14 reporting obligations apply. 11 December 2027 — the CRA applies in full, including conformity assessment and CE-marking obligations for products placed on the EU market.
An SBOM (Software Bill of Materials) is an inventory of software components. Under the CRA, manufacturers need component and vulnerability-handling evidence to support supply-chain traceability, security maintenance, technical documentation, and ongoing vulnerability operations.
Yes. CRA Direct is available as an on-premises or private cloud deployment for organizations that require 100% data sovereignty. Your compliance evidence — SBOMs, vulnerability data, incident reports, audit trails — stays entirely within your controlled environment, behind your own security perimeter.
Duration varies by product complexity, classification, evidence maturity, and whether third-party conformity assessment is needed. A readiness assessment can usually identify the scope, classification, evidence gaps, and roadmap within 2 weeks.
Don't wait for the deadline. Every month of delay reduces your room for maneuver. Contact us for a free consultation or platform demo.