How CRA Evidence started

It started in 2025, when Joan Romero heard about the Cyber Resilience Act for the first time.

From that point he started connecting it to his entire career as a Cloud Engineer and SRE. We are building and shipping more products than ever, but we are not taking care of cybersecurity. Incidents keep growing.

The Cyber Resilience Act exists because of that. Europe saw the problem and decided to act. Joan decided to help teams get through it, and started building CRA Evidence.

That became a reality in 2026. The first chapter was going through CEEI, the European Centre for Business and Innovation of the Principality of Asturias. With their help, the company got started.

Built from Oviedo, Spain Helping product teams turn CRA obligations into evidence they can actually maintain.
Spanish startup certification The company behind CRA Evidence has been granted innovative startup status under Spain's Startup Law, a recognition that gives certified companies access to Spain's startup framework. The status is issued by Spanish Enisa (Empresa Nacional de Innovación, Spain's public innovation agency, not the EU cybersecurity agency ENISA). Verify it in the public register by searching for SENDA TECH SOLUTIONS S.L.
Madrid Barcelona Lisbon Oviedo Asturias SPAIN Portugal France Baleares 200 km 0 200 N
The problem we solve

Why CRA Evidence was built

More digital products reach Europe every year, from industrial controllers to home devices, and the Cyber Resilience Act is the first regulation that expects every one of them to carry real security evidence for its full life. We wanted to help the teams doing that work.

Nobody clearly owned the Cyber Resilience Act. Not engineering, not legal, not product. We built CRA Evidence so that work has a home: tracked, corrected, and audit-ready across the ten-year window the regulation requires.

See how we work with teams

Every product with digital elements sold in the EU must be designed, produced, and maintained with real cybersecurity evidence across its full life cycle, kept on file for at least ten years.

Regulation (EU) 2024/2847, Articles 13–14 · paraphrased

That is the work we build for.

Who we serve

The CRA applies differently to each role. We adapt to each.

Manufacturers, importers, and distributors carry different obligations under the regulation. CRA Evidence ships the right workflow for each.

Manufacturers

CRA Article 13

You build products with digital elements. The heaviest CRA obligations fall on you.

  • SBOM validation against BSI TR-03183
  • Continuous vulnerability monitoring with new CVEs detected within 15 minutes
  • EU Declaration of Conformity generator
  • User Information & Instructions (UII) builder
  • Version-level compliance tracking
The average manufacturer has 200+ dependencies per product. You can't track that in a spreadsheet.

Importers

CRA Article 19

You bring products into the EU market. You must verify manufacturer compliance before you sell.

  • Article 19 verification checklists
  • Manufacturer documentation requests
  • Evidence storage with audit trail
  • Records for market surveillance
If a product you import fails CRA requirements, you're liable. CRA Evidence helps you verify before you commit.

Distributors

CRA Article 20

You sell products in the EU but don't manufacture or import them. Lighter obligations.

  • Compliance verification workflows
  • Product documentation access
  • Article 20 guidance
  • Incident escalation paths
Lighter obligations, but you still need a system. CRA Evidence keeps it simple.

The questions we keep hearing

Every team preparing for the CRA is working through the same basics:

  • What format should my SBOM be in?
  • How do I track vulnerabilities across 300 dependencies?
  • What exactly goes in a technical file?
  • How do I prove compliance to a market surveillance authority?

The regulation is complex enough. Your tools shouldn't be.

Based in the European Union
Recognition

Independent recognition

Third-party signals you can verify yourself. Read the full announcements in the newsroom.

Innovative startup status, Spanish Enisa

Spain's national innovation agency

Member of Cluster TIC Asturias

Regional ICT industry cluster
Visit the newsroom →

Ready to simplify CRA compliance?

Map obligations, generate evidence, and stay audit-ready across all product versions before December 11, 2027.

Start Free Trial View Pricing