CRA compliance platform for manufacturers, importers, and distributors.

EU Cyber Resilience Act (CRA) compliance software for SBOMs, vulnerability workflows, ENISA reporting, and technical files. All in one place.

Artifact Management

Your SBOMs, validated and versioned

Drop in a CycloneDX or SPDX file. We validate it against BSI TR-03183 quality criteria, score its completeness, and keep audit-ready records for every product version.

CycloneDX and SPDX: Format is auto-detected on upload. CycloneDX 1.6 schema validation, SPDX 2.2+ parsing.
TR-03183 quality scoring: Weighted metrics for PURL, hashes, supplier, license, and version completeness.
HBOM and VEX support: Hardware Bill of Materials and Vulnerability Exploitability eXchange extraction from CycloneDX.
Dependency graph visualization: Interactive Mermaid.js component tree with transitive dependency expansion and click-to-navigate.
Version comparison and drift detection: Diff SBOMs between versions to detect new, removed, and modified components.
VEX authoring: Create and publish Vulnerability Exploitability eXchange statements directly in-app. Export as CycloneDX VEX.
Supported formats: CycloneDX, SPDX, HBOM, VEX, SARIF.
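The validation and scoring step described above, as an added example that is not CRA Evidence's own code: it auto-detects CycloneDX versus SPDX JSON from their top-level markers and then scores each component on the five fields the page names (PURL, hashes, supplier, license, version). The integer weights, the sample SBOM and its digests are assumptions for illustration only; the exact BSI TR-03183-2 criteria and weighting are not reproduced here, and the field checks follow the CycloneDX 1.6 component schema.

```python
"""Weighted SBOM completeness scoring over a CycloneDX JSON document.

Added example, not CRA Evidence's code. The weights below are an
illustrative assumption, not BSI TR-03183-2's actual criteria; the
field checks follow the CycloneDX 1.6 component schema.
"""
import json

# Illustrative weights (assumed), summing to 100 so scores stay integral.
WEIGHTS = {"purl": 30, "hashes": 25, "supplier": 15, "license": 15, "version": 15}


def detect_format(doc):
    """Auto-detect CycloneDX vs SPDX JSON from their top-level markers."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    return "unknown"


def _has_license(comp):
    # CycloneDX allows an SPDX id, a free-text name, or an SPDX expression.
    return any(
        entry.get("expression")
        or entry.get("license", {}).get("id")
        or entry.get("license", {}).get("name")
        for entry in comp.get("licenses", [])
    )


def _has_hashes(comp):
    # A hash only counts if both the algorithm and the digest are present.
    return any(h.get("alg") and h.get("content") for h in comp.get("hashes", []))


def score_component(comp):
    """Return (score 0..100, list of missing fields) for one component."""
    checks = {
        "purl": bool(comp.get("purl")),
        "hashes": _has_hashes(comp),
        "supplier": bool(comp.get("supplier", {}).get("name")),
        "license": _has_license(comp),
        "version": bool(comp.get("version")),
    }
    score = sum(WEIGHTS[k] for k, ok in checks.items() if ok)
    missing = [k for k, ok in checks.items() if not ok]
    return score, missing


def score_sbom(doc):
    """Average component score as a percentage, plus a tally of gaps by field."""
    if detect_format(doc) != "cyclonedx":
        raise ValueError("only CycloneDX JSON is scored in this example")
    comps = doc.get("components", [])
    if not comps:
        return 0.0, {}
    total, gaps = 0, {}
    for comp in comps:
        score, missing = score_component(comp)
        total += score
        for field in missing:
            gaps[field] = gaps.get(field, 0) + 1
    return round(total / len(comps), 1), gaps


# Constructed sample SBOM (assumed data; the digest is a placeholder).
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:npm/libfoo@1.2.3",
     "supplier": {"name": "Example Org"},
     "hashes": [{"alg": "SHA-256", "content": "ab12"}],
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libbar", "version": "2.0.0"}
  ]
}""")

if __name__ == "__main__":
    pct, gaps = score_sbom(SAMPLE_SBOM)
    print(f"Quality score {pct}%  gaps: {gaps}")
```

The per-field gap tally is what turns a score into an improvement recommendation: a low average with "hashes" missing on most components points at the SBOM generator's configuration, not at the product.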

Quality Score

Automatic scoring against the BSI TR-03183 standard, with improvement recommendations.

Dependency Tree

Visualize direct and transitive dependencies with circular dependency detection.

Version Diff

Compare SBOMs across versions. Track what changed and why.
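The version comparison described here, as an added example that is not CRA Evidence's code: two CycloneDX component lists are matched by PURL with the version stripped (an assumption: that PURLs are present and stable across releases, with group:name as fallback), and each match is classified as added, removed, or modified. The sample SBOMs and digests are constructed. It goes one step beyond the text by separating two kinds of modification: a version bump, and a component whose version is unchanged but whose hash differs, which is the drift case a supply-chain reviewer most wants flagged.

```python
"""Diff two CycloneDX SBOMs: added, removed and modified components.

Added example, not CRA Evidence's code. Components are matched across
versions by their PURL with the version stripped (assumption: PURLs are
present and stable across releases), falling back to group:name.
"""
import re


def component_key(comp):
    """Version-independent identity of a component."""
    purl = comp.get("purl")
    if purl:
        # Drop "@version" but keep qualifiers (?...) and subpath (#...).
        return re.sub(r"@[^?#]*", "", purl)
    return f'{comp.get("group", "")}:{comp.get("name", "")}'


def _hash_set(comp):
    return frozenset((h.get("alg"), h.get("content")) for h in comp.get("hashes", []))


def diff_sboms(old, new):
    """Return added/removed keys and modified components with a reason.

    A component whose version is unchanged but whose hashes differ is
    reported with reason "hash": the same release now resolves to
    different bytes, which deserves a second look (rebuild, or tampering).
    """
    old_map = {component_key(c): c for c in old.get("components", [])}
    new_map = {component_key(c): c for c in new.get("components", [])}
    added = sorted(set(new_map) - set(old_map))
    removed = sorted(set(old_map) - set(new_map))
    modified = []
    for key in sorted(set(old_map) & set(new_map)):
        o, n = old_map[key], new_map[key]
        if o.get("version") != n.get("version"):
            modified.append({"key": key, "reason": "version",
                             "from": o.get("version"), "to": n.get("version")})
        elif _hash_set(o) != _hash_set(n):
            modified.append({"key": key, "reason": "hash",
                             "from": o.get("version"), "to": n.get("version")})
    return {"added": added, "removed": removed, "modified": modified}


def _c(name, version, digest=None):
    # Builds a constructed sample component (placeholder digests).
    comp = {"type": "library", "name": name, "version": version,
            "purl": f"pkg:npm/{name}@{version}"}
    if digest:
        comp["hashes"] = [{"alg": "SHA-256", "content": digest}]
    return comp


# Constructed sample SBOMs for two releases (assumed data).
OLD_SBOM = {"bomFormat": "CycloneDX", "components": [
    _c("libfoo", "4.17.20", "aaaa"), _c("libbar", "4.18.2", "bbbb"), _c("libqux", "1.3.0")]}
NEW_SBOM = {"bomFormat": "CycloneDX", "components": [
    _c("libfoo", "4.17.21", "cccc"), _c("libbar", "4.18.2", "dddd"), _c("libnew", "1.6.0")]}

if __name__ == "__main__":
    for kind, items in diff_sboms(OLD_SBOM, NEW_SBOM).items():
        print(kind, items)
```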

License Check

Identify problematic license combinations across your components.

Vulnerability Scanning

Find vulnerabilities before regulators do

Every SBOM is scanned against multiple vulnerability databases — NVD via Trivy and OSV.dev (aggregating GitHub Advisories, Go, Rust, and PyPI security data). Each finding is enriched with EPSS (Exploit Prediction Scoring System) from FIRST.org to estimate real-world exploitation likelihood in the next 30 days — so you fix what attackers are actually targeting, not just what scores highest on CVSS. Production and staging versions are rescanned automatically when vulnerability databases update, and all findings are cross-referenced with the CISA Known Exploited Vulnerabilities catalog.

Remediation tracking: Staged lifecycle per vulnerability (start, fix, verify, release), with status tracked per affected version.
Suppression management: Suppress false positives with justification, expiry dates, and approval workflows.
Reachability analysis: Mark components as reachable or unreachable to prioritize what actually matters.
CSAF advisories: Import, validate, and publish advisories through their full lifecycle, draft to final with semantic diff, supporting the CRA's vulnerability-handling requirements (Annex I, Part II).
Multi-source detection: Trivy + OSV.dev cross-reference. If one scanner misses a CVE, the other catches it; findings reported by both are merged into a single record.
Automated VEX workflow: Triage decisions auto-generate draft VEX statements. Suppressions, dismissals, and remediation status changes all feed the VEX bridge. Batch review and publish with one click. Export CycloneDX 1.6-compliant VEX per version.
VEX coverage tracking: Know exactly what percentage of your assessed vulnerabilities have published VEX statements. The coverage metric bridges suppression decisions, remediation status, and VEX authoring into one audit-ready number.
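The cross-referencing and prioritization described in this section, as an added example that is not CRA Evidence's code: findings from two scanners are collapsed onto one record per (CVE, package) by resolving GHSA identifiers through their CVE aliases, then ranked with CISA KEV entries first, EPSS probability second, and CVSS only as a tie-breaker. The simplified input shapes, the EPSS values, the KEV set, and the CVE/GHSA identifiers are constructed placeholders, not real scanner output or real vulnerabilities.

```python
"""Merge Trivy and OSV.dev findings, de-duplicate by CVE alias, rank by KEV/EPSS.

Added example, not CRA Evidence's code. The input shapes are simplified
stand-ins (assumed) for the two scanners' JSON; the EPSS scores, KEV set
and vulnerability IDs below are constructed placeholders, not real data.
"""


def canonical_id(finding):
    """Prefer a CVE ID so a GHSA from OSV and a CVE from Trivy collapse to one."""
    ids = [finding["id"], *finding.get("aliases", [])]
    cves = sorted(i for i in ids if i.upper().startswith("CVE-"))
    return cves[0] if cves else finding["id"]


def merge_findings(trivy, osv):
    """Key by (canonical id, affected package): the same CVE in two packages
    stays two findings, while the same CVE from two scanners becomes one."""
    merged = {}
    for source, items in (("trivy", trivy), ("osv", osv)):
        for f in items:
            cid = canonical_id(f)
            entry = merged.setdefault((cid, f["package"]), {
                "id": cid, "package": f["package"], "aliases": set(),
                "sources": set(), "cvss": 0.0})
            entry["aliases"].update(i for i in [f["id"], *f.get("aliases", [])] if i != cid)
            entry["sources"].add(source)
            entry["cvss"] = max(entry["cvss"], f.get("cvss") or 0.0)
    return merged


def prioritize(merged, epss, kev):
    """Order: known-exploited first, then EPSS probability, then CVSS, then ID."""
    rows = []
    for entry in merged.values():
        rows.append({**entry, "aliases": sorted(entry["aliases"]),
                     "sources": sorted(entry["sources"]),
                     "epss": epss.get(entry["id"], 0.0),
                     "kev": entry["id"] in kev})
    rows.sort(key=lambda r: (not r["kev"], -r["epss"], -r["cvss"], r["id"]))
    return rows


# Constructed scanner output (placeholder IDs, not real vulnerabilities).
TRIVY = [
    {"id": "CVE-2099-0001", "package": "pkg:npm/libfoo@1.2.3", "cvss": 9.8},
    {"id": "CVE-2099-0002", "package": "pkg:npm/libbar@2.0.0", "cvss": 5.3},
]
OSV = [
    {"id": "GHSA-aaaa-bbbb-cccc", "aliases": ["CVE-2099-0001"],
     "package": "pkg:npm/libfoo@1.2.3", "cvss": 9.8},
    {"id": "GHSA-dddd-eeee-ffff", "aliases": ["CVE-2099-0003"],
     "package": "pkg:npm/libbaz@0.9.0", "cvss": 7.5},
]
EPSS = {"CVE-2099-0001": 0.02, "CVE-2099-0002": 0.71, "CVE-2099-0003": 0.10}  # constructed
KEV = {"CVE-2099-0003"}  # constructed


def ranked_ids(trivy=TRIVY, osv=OSV, epss=EPSS, kev=KEV):
    """Canonical IDs in work order for the constructed data."""
    return [r["id"] for r in prioritize(merge_findings(trivy, osv), epss, kev)]


if __name__ == "__main__":
    for r in prioritize(merge_findings(TRIVY, OSV), EPSS, KEV):
        flag = "KEV " if r["kev"] else "    "
        print(f'{flag}{r["id"]:14} epss={r["epss"]:.2f} cvss={r["cvss"]} via {",".join(r["sources"])}')
```

In the constructed data the CVSS 9.8 finding ends up last: it has a 2% EPSS, while the CVSS 5.3 finding has a 71% probability of exploitation and the CVSS 7.5 one is in KEV. That inversion is the point of ranking on exploitation likelihood rather than severity alone.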

What happens when you upload

[Screenshot: CRA Evidence Security Events dashboard showing vulnerability and incident tracking with ENISA notification deadlines, severity levels, and per-product impact analysis]

Also supported: SARIF import, firmware analysis, VEX, OSV.dev, EPSS scoring.

NVD-Only Scanners vs. CRA Evidence

Capability                 | NVD only               | CRA Evidence
---------------------------|------------------------|------------------------------------------
Coverage                   | General CVEs           | NVD + GitHub + Go + Rust + PyPI
Exploit intelligence       | CVSS (severity only)   | EPSS (real-world probability)
CISA KEV alerting          | -                      | Automatic
Update frequency           | Daily                  | Continuous (synced with OSV.dev)
Ecosystem version matching | CPE-based              | npm, Maven, Go, Cargo, NuGet, Gem
VEX support                | Manual export (if any) | Auto-draft from triage, review, publish

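The triage-to-VEX bridge that the table's last row and the VEX authoring and automated VEX workflow features describe, as an added example that is not CRA Evidence's code: each triage decision is translated into a CycloneDX 1.6 vulnerability entry with an analysis block, and the result is a standalone VEX document. The triage record format, the decision-to-analysis mapping, and the sample decisions with their placeholder CVE IDs are assumptions; the state, justification, and response vocabularies are CycloneDX's own. Two edge cases from this page are handled: a suppression without written justification is rejected, and a suppression whose expiry date has passed is demoted to in_triage instead of staying not_affected.

```python
"""Draft a CycloneDX 1.6 VEX document from triage decisions.

Added example, not CRA Evidence's code. The triage record format, the
mapping table and the sample data are assumptions; the analysis
state/justification/response vocabularies are CycloneDX's own.
"""
import json
import uuid
from datetime import date, datetime, timezone

# Assumed triage outcomes -> CycloneDX analysis (state, justification, responses).
TRIAGE_TO_ANALYSIS = {
    "false_positive":  ("false_positive", None, []),
    "unreachable":     ("not_affected", "code_not_reachable", []),
    "mitigated":       ("not_affected", "protected_by_mitigating_control", ["workaround_available"]),
    "fix_released":    ("resolved", None, ["update"]),
    "fix_in_progress": ("exploitable", None, ["update"]),
    "open":            ("in_triage", None, []),
}
NEEDS_JUSTIFICATION = {"false_positive", "unreachable", "mitigated"}


def analysis_for(decision, today):
    """Translate one triage decision into a CycloneDX analysis object.

    Suppressions must carry written justification, and an expired
    suppression falls back to in_triage rather than silently staying
    not_affected: a lapsed exception is an open question, not a verdict.
    """
    outcome = decision["outcome"]
    if outcome not in TRIAGE_TO_ANALYSIS:
        raise ValueError(f'{decision["id"]}: unknown triage outcome {outcome!r}')
    if outcome in NEEDS_JUSTIFICATION and not decision.get("justification"):
        raise ValueError(f'{decision["id"]}: {outcome} requires a justification')
    expires = decision.get("expires")
    if outcome in NEEDS_JUSTIFICATION and expires and date.fromisoformat(expires) < today:
        outcome = "open"
    state, justification, responses = TRIAGE_TO_ANALYSIS[outcome]
    analysis = {"state": state}
    if justification:
        analysis["justification"] = justification
    if responses:
        analysis["response"] = responses
    if decision.get("justification"):
        analysis["detail"] = decision["justification"]
    return analysis


def draft_vex(product_ref, decisions, today=None, now=None):
    """Assemble a standalone CycloneDX VEX (vulnerabilities only, no components)."""
    today = today or date.today()
    now = now or datetime.now(timezone.utc)
    vulns = [{"id": d["id"], "analysis": analysis_for(d, today),
              "affects": [{"ref": product_ref}]} for d in decisions]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": now.isoformat().replace("+00:00", "Z")},
        "vulnerabilities": vulns,
    }


# Constructed triage decisions (placeholder IDs, not real vulnerabilities).
DECISIONS = [
    {"id": "CVE-2099-0001", "outcome": "unreachable",
     "justification": "Vulnerable parser is never invoked; input path removed in 2.1.0",
     "expires": "2030-01-01"},
    {"id": "CVE-2099-0002", "outcome": "false_positive",
     "justification": "Scanner matched a vendored copy that was patched downstream",
     "expires": "2027-01-01"},
    {"id": "CVE-2099-0003", "outcome": "fix_released"},
]


def sample_vex():
    """Draft for the constructed decisions as of 1 June 2027 (fixed date for reproducibility)."""
    return draft_vex("pkg:generic/my-app@2.1.0", DECISIONS, today=date(2027, 6, 1))


if __name__ == "__main__":
    print(json.dumps(sample_vex(), indent=2))
```

Run as of 1 June 2027, the second decision's suppression has expired, so the draft reports that CVE as in_triage and the reviewer has to renew or close it before publishing; that is the behaviour a coverage metric should count as "not yet assessed".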
Technical Documentation

Technical Documentation That's Actually CRA-Ready

Article 13 requires manufacturers to keep the technical documentation and the EU declaration of conformity for at least 10 years after the product is placed on the market, or for the support period, whichever is longer. We generate the Annex VII packages, certificates, and compliance reports so you're not scrambling when a market surveillance authority comes knocking.

Technical File Export

One ZIP with everything: machine-readable manifest (JSON), SBOMs (CycloneDX/SPDX), attestations, compliance checklist, and attribution reports. Human-readable and machine-readable, structured per Annex VII.

EU Declaration of Conformity

Generate EU DoC documents with proper formatting, versioning, and CE marking tracking.

Compliance Reports

PDF or HTML. Vulnerability summary, component inventory, quality scores, and remediation status in one report you can hand to auditors.

Security Data Sheet

Annex II security datasheet wizard. Draft it, validate it, publish it. Export as PDF, Markdown, or HTML.

Certificates

Certificate lifecycle: draft, issue, revoke. Immutable issued certificates with downloadable PDF generation.

Multi-language Documents

Generate documents in 6 languages: English, Spanish, German, French, Italian, Polish.

Annex I Readiness

Score your product against all 20 essential cybersecurity requirements from CRA Annex I Part I. Track what you've met and what's missing.

Artifact Signing

Sigstore-based signing for SBOMs and artifacts. Keyless and key-based modes with signature verification for supply chain integrity.

Support Period Tracking

Define and track each product's support period per CRA Article 13: at least 5 years, unless the product is expected to be in use for a shorter time. Alerts when products approach end-of-support.

ENISA Notifications

Meet Every ENISA Reporting Deadline

CRA Article 14 requires manufacturers to report actively exploited vulnerabilities and severe incidents affecting product security, simultaneously to the national CSIRT designated as coordinator and to ENISA, through the single reporting platform. The two tracks have different deadlines. CRA Evidence handles both with structured templates and countdown tracking.

24h

Early Warning

Initial vulnerability notification within 24 hours of becoming aware of the active exploitation. CVE ID, affected products, and attack complexity assessment.

72h

Detailed Notification

Technical analysis with remediation timeline, workarounds, and expanded impact assessment within 72 hours of becoming aware.

14d

Final Report

Resolution confirmation with permanent fix details, deployment timeline, and lessons learned. Due 14 days after a corrective or mitigating measure is available for vulnerabilities; for severe incidents, one month after the detailed notification.

Deadline reminders: Automatic alerts before each obligation expires.
ENISA SRP ready: Structured payloads for the ENISA Single Reporting Platform. Day-one integration when the API launches.
Submission history: Full audit trail of all generated notifications and status tracking.
Incident management: Separate workflow for severe incidents (Art. 14(3)). Final report due one month after the detailed notification, versus 14 days after a fix or mitigation is available for vulnerabilities.
PDF reports & overdue alerts: Early warning, detailed, and final report PDFs. Dashboard countdown when deadlines approach.
CSIRT coordination: Simultaneous notification to ENISA and your national CSIRT per Article 14.

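The deadline arithmetic behind the countdowns above, as an added example that is not CRA Evidence's code. It follows the Article 14 rules as stated on this page: early warning 24 hours and detailed notification 72 hours after becoming aware; final report 14 days after a fix or mitigation is available (vulnerabilities) or one month after the detailed notification (severe incidents). The event timestamps are constructed. Two practical caveats are built in: naive (timezone-less) datetimes are rejected, since a local-time "aware at" can silently move a 24-hour deadline, and the final deadline stays pending until its trigger event is known rather than being guessed.

```python
"""Compute and track CRA Article 14 reporting deadlines.

Added example, not CRA Evidence's code. Deadline rules follow Article 14
as described on this page; the event data is constructed; all timestamps
must be timezone-aware.
"""
import calendar
from datetime import datetime, timedelta, timezone


def _aware(dt, label):
    if dt is not None and dt.tzinfo is None:
        raise ValueError(f"{label} must be timezone-aware; naive local times shift deadlines")
    return dt


def _add_one_month(dt):
    """Same day next month, clamped to that month's length (31 Jan -> 28 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def deadlines(kind, aware_at, fix_available_at=None, detailed_submitted_at=None):
    """Return the three obligation deadlines for a vulnerability or an incident.

    The final deadline is None until its trigger is known: a fix/mitigation
    date for vulnerabilities; for incidents, the submitted detailed notification
    (the 72h deadline is used as a projection when it has not been sent yet).
    """
    aware_at = _aware(aware_at, "aware_at")
    fix_available_at = _aware(fix_available_at, "fix_available_at")
    detailed_submitted_at = _aware(detailed_submitted_at, "detailed_submitted_at")
    out = {"early_warning": aware_at + timedelta(hours=24),
           "detailed": aware_at + timedelta(hours=72)}
    if kind == "vulnerability":
        out["final"] = fix_available_at + timedelta(days=14) if fix_available_at else None
    elif kind == "incident":
        out["final"] = _add_one_month(detailed_submitted_at or out["detailed"])
    else:
        raise ValueError("kind must be 'vulnerability' or 'incident'")
    return out


def status(due, submitted, now):
    """Per obligation: met / met_late / overdue / open (hours left) / pending."""
    now = _aware(now, "now")
    report = {}
    for name, deadline in due.items():
        sent = submitted.get(name)
        if sent is not None:
            report[name] = "met" if deadline is None or sent <= deadline else "met_late"
        elif deadline is None:
            report[name] = "pending"
        elif now > deadline:
            report[name] = "overdue"
        else:
            hours_left = (deadline - now).total_seconds() / 3600
            report[name] = f"open ({hours_left:.0f}h left)"
    return report


# Constructed scenario: aware on 1 March 2027 10:00 UTC, fix shipped on 10 March.
AWARE = datetime(2027, 3, 1, 10, 0, tzinfo=timezone.utc)
FIX = datetime(2027, 3, 10, 9, 0, tzinfo=timezone.utc)
SUBMITTED = {"early_warning": datetime(2027, 3, 2, 8, 0, tzinfo=timezone.utc)}
NOW = datetime(2027, 3, 2, 12, 0, tzinfo=timezone.utc)


def sample_vulnerability_status():
    return status(deadlines("vulnerability", AWARE, fix_available_at=FIX), SUBMITTED, NOW)


def sample_incident_final_iso():
    """Incident whose detailed notification went out 31 Jan 2027: final due 28 Feb."""
    aware = datetime(2027, 1, 29, 9, 0, tzinfo=timezone.utc)
    detailed_sent = datetime(2027, 1, 31, 9, 0, tzinfo=timezone.utc)
    return deadlines("incident", aware, detailed_submitted_at=detailed_sent)["final"].isoformat()


if __name__ == "__main__":
    print(sample_vulnerability_status())
    print(sample_incident_final_iso())
```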
Built for Every CRA Role

Manufacturer, Importer & Distributor Dashboards

The CRA puts different obligations on manufacturers (Art. 13), importers (Art. 19), and distributors (Art. 20). Each role gets its own workspace with the workflows that actually matter to them.

Product & Version Management

Products organized by CRA category: Default, Important Class I/Class II, Critical. Each version tracks its release state, environment, and retention tier.

Full Artifact Pipeline

Upload SBOM, HBOM, and VEX per version. Quality scoring and vulnerability scanning kick in automatically.

Vulnerability & Incident Management

CVE tracking, remediation workflows, ENISA notifications. The security dashboard ranks everything by EPSS score and flags CISA KEV entries.

Technical File Generation

Annex VII export packages everything into a ZIP: machine-readable SBOMs, compliance checklists, attribution reports, and conformity declarations. Ready for automated market surveillance audits.

Customer Notifications

Vulnerability notification system for downstream customers. Multi-language templates with distribution list management.

Trust Badges

Embeddable compliance trust badges for your product pages. Link to public verification of your CRA compliance status.

Conformity Assessment Tracking

Track your conformity assessment route based on product category: internal control for Default products; for Important Class I, internal control where harmonised standards, common specifications, or a European cybersecurity certification scheme are fully applied, otherwise third-party assessment; third-party assessment for Important Class II; and for Critical products, European cybersecurity certification where a scheme is available, otherwise third-party assessment.

Article 19 Verification Workflow

Step-by-step checklist covering what Article 19 requires: CE marking check, Annex II review, importer ID on product, EU DoC collected, final sign-off.

Manufacturer Registry

Keep track of your manufacturers: contacts, EU representatives, CVD/CSAF metadata. Set how often each one needs reverification.

Stop-Ship Decisions

Found a problem? Block the product. Record your justification, notify stakeholders, and report to the authority. Everything is tracked.

Reverification Triggers

New vulnerability found? Major update released? Review date coming up? You'll get an alert to reverify.

Clone Verifications

Reviewing a new version of the same product? Clone the previous verification. Checklist state and manufacturer data carry over.

Verification Dashboard

See where everything stands at a glance: how many products are verified, pending, blocked, or due for reverification.

Article 20 Due Care Checklist

Everything Article 20 asks for, in a checklist: product ID and traceability, CE marking, EU declaration, manufacturer contacts, anomaly detection.

CE Evidence Upload

Upload your CE marking evidence: photos, scans, certificates. File type and size checks are built in, and everything is audit-logged.

Verification Certificates

Generate PDF certificates proving due care compliance. Includes distributor details, scope, date, and unique verification number.

Stop-Ship Actions

Something's wrong? Stop distribution. The justification is recorded, and authorities and manufacturers are notified.

Portfolio View

See all your verifications in one place. Filter by status, product, or completion date to find what needs attention.

Compliance Progress

Visual progress bars per product. You can see at a glance how far along each verification is and what's left.

CI/CD & Automation

Fits into your build pipeline

There's a CLI and a REST API. Upload SBOMs, trigger scans, and gate releases from CI. Works with GitHub Actions, GitLab CI, or anything that can run a shell command.

CLI tool: Upload SBOM/HBOM/VEX, scan, check status, manage releases, and compare versions from the terminal.
Severity fail thresholds: Fail CI builds when critical or high vulnerabilities are detected. Configurable per pipeline.
Scoped API keys: Fine-grained permissions (sbom:read, sbom:write, vuln:read, vuln:write, and more). Rate-limited and audited.
Webhooks: Receive events for vulnerability discoveries, ENISA deadline warnings, and other compliance events.
Policy engine: Policy-as-code rules for licenses, vulnerability thresholds, quality scores, and blocked components. Scope from global to per-version.
Release approval gates: Configurable approval workflows before version releases. Manual gates and automated condition checks.

# Scan a Docker image and upload the SBOM
$ docker run --rm \
    -e CRA_EVIDENCE_API_KEY="cra_xxx" \
    -v /var/run/docker.sock:/var/run/docker.sock \
    craevidence/cli:latest \
    upload-sbom \
      --product my-app \
      --version 2.1.0 \
      --image my-app:2.1.0 \
      --scan --fail-on high

Upload successful!

Product       my-app (created new)
Version       2.1.0 (created new)
Components    142
Quality Score 87%

Vulnerabilities
  Critical    0
  High        0
  Medium      3
  Low         1

Note that mounting /var/run/docker.sock into the CLI container hands it control of the host's Docker daemon, which is effectively root on the runner. On shared CI runners, prefer generating the SBOM file with your build's own tooling and uploading that file with the CLI, and inject the API key from the CI secret store rather than as a literal.
Runs on GitHub Actions, GitLab CI, Jenkins, or any CI.

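A release gate of the kind the severity thresholds and policy engine above describe, as an added example that is not CRA Evidence's CLI or policy engine: a policy document is evaluated against one version's scan result and the process exit code tells the CI job whether to proceed. The policy keys, the scan-result shape, and the sample data with placeholder CVE IDs are assumptions chosen to exercise the checks this page lists (severity threshold, quality floor, denied licenses, blocked components), with approved suppressions honoured and KEV entries failing the build regardless of their severity label.

```python
"""Policy-as-code release gate for a CI pipeline.

Added example, not CRA Evidence's CLI or policy engine. The policy keys,
the scan-result shape and the sample data are assumptions chosen to show
the checks the page lists: severity threshold, quality floor, denied
licenses and blocked components, with suppressions honoured.
"""
import sys

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}


def evaluate(policy, scan):
    """Return (passed, violations) for one scanned product version."""
    violations = []
    threshold = SEVERITY_RANK[policy.get("fail_on", "critical")]
    suppressed = set(policy.get("suppressed", []))
    for f in scan.get("findings", []):
        if f["id"] in suppressed:
            continue  # approved suppression: excluded from the gate
        sev = SEVERITY_RANK.get(f.get("severity", "unknown").lower(), 0)
        # A KEV entry fails the gate even if its severity label is below the threshold.
        if f.get("kev") and policy.get("fail_on_kev", True):
            violations.append(f'{f["id"]} in {f["package"]}: listed in CISA KEV')
        elif sev >= threshold:
            violations.append(f'{f["id"]} in {f["package"]}: severity {f["severity"]}')
    min_quality = policy.get("min_quality_score", 0)
    if scan.get("quality_score", 0) < min_quality:
        violations.append(f'quality score {scan.get("quality_score")} below {min_quality}')
    denied = {lic.upper() for lic in policy.get("denied_licenses", [])}
    blocked = set(policy.get("blocked_components", []))
    for comp in scan.get("components", []):
        if comp.get("license", "").upper() in denied:
            violations.append(f'{comp["purl"]}: denied license {comp["license"]}')
        if comp["purl"] in blocked:
            violations.append(f'{comp["purl"]}: blocked component')
    return not violations, violations


def exit_code(policy, scan):
    """0 when the gate passes, 1 when it blocks the release (CI convention)."""
    passed, _ = evaluate(policy, scan)
    return 0 if passed else 1


# Constructed policy and scan result (placeholder IDs, not real vulnerabilities).
POLICY = {"fail_on": "high", "fail_on_kev": True, "min_quality_score": 80,
          "denied_licenses": ["AGPL-3.0-only"],
          "blocked_components": ["pkg:npm/libqux@1.3.0"],
          "suppressed": ["CVE-2099-0002"]}
SCAN = {"quality_score": 87,
        "findings": [
            {"id": "CVE-2099-0001", "package": "pkg:npm/libfoo@1.2.3", "severity": "medium", "kev": True},
            {"id": "CVE-2099-0002", "package": "pkg:npm/libbar@2.0.0", "severity": "high", "kev": False},
            {"id": "CVE-2099-0004", "package": "pkg:npm/libbaz@0.9.0", "severity": "low", "kev": False}],
        "components": [
            {"purl": "pkg:npm/libfoo@1.2.3", "license": "MIT"},
            {"purl": "pkg:npm/libqux@1.3.0", "license": "AGPL-3.0-only"}]}

if __name__ == "__main__":
    passed, problems = evaluate(POLICY, SCAN)
    for p in problems:
        print("FAIL:", p)
    sys.exit(exit_code(POLICY, SCAN))
```

Keep the policy file under version control next to the pipeline definition so that every suppression and threshold change is itself an auditable commit.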
Integrations

Works with what you already use

Jira

Create issues for vulnerabilities directly

Slack

Real-time vulnerability and deadline alerts

GitHub

Security advisory sync and repo integration

Dependency-Track

Import SBOMs from existing instances

Microsoft Teams

Notifications in your Teams channels

ENISA Deadlines

Automated 24h, 72h, 14d/30d reminders

Supplier Portal

Customer-facing SBOM sharing with access control

Generic Webhook

Send events to any HTTP endpoint

Security & Trust

Built to be trusted with your compliance data

Access Control
Role-Based Access

Owner, Admin, Member, Viewer roles. Scoped API keys with fine-grained permissions.

SSO & MFA

SAML 2.0, Google & Microsoft OAuth, SCIM provisioning. TOTP multi-factor.

Data Protection
Encryption

AES-256 at rest, TLS 1.3 in transit. Argon2id password hashing.

Multi-Tenancy

Complete tenant isolation. Every query enforces organisation boundaries.

Observability
Audit Logging

Full traceability of all actions. Queryable audit trail with CSV export.

Rate Limiting

Sliding window rate limiting on login, API, and upload endpoints.

Compliance
Content Security

Strict CSP headers, CSRF protection, HTML sanitization, and HSTS.

10-Year Retention

Production data retained for 10 years per CRA Article 13. Tier-based retention.

Free Tools

Not sure if the CRA applies to you?

Figure out your obligations before signing up for anything. These tools are free and don't require an account.

CRA Applicability Checker: 11-question wizard to determine whether the Cyber Resilience Act applies to your product. Covers sector exemptions, connectivity requirements, and product classification.
CRA Role Quiz: Find out whether you're a manufacturer, importer, or distributor under the CRA. Different roles have different obligations.
Shareable results: Share your assessment results with colleagues or legal teams via a unique URL. Available in all 6 languages.

No signup required. Takes about 2 minutes.

Start your CRA evidence system now.

Map obligations, generate evidence, and stay audit-ready before the CRA's main obligations apply on December 11, 2027 (the Article 14 reporting obligations apply earlier, from September 11, 2026). 14-day free trial, no credit card.
