Beta We're open for early access!
Join Beta

EU Cyber Resilience Act Compliance Platform

CRA Evidence helps manufacturers, importers, and distributors meet EU Cyber Resilience Act requirements.

Auto-generate your EU DoC, risk assessment & technical file, ready for every product version
Digital Product Passport tailored to each product version
Detect new CVEs with our vulnerability knowledge base (VKB)
Auto-generate VEX statements with our algorithm or author them manually
Start 14-Day Free Trial Learn More
CRA 2024/2847 TR-03183 CycloneDX & SPDX
CRA Evidence Version Compliance Center showing product versions with CRA readiness status, required documents such as Risk Assessment and EU Declaration, release dates, and environment tracking Click to enlarge
CycloneDX
1.6 Supported
SPDX
2.2.1+ Supported
TR-03183
BSI Compliant
10 Years
Document Retention

CRA Compliance Timeline

Key dates you need to know

11 September 2026

Vulnerability reporting via the ENISA Single Reporting Platform begins for all manufacturers. Report actively exploited vulnerabilities within 24 hours.

11 December 2027

Full CRA enforcement for new products. Products already on the market before this date are grandfathered unless substantially modified.

10+ Years

Documentation retention period. Technical files must be kept for the lifetime of the product or at least 10 years.

Free Tool No account required

Does the CRA Apply to Your Product?

Answer 6 simple questions to find out if your product falls under the EU Cyber Resilience Act scope. Get your result in under 2 minutes.

Check Now

Everything You Need: SBOMs, Vulnerability Scanning, Automated VEX & Technical Documentation

One platform to manage your entire Cyber Resilience Act readiness workflow, from SBOMs to Digital Product Passports

Automated SBOM Validation

Upload and validate CycloneDX artifacts (SBOM, HBOM, VEX). Track software and hardware components, licenses, and vulnerabilities across all your products.

CRA Technical File Generation

Manage all CRA-required documents: risk assessments, EU Declaration of Conformity, user documentation, and vulnerability policies.

Vulnerability Tracking

Vulnerability Knowledge Base synced every 15 minutes from NVD, OSV.dev, CISA KEV with EPSS exploit probability scoring. Auto-generate VEX statements from triage decisions. Track remediation and ENISA Article 14 deadlines per version.

Product Versioning

Organize products and versions with full traceability. Link artifacts (SBOM, HBOM, VEX), documents, and vulnerabilities to specific releases.

Audit-Ready Export Packages

Generate audit-ready technical file bundles with all required documentation. Ready for regulators and market surveillance.

Compliance in Your CI/CD Pipeline

API-first design with support for automated artifact uploads from your build pipeline. GitHub Actions, GitLab CI, and more.

Role-Specific Workflows

Tailored dashboards for manufacturers (Art. 13), importers (Art. 19), and distributors (Art. 20). Each role gets the workflows that matter to them.

Automated Vulnerability Scanning

Scan SBOMs against our Vulnerability Knowledge Base covering NVD, GitHub Advisories, and CISA KEV. EPSS risk scoring helps you prioritize what to fix first.

API & Webhooks

REST API and webhook notifications for all platform events. Connect with Jira, Slack, GitHub, or any tool in your workflow.

Digital Product Passports

Generate dynamic, publicly accessible Digital Product Passports for software and hardware products. QR codes for physical labeling, JSON-LD, and PDF export — multi-language and machine-readable.

Conformity Assessment

Score your product against all 20 essential cybersecurity requirements from CRA Annex I. Track what you've met, what's missing, and generate your EU Declaration of Conformity.

Multi-Language Documents

Generate technical documentation, compliance reports, and Digital Product Passports in 6 EU languages: English, Spanish, German, French, Italian, and Polish.

See All Features

How It Works

Get audit-ready before December 2027

1
Set Up Your Organization

Create your workspace, invite your team, classify products by CRA category (Default, Important Class I/Class II, Critical).

2
Upload Artifacts & Evidence

SBOMs, technical documents, risk assessments, and compliance evidence per product version. Auto-validated against TR-03183.

3
Scan & Monitor Vulnerabilities

Own Vulnerability Knowledge Base synced every 15 minutes from NVD, GitHub Advisories, and CISA KEV. Production versions automatically rescanned when new CVEs appear.

4
Generate CRA Audit-Ready Documentation

Annex VII technical files, EU Declarations of Conformity, compliance reports, and ENISA notification templates.

5
Stay Audit-Ready

10-year retention, full audit trails, and exportable evidence packages for market surveillance authorities.

1
Register Your Supply Chain

Add manufacturers and their products. Track contacts, EU representatives, and compliance metadata.

2
Verify Manufacturer Compliance

Step-by-step Article 19 checklist: CE marking, EU DoC, Annex II review, importer ID on product, final sign-off.

3
Monitor & Act

Reverification triggers when new vulnerabilities appear or review dates approach. Stop-ship decisions when needed.

1
Add Products to Your Portfolio

Register the connected products you distribute. Upload CE marking evidence and manufacturer documentation.

2
Complete Due Care Checks

Article 20 checklist: product ID, CE marking, EU declaration, manufacturer contacts, anomaly detection.

3
Generate Verification Certificates

PDF certificates proving due care compliance. Unique verification numbers, audit-logged, stored for 10 years.

Ready to Get CRA-Ready?

Join companies already preparing for CRA 2027. Start your free trial today.

Start Free Trial Sign In
EU Cyber Resilience Act compliance guide CRA compliance insights