100% Free & Open Source

CRA Compliance
Shouldn't Cost a Fortune

Complaro gives you everything for free — SBOM analysis, vulnerability scanning across OSV.dev, CISA KEV, and GitHub Advisories, ENISA report generation, and a full compliance dashboard. No limits, no paywalls, no account gates.

Start Now — It's Free View on GitHub

Unlimited productsUnlimited scansENISA reports includedNo credit card ever

CRA Reporting Deadline

20707

days

hrs

min

sec

app.complaro.com

Product Dashboard

3 products · Last scan 2 min ago

3 Products

Payment ServiceDefault

No vulnerabilities

IoT GatewayClass I

2 vulnerabilities found

Auth LibraryClass II

1 vulnerability found

Free Tool

CRA Readiness Scanner

Enter a public GitHub repository and get an instant CRA readiness score. See what's missing before the September 2026 deadline.

How It Works

From SBOM to CRA Compliance Readiness

Three steps between uploading your first SBOM and generating a compliance-ready incident report draft.

SBOM Analysis

express4.18.2

...

lodash4.17.21

...

xz-utils5.6.0

...

openssl3.1.4

...

Classification: Default (Art. 6)

4 components analyzed · 1 critical, 1 warning

Identify and Classify Your Products

Upload your Software Bill of Materials or let cra-scanner detect one. The platform maps every component against CRA Annex III and Annex IV to determine your product classification and which essential requirements apply.

Vulnerability Detected

CRITICAL

CVE-2024-3094

xz-utils 5.6.0 · Actively exploited

CVSS: 9.8

CISA KEV: Yes

EPSS: 0.97

⚠

May trigger 24h ENISA reporting

Article 14(2)(a) · Early warning required

NVD

CISA KEV

GitHub SA

Scan for Known Vulnerabilities

Complaro matches your SBOM components against NVD, CISA Known Exploited Vulnerabilities, and GitHub Security Advisories. Version-aware matching reduces false positives while flagging actively exploited CVEs that trigger the 24-hour ENISA reporting obligation.

ENISA Report

Draft ready for review

Subject

Early Warning - CVE-2024-3094

Report Type24h Early Warning

ProductIoT Gateway v2.1

Affected Componentxz-utils 5.6.0

CVSS Score9.8 Critical

ENISA ReferenceArt. 14(2)(a)

Generate ENISA-Format Reports

Export pre-filled vulnerability reports in the three CRA-mandated formats: 24-hour early warning, 72-hour incident notification, and 14-day final report. Available as PDF and machine-readable JSON.

Platform

Purpose-Built for the EU Cyber Resilience Act

Unlike general-purpose vulnerability scanners, Complaro is designed specifically for CRA compliance. The platform understands CRA product classification and scores your readiness across five compliance dimensions.

Integration

CI/CD Integration

Connect Complaro to your development workflow. Scan SBOMs automatically on every release and catch compliance issues before they ship.

GitHub Actions

GitLab CI

Jira

Slack

complaro-ci / mainrunning...

Push to main

feat: update payment-service SBOM · 14s ago

Generate SBOM...

Vulnerability Scan

CRA Classification

Compliance Check

Upload Report

Critical Alert

24-Hour Vulnerability Reporting

When a CVE hits your dependencies, Complaro flags it, helps assess your reporting deadline, and generates pre-filled ENISA-format reports before your team has finished their morning coffee.

24h

Early Warning

72h

Notification

14d

Final Report

Actively exploited vulnerability detected

Just now · Automatic scan

CRITICAL

CVE-2024-3094

xz-utils 5.6.0 · Backdoor in upstream distribution tarball

9.8

CVSS

CISA KEVNVDGitHub AdvisoryEPSS: 0.97

Article 14(2)(a) - Early warning deadlineStarted 15h 36m ago

8h 24m remaining24h deadline

Reports

ENISA Report Generation

Reports come pre-filled with data from your scan. Add the details only your team knows, export as PDF or JSON, and submit to ENISA.

Subject

Early Warning - CVE-2024-3094

Report Type24h Early Warning

ProductIoT Gateway v2.1

Affected Componentxz-utils 5.6.0

CVSS Score9.8 Critical

ENISA ReferenceArt. 14(2)(a)

Dashboard

Multi-Product Dashboard

Manage compliance across your entire product portfolio from a single interface. Track everything per product.

Portfolio Overview0 products

Compliant

At Risk

Critical

Payment APIDefault

0+3

IoT GatewayClass I

0-2

Auth ServiceClass II

0+5

Mobile SDKDefault

0+1

Why Complaro

Everything You Need. Nothing to Pay.

We believe compliance tooling should be accessible to every team — from solo developers to large organizations. Every feature is included, always.

Vulnerability Reports in Minutes, Not Weeks

The CRA gives you one day to report an exploited vulnerability. Complaro helps you generate the report in minutes.

Built for Engineers

Made for the team that actually manages dependencies, not for consultants filling out PDFs.

Every Product. One View.

Whether you ship one product or a hundred, every compliance score and deadline lives in the same dashboard.

Fits What You Already Use

Imports SBOMs from Snyk, Sonatype, Trivy, or your own pipeline. Nothing to rip and replace.

Always Watching

NVD, CISA KEV, and GitHub Advisories are checked continuously. You hear about new threats before your morning standup.

Not a Consulting Invoice

Traditional CRA assessments can cost tens of thousands in consulting fees. Complaro is free.

For Your README

CRA Compliance Badge

Show your CRA readiness on your GitHub README. The badge updates daily.

CRA Readiness badge for Complaro/cra-scanner

GitHub Repository

Markdown

![CRA Readiness](https://complaro.com/api/badge?repo=Complaro/cra-scanner)

About

Who We Are

Complaro is a Copenhagen-based team focused exclusively on EU Cyber Resilience Act tooling. We build open source tools including cra-scanner, a free CLI for CRA readiness assessment, and this platform for teams that need continuous compliance management.

About us

Member of

FAQ

Your Questions, Answered

Answers to your most common questions about the CRA and Complaro.

The CRA (Regulation 2024/2847) is an EU regulation requiring manufacturers of products with digital elements to meet cybersecurity requirements throughout the product lifecycle. It covers vulnerability handling, SBOM provision, and incident reporting to ENISA.

Reporting obligations start 11 September 2026. All other requirements (vulnerability handling, SBOM, documentation, conformity assessment) apply from 11 December 2027.

Any manufacturer placing a product with digital elements on the EU market, including commercial software, IoT devices, and open-source projects with a commercial activity. SaaS is generally out of scope unless it involves embedded or downloadable components.

A Software Bill of Materials is a machine-readable inventory of all components in your software. The CRA requires it under Article 13(5) and Annex I Part II(1) so that downstream users and market surveillance authorities can identify vulnerable components.

Complaro helps automate the three hardest parts: classifying your products under CRA Annex III/IV, continuously scanning for known vulnerabilities, and generating pre-filled ENISA-format incident reports when actively exploited vulnerabilities are discovered. The platform scores your readiness across five CRA compliance dimensions.

Interactive Tool

Is My Product in Scope?

Answer a few questions to find out if the CRA applies to your product and what category it falls under.

Question 1 of 6

Does your product contain software or firmware?

Contact

Get in Touch

Questions about CRA compliance or Complaro? We'd love to hear from you.

100% Free

Full CRA compliance tooling.
No cost. No limits.

SBOM analysis. Vulnerability scanning. ENISA reports. Compliance dashboard. CI/CD integrations. All of it. Zero cost.