What is the EU Cyber Resilience Act?

The CRA (Regulation 2024/2847) is an EU regulation requiring manufacturers of products with digital elements to meet cybersecurity requirements throughout the product lifecycle. It covers vulnerability handling, SBOM provision, and incident reporting to ENISA.

When does the CRA take effect?

Reporting obligations start 11 September 2026. All other requirements (vulnerability handling, SBOM, documentation, conformity assessment) apply from 11 December 2027.

Who does the CRA apply to?

Any manufacturer placing a product with digital elements on the EU market, including commercial software, IoT devices, and open-source projects with a commercial activity. SaaS is generally out of scope unless it involves embedded or downloadable components.

What is an SBOM and why does the CRA require it?

A Software Bill of Materials is a machine-readable inventory of all components in your software. The CRA requires it under Article 13(5) and Annex I Part II(1) so that downstream users and market surveillance authorities can identify vulnerable components.

How does Complaro help with CRA compliance?

Complaro helps automate the three hardest parts: classifying your products under CRA Annex III/IV, continuously scanning for known vulnerabilities, and generating pre-filled ENISA-format incident reports when actively exploited vulnerabilities are discovered.

Reporting deadline: September 11, 2026

Automate CRA Compliance Before the Deadline

Complaro is the only CRA compliance platform with automated ENISA Article 14 vulnerability reporting, open source tooling, and transparent pricing. Go from SBOM to compliance readiness in minutes.

Start Free Try cra-scanner (free CLI)

What Complaro Automates

The EU Cyber Resilience Act (Regulation 2024/2847) requires manufacturers to manage cybersecurity across the entire product lifecycle. Complaro automates the hardest parts.

SBOM Analysis

Upload CycloneDX or SPDX SBOMs. We parse every component, resolve package URLs, and map your full dependency tree automatically.

Vulnerability Scanning

Continuous monitoring against OSV.dev, GitHub Security Advisories, and CISA KEV. Ecosystem-aware version matching eliminates false positives.

ENISA Reporting

Pre-filled Article 14 reports for the 24-hour, 72-hour, and 14-day deadlines. One-click generation when actively exploited vulnerabilities are found.

Product Classification

Classify your products under CRA Annex III (Important) or Annex IV (Critical). Know your conformity assessment path before the deadline.

Three Steps to CRA Compliance

Upload Your SBOM

Upload a CycloneDX or SPDX file, or let cra-scanner discover SBOMs in your repository. We extract every component with name, version, and package URL. No SBOM yet? Our guide on generating SBOMs walks you through it in 5 minutes.

Continuous Vulnerability Monitoring

Every component is matched against OSV.dev, GitHub Security Advisories, and the CISA Known Exploited Vulnerabilities catalog. Version-aware matching using semver (npm, Cargo, Go) and PEP 440 (Python) eliminates false positives. You get alerted the moment a new vulnerability affects your product.

Automated ENISA Reports

When an actively exploited vulnerability is discovered, Complaro generates pre-filled ENISA Article 14 reports in the correct format. The 24-hour early warning, 72-hour incident notification, and 14-day final report are populated with vulnerability details, affected product information, severity assessment, and recommended corrective measures.

Why Teams Choose Complaro

Built specifically for the CRA, not adapted from generic compliance tooling.

ENISA Article 14 Reporting

The only platform that generates pre-filled ENISA reports in the 24h/72h/14-day format. Our competitors don't offer this.

Open Source Foundation

cra-scanner is free and MIT-licensed on PyPI. Assess your CRA readiness without vendor lock-in.

Transparent Pricing

Free tier for one product. SME at EUR 299/month. Mid-market at EUR 899/month. No hidden costs, no "contact us" gates.

Complaro vs. Manual CRA Compliance

Task	Manual Process	With Complaro
SBOM generation & analysis	Hours per product per release	Upload and parsed in seconds
Vulnerability monitoring	Weekly manual checks across NVD, OSV, GHSA	Continuous, automated, real-time alerts
ENISA 24h early warning	Scramble to find data, draft from scratch	Pre-filled, one-click generation
Product classification	Read 100+ pages of CRA annexes	Guided questionnaire, instant result
CRA readiness assessment	Hire a consultant for EUR 10,000+	Free with cra-scanner CLI
Ongoing compliance tracking	Spreadsheets and calendar reminders	Dashboard with readiness scores

CRA Compliance Timeline

December 10, 2024

CRA entered into force

June 11, 2026

Conformity assessment bodies begin operations

September 11, 2026

Vulnerability reporting obligations begin (ENISA Article 14)

December 11, 2027

Full compliance required (CE marking, documentation, all essential requirements)

CRA Compliance Automation FAQ

How long does it take to get started with Complaro?

Under 5 minutes. Sign up, upload your first SBOM, and get your CRA readiness score immediately. No installation, no onboarding call required.

Do I need to generate an SBOM first?

If you already have a CycloneDX or SPDX SBOM, upload it directly. If not, use cra-scanner to discover SBOMs in your repository, or follow our SBOM generation guide to create one in minutes.

What vulnerability databases does Complaro use?

OSV.dev (primary, with ecosystem-aware matching), GitHub Security Advisories (fallback), and CISA Known Exploited Vulnerabilities catalog (for ENISA reporting triggers). We do not rely on NVD keyword matching, which produces excessive false positives.

Does Complaro generate actual ENISA reports?

Yes. Complaro generates pre-filled reports for all three ENISA Article 14 stages: the 24-hour early warning, 72-hour incident notification, and 14-day final report. Reports include vulnerability details, affected product information, severity assessment, and recommended corrective measures.

Is cra-scanner free?

Yes. cra-scanner is a fully open source MIT-licensed CLI tool on PyPI. It works standalone without a Complaro account. The platform adds continuous monitoring, team collaboration, and automated ENISA reporting.

What CRA product categories does Complaro support?

All three: Default (self-assessment), Important (Annex III Class I and II), and Critical (Annex IV). The platform guides you through classification and identifies the correct conformity assessment path.

Start Your CRA Compliance Journey Today

The September 2026 ENISA reporting deadline is approaching. Every week you wait is a week less to prepare.

Get Started Free Read the Compliance Checklist