EU CRA

Regulation (EU) 2024/2847 — Cyber Resilience Act

December 2027 Is Closer Than You Think. Can You Prove Every Product With Digital Elements Meets 21 Essential Cybersecurity Requirements?

The CRA mandates lifecycle cybersecurity for every product with digital elements on the EU market—SBOM documentation, vulnerability reporting, conformity assessments, and CE marking. Reporting obligations start September 2026. Full compliance by December 2027. Penalties reach €15 million or 2.5% of global turnover. Certivo automates CRA evidence collection from supplier cybersecurity declarations to audit-ready technical documentation.

21: Essential cybersecurity requirements in Annex I

24 hrs: Maximum vulnerability reporting window to ENISA

€15M: Maximum penalty for non-compliance (or 2.5% global turnover)

Regulation Overview

Jurisdiction: European Union / European Economic Area

Regulatory Body: European Commission / ENISA (enforcement via national market surveillance authorities)

Regulation Number: Regulation (EU) 2024/2847

Effective Date: Entered into force December 10, 2024 (full application December 11, 2027)

Key Threshold: All products with digital elements placed on the EU market

What is the Cyber Resilience Act?

The EU Cyber Resilience Act is the first horizontal regulation imposing mandatory cybersecurity requirements on all products with digital elements sold in the EU. For supply chain and compliance teams, this means collecting, validating, and maintaining cybersecurity evidence across every component, supplier, and software dependency in your product portfolio.

The CRA requires manufacturers to meet 21 essential cybersecurity requirements covering secure-by-design development, vulnerability handling, and lifecycle support. Products must carry CE marking to prove CRA conformity. Manufacturers must maintain SBOMs, report actively exploited vulnerabilities to ENISA within 24 hours, and retain technical documentation for 10 years.

CRA compliance requires component-level cybersecurity evidence from every supplier in your chain. Third-party components cannot compromise product security—and the manufacturer bears responsibility for proving it.

Key Components / Sub-Frameworks

Annex I, Section 1: Essential product cybersecurity requirements
Obligation: 13 requirements covering security by design, access control, data protection, resilience

Annex I, Section 2: Vulnerability handling requirements
Obligation: 8 requirements covering disclosure, patching, SBOM maintenance

Product Classification: Default, Important (Class I/II), Critical
Obligation: Determines conformity assessment pathway

Conformity Assessment: Self-assessment or third-party (notified body)
Obligation: Required before CE marking and market placement

SBOM Requirement: Software Bill of Materials
Obligation: Machine-readable, top-level dependencies minimum, provided to authorities on request

Vulnerability Reporting: Notification to ENISA and national CSIRTs
Obligation: 24-hour initial report, 72-hour follow-up, 14-day final report

CRA Vulnerability Reporting Obligations Begin September 11, 2026. Is Your Supply Chain Ready?

Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours starting September 2026—18 months before full CRA application. If your suppliers cannot provide vulnerability data, component SBOMs, and security attestations today, you will not be ready.

Key Compliance Requirements

Who Must Comply

  • Manufacturers of hardware and software products with digital elements sold in the EU

  • Importers placing products with digital elements on the EU market

  • Distributors making products with digital elements available in the EU

  • Non-EU companies selling through EU importers or authorized representatives

  • Companies integrating third-party components into products with digital elements

  • Open-source stewards commercially distributing software in the EU market

Key Thresholds

All products with digital elements: In scope if product connects directly or indirectly to a device or network

24 hours: Maximum time to report actively exploited vulnerabilities to ENISA

72 hours: Follow-up vulnerability report deadline

10 years: Minimum technical documentation retention (or support period, whichever is longer)

Core Obligations

1. Vulnerability Reporting: Report actively exploited vulnerabilities and severe incidents to ENISA and national CSIRTs
   Deadline: Within 24 hours of awareness (from September 11, 2026)

2. SBOM Documentation: Maintain machine-readable SBOM listing at minimum top-level dependencies
   Deadline: Available to authorities on request (from December 11, 2027)

3. Conformity Assessment: Self-assessment (Default) or third-party assessment (Important/Critical products)
   Deadline: Before product placement on EU market

4. CE Marking: Affix CE marking after successful conformity assessment
   Deadline: Required for market access from December 11, 2027

5. Technical Documentation: Complete technical file including risk assessment, SBOM, test results, conformity declaration
   Deadline: Retained for 10 years after market placement

CRA-Specific Pain Points

The SBOM Black Hole

You need a machine-readable SBOM for every product. Your product contains 200 components from 40 suppliers. Twelve suppliers provide no software documentation. Eight provide outdated BOMs. The rest use incompatible formats. You have no unified view of what's actually in your products—let alone their vulnerability status.

The 24-Hour Reporting Countdown

A critical vulnerability is discovered in a third-party library embedded three tiers deep in your product. ENISA requires notification within 24 hours. You don't know which products are affected, which suppliers provided the component, or whether a patch exists. The clock is already running.

The Conformity Evidence Gap

Important Class II products require third-party conformity assessment. The notified body requests your technical documentation—risk assessments, SBOM, test reports, supplier security attestations. Your evidence is scattered across email threads, SharePoint folders, and supplier portals. Compiling the file takes weeks.

The Supply Chain Accountability Trap

The CRA holds manufacturers responsible for third-party component security. Your supplier's component fails a cybersecurity requirement—your product loses CE marking eligibility. Without systematic supplier cybersecurity declarations and component-level tracking, you cannot prove due diligence.

Certivo In Action

CRA Workflow

GET EVIDENCE IN

Collect Cybersecurity Declarations and SBOMs from Every Supplier—Without the Chasing

CORA launches targeted campaigns to collect supplier cybersecurity attestations, component SBOMs, vulnerability disclosures, and security update commitments. Automated follow-up in suppliers' native languages.

  • Launch CRA declaration campaigns to hundreds of suppliers with one click

  • CORA-powered outreach requesting SBOMs, security attestations, and patch commitments

  • Accept any format: CycloneDX, SPDX, PDF attestations, Excel inventories, freeform responses

  • Track response rates and escalate non-responders automatically

MAKE SENSE OF IT

Know Instantly Which Products Meet CRA Essential Requirements—and Which Don't

CORA-driven compliance intelligence parses supplier SBOMs and cybersecurity declarations, validates component data against known vulnerability databases, and flags conformity gaps automatically.

  • CORA-enabled analysis extracts component identifiers, versions, dependencies, and security properties

  • Automatic validation against CRA's 21 essential cybersecurity requirements

  • Real-time alerts when new vulnerabilities affect components in your products

  • Product-level conformity status with gap analysis for each essential requirement

PROVE COMPLIANCE OUT

Generate Technical Documentation and Conformity Evidence in Hours, Not Months

Produce audit-ready technical files, conformity declarations, and customer-facing CRA documentation instantly from validated supplier data.

  • One-click technical documentation packages aligned with Annex VII requirements

  • Pre-structured conformity assessment evidence for notified body review

  • Customer-specific CRA compliance packages with full traceability

  • Complete audit trail for every validation, supplier response, and compliance decision

One Supplier Submission. Validation Against All 21 Essential Requirements. Audit-Ready in Hours.

Certivo collects supplier cybersecurity declarations and SBOMs, extracts component-level data, validates against CRA essential requirements and known vulnerabilities, and generates conformity-ready documentation automatically. When new vulnerabilities emerge, Certivo reassesses your portfolio and alerts you—before ENISA reporting deadlines hit.

Declaration Collection

Certivo's automated campaigns achieve 95% response rates vs. 20-30% with manual outreach.

  • Targeted campaigns by product line, component type, or supplier tier

  • Multi-language outreach in suppliers' native languages

  • Intelligent follow-up sequences adapting to supplier behavior

  • Format-agnostic: CycloneDX, SPDX, PDF attestations, Excel, freeform responses

95%

Supplier Response Rate

SBOM Extraction & Parsing

Every supplier SBOM parsed to component and dependency level automatically—no manual data entry.

  • Deep extraction of component names, versions, licenses, and dependency trees

  • Parses CycloneDX, SPDX, and proprietary formats

  • Multi-language document processing for security attestations

  • Anomaly detection for incomplete, outdated, or inconsistent SBOMs

99.2%

Extraction Accuracy

Vulnerability Monitoring

Always validated against current vulnerability databases—not your last quarterly review.

  • Continuous monitoring against NVD, ENISA advisories, and vendor disclosures

  • Automatic product impact assessment when new CVEs are published

  • Proactive alerts identifying affected products and components

  • 24-hour reporting workflow support for ENISA notifications

Real-Time CVE Database Sync

Conformity Documentation

Generate CRA technical documentation packages in hours instead of 4-6 months.

  • One-click technical file assembly aligned with Annex VII

  • EU Declaration of Conformity templates meeting CRA formatting requirements

  • Supplier evidence chain with complete traceability per component

  • Gap analysis reports identifying missing evidence before notified body review

4 hours

To Audit-Ready Technical File

CE Marking Support

Pre-validated evidence packages streamline the path from assessment to CE marking.

  • Product classification guidance for Default, Important, and Critical categories

  • Conformity assessment pathway mapping based on product risk class

  • Harmonized standard alignment tracking as CRA standards are published

  • Post-market surveillance support with ongoing compliance monitoring

Continuous

Conformity Assurance

Related Regulations

NIS2 Directive: CRA covers product security; NIS2 covers organizational security for essential entities
Combined Value: Unified supplier evidence collection for both product and entity-level requirements

EU Radio Equipment Directive (RED): RED delegated acts require cybersecurity for wireless products; CRA supersedes from 2027
Combined Value: Single compliance workflow covers transition from RED to CRA

CE Marking (EU): CRA compliance is prerequisite for CE marking of products with digital elements
Combined Value: CRA conformity evidence feeds directly into CE marking documentation

CMMC 2.0 (US): Both require supply chain cybersecurity evidence; CMMC for defense, CRA for EU market
Combined Value: Multi-framework validation from one supplier submission

UN R155/R156: Automotive cybersecurity and software update requirements
Combined Value: Validates against CRA and automotive cybersecurity standards simultaneously

IEC 62443: Industrial cybersecurity standard; CRA harmonized standards expected to reference it
Combined Value: Pre-mapped evidence from IEC 62443 certifications supports CRA conformity

Managing CRA alongside related cybersecurity frameworks eliminates duplicate supplier requests. Certivo validates one submission against multiple frameworks.

Industries Most Impacted

Electronics Manufacturing
Pain Point: Massive product portfolios with embedded software; Default + Important classification

Industrial & Heavy Equipment
Pain Point: Legacy OT components; IEC 62443 overlap; long product lifecycles

Automotive Manufacturing
Pain Point: UN R155/CRA overlap; complex ECU supply chains; OEM flowdown

Aerospace & Defense
Pain Point: Stringent documentation; prime flowdown to sub-tier software suppliers

Medical Devices & Equipment
Pain Point: EU MDR/IVDR intersection; Class II/III software-driven devices

Semiconductor & High-Tech
Pain Point: SaaS exclusions but on-premise/embedded products in scope; rapid release cycles

Consumer Goods
Pain Point: RoHS/CRA overlap for smart products; CE marking dependency

Cybersecurity Products
Pain Point: Important Class II by default; mandatory third-party assessment

Return on Investment

80% Reduction in Compliance Labor
From Manual Evidence Assembly to Automated Documentation

CORA-powered regulatory intelligence collects, parses, and validates supplier cybersecurity evidence automatically. Your team focuses on conformity decisions—not chasing SBOMs and compiling technical files.

4 Hours to Technical File
Conformity Documentation Acceleration

Generate complete, audit-ready CRA technical documentation packages in hours—not the months of manual compilation across suppliers and engineering teams.

Real-Time Vulnerability Monitoring
Proactive CRA Compliance Assurance

When new CVEs are published, Certivo identifies affected products and components instantly. Know your exposure before ENISA reporting deadlines—not after.

Key Statistics

21: Essential cybersecurity requirements validated per product

99.2%: SBOM and declaration extraction accuracy

95%: Supplier response rate with CORA-powered campaigns

Frequently Asked Questions

What products are covered by the EU Cyber Resilience Act?

The CRA applies to all products with digital elements—hardware and software—that connect directly or indirectly to a device or network and are placed on the EU market. This includes IoT devices, embedded software, enterprise applications, industrial controls, and connected consumer products. Medical devices, vehicles, and aviation products covered by sector-specific regulations are excluded. Certivo helps manufacturers classify their product portfolios and identify which items fall within CRA scope.

What is the SBOM requirement under the CRA?

Manufacturers must create and maintain a machine-readable Software Bill of Materials listing at minimum top-level dependencies for every product with digital elements. The SBOM must be included in technical documentation and provided to market surveillance authorities on request. CORA-enabled analysis collects supplier SBOMs in any format—CycloneDX, SPDX, PDF, or freeform—and normalizes them into a unified, audit-ready inventory.
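
A small worked illustration of the SBOM answer above and of the two pain points described earlier (the SBOM black hole and the 24-hour reporting countdown), added here and not part of Certivo's product or of the regulation text: it reads constructed CycloneDX-style SBOMs, lists each product's top-level dependencies, flags dangling and unreachable entries, walks the dependency graph to find which products carry a vulnerable component and how many tiers deep, and counts the 24-hour, 72-hour and 14-day deadlines from the moment of awareness. The product names, purls and timestamp are invented placeholders.

```python
# Added illustration: locate a vulnerable component across CycloneDX-style
# SBOMs and start the CRA reporting clock. All data below is constructed.
from collections import deque
from datetime import datetime, timedelta

# Constructed SBOMs using the CycloneDX JSON fields metadata.component,
# components and dependencies. In "gateway-fw" the vulnerable liblog sits three
# tiers deep (netstack -> tlslib -> liblog). "sensor-hub" is an inconsistent
# SBOM: one dangling reference (cbor) and one unreachable component (zlib).
SBOMS = [
    {
        "metadata": {"component": {"bom-ref": "prod:gateway-fw", "name": "gateway-fw"}},
        "components": [
            {"bom-ref": "pkg:generic/netstack@2.1", "name": "netstack"},
            {"bom-ref": "pkg:generic/tlslib@1.4", "name": "tlslib"},
            {"bom-ref": "pkg:generic/liblog@0.9", "name": "liblog"},
        ],
        "dependencies": [
            {"ref": "prod:gateway-fw", "dependsOn": ["pkg:generic/netstack@2.1"]},
            {"ref": "pkg:generic/netstack@2.1", "dependsOn": ["pkg:generic/tlslib@1.4"]},
            {"ref": "pkg:generic/tlslib@1.4", "dependsOn": ["pkg:generic/liblog@0.9"]},
        ],
    },
    {
        "metadata": {"component": {"bom-ref": "prod:sensor-hub", "name": "sensor-hub"}},
        "components": [
            {"bom-ref": "pkg:generic/mqttclient@3.0", "name": "mqttclient"},
            {"bom-ref": "pkg:generic/zlib@1.2", "name": "zlib"},
        ],
        "dependencies": [
            {"ref": "prod:sensor-hub", "dependsOn": ["pkg:generic/mqttclient@3.0"]},
            {"ref": "pkg:generic/mqttclient@3.0", "dependsOn": ["pkg:generic/cbor@0.5"]},
        ],
    },
]

def _root_ref(sbom):
    return sbom["metadata"]["component"]["bom-ref"]

def _graph(sbom):
    """Adjacency list: bom-ref -> list of bom-refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}

def top_level_dependencies(sbom):
    """Direct dependencies of the product: the minimum the CRA SBOM must list."""
    return _graph(sbom).get(_root_ref(sbom), [])

def sbom_issues(sbom):
    """Flag references to undeclared components and components no path reaches."""
    known = {c["bom-ref"] for c in sbom.get("components", [])} | {_root_ref(sbom)}
    graph = _graph(sbom)
    issues = [f"dangling reference {d} (from {ref})"
              for ref, deps in graph.items() for d in deps if d not in known]
    reachable, stack = set(), [_root_ref(sbom)]
    while stack:
        ref = stack.pop()
        if ref not in reachable:
            reachable.add(ref)
            stack.extend(graph.get(ref, []))
    issues += [f"unreachable component {c['bom-ref']}"
               for c in sbom.get("components", []) if c["bom-ref"] not in reachable]
    return issues

def dependency_path(sbom, target_ref):
    """Shortest product -> ... -> target_ref chain (BFS), or None if absent."""
    root, graph = _root_ref(sbom), _graph(sbom)
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def affected_products(sboms, vulnerable_ref):
    """Map a vulnerable bom-ref to {product name: tiers below the product}."""
    hits = {}
    for sbom in sboms:
        path = dependency_path(sbom, vulnerable_ref)
        if path:
            hits[sbom["metadata"]["component"]["name"]] = len(path) - 1
    return hits

def reporting_deadlines(aware_at_iso):
    """Deadlines counted from awareness: 24h initial, 72h follow-up, 14-day final."""
    aware_at = datetime.fromisoformat(aware_at_iso)
    return {
        "initial_report": (aware_at + timedelta(hours=24)).isoformat(),
        "follow_up": (aware_at + timedelta(hours=72)).isoformat(),
        "final_report": (aware_at + timedelta(days=14)).isoformat(),
    }
```

Running `affected_products(SBOMS, "pkg:generic/liblog@0.9")` returns only gateway-fw, three tiers deep, while `sbom_issues(SBOMS[1])` shows why sensor-hub's SBOM could not be trusted for the same question.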

What are the penalties for CRA non-compliance?

Non-compliance with essential cybersecurity requirements can result in fines up to €15 million or 2.5% of global annual turnover, whichever is higher. Other violations carry fines up to €10 million or 2% of turnover. Providing false information to authorities can trigger fines up to €5 million or 1% of turnover. Authorities can also require product recalls and block market access.

How does Certivo help with CRA conformity assessments?

Certivo collects and validates the supplier-side evidence required for CRA conformity assessments—cybersecurity declarations, component SBOMs, vulnerability disclosures, and security update commitments. CORA-driven compliance intelligence maps collected evidence against the 21 essential requirements and generates pre-structured technical documentation packages aligned with Annex VII. This reduces conformity preparation from months to hours.

How does CRA relate to NIS2 and other EU cybersecurity regulations?

CRA addresses product-level cybersecurity. NIS2 addresses organizational cybersecurity for essential and important entities. Many companies must comply with both. The CRA also intersects with the Radio Equipment Directive (RED) for wireless products and sector-specific rules like UN R155 for automotive. Certivo validates supplier evidence against multiple cybersecurity frameworks simultaneously, eliminating duplicate collection campaigns.

Ready to Automate CRA Compliance?

See how Certivo's cybersecurity compliance software transforms CRA evidence management from reactive scrambling to proactive conformity assurance.

🤝 Every account includes a dedicated compliance expert alongside CORA.