EU Cyber Resilience Act — For Every Product with Digital Elements.

EU Cyber Resilience Act. Automated Compliance.

The EU Cyber Resilience Act doesn't negotiate. Miss a single 24h early warning or 72h full notification, and you face fines up to €15 million or 2.5% of global turnover—plus recalls, legal exposure, and reputational damage. Cramio automates SBOMs, tracks every CVE, and submits to ENISA on time. Built for manufacturers, importers, and distributors across the EU.

Affected by CRA:
IoT manufacturers · Software & SaaS · Hardware OEMs · Importers · Distributors
Why cramio: EU-first · We don't collect your source code · 24h/72h built-in · ENISA SRP ready
CRA Reporting Deadline: 11 September 2026
Full conformity: 11 Dec 2027
Complete Feature Showcase
SBOM Generation, CVE Monitoring, Compliance Reporting.

Everything you need to meet EU vulnerability reporting requirements with automated intelligence, verified evidence, and rapid 24h/72h reporting workflows.

SBOM from CI
Ingest CycloneDX and SPDX SBOMs from your CI pipeline across your entire product portfolio.
Real-time CVE monitoring
Continuous scanning against NVD and CISA KEV with exploit correlation.
Active exploit detection
Detect when a vulnerability becomes actively exploited and triggers CRA reporting.
Compliant reporting
24h early warning, 72h full notification, and final report orchestration with receipts.
Legacy product tracking
Products already on market stay compliant with continuous monitoring and audits.
DevOps integrations
GitHub, GitLab, Jenkins, and Kubernetes webhooks for CI/CD integration.
Active Compliance Feed
Kubernetes Cluster: EU-West-3 · Actively Exploited
CVE-2026-1148
Legal Stopwatch: 17h 42m until Early Warning due.
Routing: Germany CSIRT · ENISA SRP mirror
CRA Article 14(2) · CycloneDX + SPDX · Immutable audit
Compliance Risk
High Priority
Full Notification due in 71h 58m · Alerts: 50% · 75% · 90%
Evidence Vault
78%
142 actions verified · SHA-256 intact
Built for manufacturers and importers across the EU
GitHub · GitLab · ENISA · CISA
Trusted by EU teams

Built for manufacturers who can't miss a deadline

GitHub, GitLab, ENISA, and CISA refer to ecosystems and authorities we align with — not third-party endorsements.

“Cramio cut our 24h/72h report preparation from days to hours. We have one place for SBOMs, CVEs, and ENISA submissions — and the Evidence Vault gives our legal team exactly what they need.”

Compliance Lead

EU industrial software manufacturer

40%
Faster report preparation
illustrative vs. manual workflows
100%
SRP-ready payloads
schema + receipt capture when SRP is configured
24h
Deadline tracking
timers and escalation alerts
CRA Timeline

Sept 2026 Reporting. Dec 2027 Full Enforcement.

Reporting is the operational inflection point. You have 7 months to prepare your SBOMs, incident response, and SRP readiness before the first deadlines hit.

September 11, 2026
Vulnerability reporting begins
24-hour early warning for actively exploited vulnerabilities and 72-hour full notification requirements start.
December 11, 2027
Full CRA enforcement
CE marking and conformity obligations apply across the product lifecycle.
Ongoing requirement
Continuous compliance
Legacy products already on market must maintain reporting and evidence throughout support.
What cramio does

Three steps from detection to proof of diligence.


Discover & assess

Auto-build and maintain SBOMs. Run continuous risk assessments across design, build, and runtime.

  • Vendor and OSS due diligence with ownership tags.
  • Legacy product coverage for pre-2027 obligations.

Monitor & correlate

Track vulnerabilities and detect when they become actively exploited — the CRA trigger for notification.

  • CISA KEV + exploit intel correlation.
  • Global incident stopwatch with escalation alerts.

Report & prove

Generate 24h/72h SRP notifications, then the final report, and retain an immutable evidence trail.

  • One-click SRP submissions with receipts.
  • Hash-chained evidence vault for audit defense.
Deployment Options

Hybrid SaaS, self-hosted, or white-label — Enterprise and custom deployments.

Hybrid SaaS
Enterprise option: managed control plane with customer-controlled build/SBOM runners (contact sales for rollout).
Self-hosted
Deploy cramio in your own VPC or air-gapped environment — available for Enterprise; we provide deployment guidance.
White-label
Offer CRA compliance under your brand — Enterprise roadmap with custom domain and branding.
Key capabilities

Move Fast. Stay Compliant. Every Step Automated.

Standards-ready documentation

Reporting in 2026, full product requirements in 2027, and harmonized standards developed with CEN/CENELEC/ETSI — cramio keeps your dossier ready for notified-body review, with versioned SBOMs, VEX statements, and SRP receipts packaged on demand.

Three-Tier Pricing

Simple, transparent pricing for every business.

From startups to enterprise. No hidden fees, no surprises.

Starter
Perfect for small product portfolios
€99/month
Up to 10 products
Automated SBOM generation
CVE scanning & monitoring
Standard CRA reporting
Email support
EU data hosting
Professional
For growing companies
€299/month
Up to 50 products
Advanced vulnerability analysis
Legacy product tracking
DevOps integrations
API access
Priority support
Enterprise
Custom solutions at scale
Custom
Unlimited products
Self-hosted or white-label
Custom integrations
Dedicated infrastructure
SLA guarantees
24/7 support

Self-hosted, white-label, SLA. We'll tailor a plan.

Security & privacy

Built for regulated manufacturers.

No source code collection
We process SBOMs and security findings you upload or send from CI — not your source tree.
Data minimization for SRP
Submit only CRA-required incident and vulnerability facts.
EU data residency
Regional data controls for regulated buyers.
Data flow assurance
SBOMs are typically produced in your CI or build pipeline, then ingested into cramio. Findings are normalized so only data needed for CRA workflows is stored in your tenant. For strict data-sovereignty needs, Enterprise supports self-hosted or hybrid deployment.
Inside the Dashboard

Here's what you get when you sign in.

Every feature on this page lives in your Cramio dashboard. Here's how they fit together — from registering your first product to proving compliance in an audit.

1. Product Inventory

Register products and upload SBOMs

Add every digital product subject to the CRA — IoT devices, firmware, embedded software, or standalone applications. Upload CycloneDX or SPDX SBOMs, or connect your CI pipeline so Cramio automatically ingests SBOMs from your build process. Each product gets a full component inventory with supplier, license, and dependency tracking.

CycloneDX · SPDX · Component tree · License audit · Supplier tracking
2. Vulnerability Scanning

Continuous CVE monitoring with exploit detection

Scan every component against the NVD and CISA Known Exploited Vulnerabilities catalog. Cramio correlates exploit intelligence in real time, so you know instantly when a vulnerability goes from theoretical to actively exploited — the CRA trigger for mandatory reporting. Filter by severity, product, or status and drill into CVSS scores, affected versions, and remediation guidance.

NVD sync: Real-time
CISA KEV: Correlated
Exploit intel: Automated
CVSS scoring: v3.1 / v4
3. Incident Response

Live countdown timers for every reporting window

When a vulnerability is confirmed as actively exploited, Cramio creates an incident and starts the legal clock. You see live countdown bars for the 24-hour early warning, 72-hour full notification, and 14-day final report — with escalation alerts at 50%, 75%, and 90% so nothing slips. Every action taken during an incident is automatically logged to the Evidence Vault.

24h Early Warning: 72% elapsed
72h Full Notification: 35% elapsed
14d Final Report: 12% elapsed
4. ENISA SRP Reporting

One-click CRA reports with AI-assisted drafting

Create CRA Article 14(2) reports directly from the dashboard. Select the affected product and vulnerability, choose the report type (24h early warning, 72h full notification, or 14d final report), and optionally let AI draft the initial content from your SBOM and scan data. Reports follow the exact schema required by the Single Reporting Platform, and every submission receipt is captured and stored.

24h early warning · 72h full notification · 14d final report · AI-assisted drafting · SRP receipt capture
5. VEX Suppression

Declare exploitability status to prevent over-reporting

Not every CVE affects your product. Create VEX (Vulnerability Exploitability eXchange) statements to formally document that a vulnerability is not affected, already fixed, or under investigation. VEX statements appear on both the product and vulnerability views, reducing noise and focusing your team on real threats.

Not Affected
Affected
Fixed
Investigating
Evidence Vault

Tamper-proof audit trail

Every incident action, report submission, and VEX statement is automatically recorded in a SHA-256 hash-chained vault. Chain integrity is checked when entries are loaded; a break indicates tampering. Your dashboard shows total entries, integrity status, and recent activity at a glance.

Chain intact
CRA Readiness Assessment

Know your compliance score

A real-time assessment calculates your readiness across 10 compliance checks — SBOM coverage, vulnerability resolution, incident response, ENISA reporting, VEX usage, evidence vault health, and team setup. You get a letter grade (A-F), a percentage score, and specific recommendations with direct links to fix each gap.

B
82%
Good standing
7. Compliance Dashboard

Everything in one view — compliance score, active incidents, and live alerts

Your main dashboard brings it all together: a CRA compliance score ring weighted across SBOM coverage, vulnerability resolution, incident response, and report submissions. Active incidents with live countdown bars sit alongside the evidence vault status, critical vulnerability alerts, and quick links to your most recent products and reports. Real-time notifications keep your team informed as deadlines approach and new vulnerabilities are detected.

Products: 12 · Open Vulns: 3 · Incidents: 1 · Reports: 8

Core workflows — products, SBOMs, scans, incidents, reports, vault, and assessment — are available in the dashboard. Enterprise deployment modes are scoped with sales.

FAQ

Frequently asked questions

CRA deadlines, data, and getting started.

Ready for 2026

Start free — be CRA-ready before the deadline.

Sign up to run a free CRA readiness assessment, then activate your trial to automate 24h/72h compliance workflows.