About cramio

The compliance infrastructure for EU product security.

cramio is built for PSIRT leaders, compliance officers, and engineering teams who need to meet EU Cyber Resilience Act obligations without slowing down product development. We provide a single control plane for SBOM intelligence, vulnerability management, incident response, and evidence-grade reporting — from detection to ENISA submission.

24h: Early warning SLA
72h: Full notification SLA
14d: Final report deadline

Why we exist

The CRA changes everything for product teams.

The EU Cyber Resilience Act (Regulation 2024/2847) introduces mandatory cybersecurity requirements for all products with digital elements sold in the EU market. Starting in September 2026, manufacturers must report actively exploited vulnerabilities within 24 hours and maintain continuous vulnerability handling throughout the product lifecycle.

For most organizations, this means building entirely new processes: SBOM generation and maintenance, CVE monitoring, incident classification, tiered reporting to ENISA, and immutable evidence retention for audits.

cramio was built because we saw product security teams struggling to map CRA requirements to their existing toolchains. Vulnerability scanners don't understand reporting deadlines. Ticketing systems don't produce ENISA-compatible submissions. Spreadsheets can't prove chain of custody.

We built the missing layer: a purpose-built compliance platform that connects your SBOM pipeline, vulnerability feeds, and incident workflows into a single system of record that regulators and notified bodies can trust.

Runner architecture

Customer-side agents generate SBOMs locally and send only metadata and findings to the control plane. Your source code never leaves your infrastructure.

CRA-first workflows

State machine-driven incident management aligned to CRA Article 14 reporting windows: 24h early warning, 72h full notification, and 14-day final report.

Audit-grade evidence

SHA-256 hash-chained Evidence Vault with cryptographic receipts. Every report, assessment, and submission is immutably recorded for regulator review.
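The two mechanisms named above, the Article 14 reporting windows and a SHA-256 hash-chained evidence log, as an added illustration that is not cramio's code: the page does not describe how cramio links or canonicalises records, so the genesis value, the canonical-JSON hashing scheme and the function names are assumptions made here.

```python
import hashlib
import json
from datetime import datetime, timedelta

# CRA Article 14 windows as stated on this page, measured from detection.
WINDOWS = {
    "early_warning": timedelta(hours=24),
    "full_notification": timedelta(hours=72),
    "final_report": timedelta(days=14),
}

def reporting_deadlines(detected_at_iso):
    """Return the three CRA deadlines (ISO 8601) for a detection timestamp (ISO 8601)."""
    detected = datetime.fromisoformat(detected_at_iso)
    return {name: (detected + delta).isoformat() for name, delta in WINDOWS.items()}

GENESIS = "0" * 64  # assumed anchor for the first link; cramio's real scheme is not described

def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so every verifier hashes the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(chain, record):
    """Append an evidence record; its hash commits to the previous hash, forming the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev_hash": prev_hash, "record": record, "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return entry["hash"]  # the receipt a submitter keeps to later prove the record was logged

def verify(chain):
    """Recompute every link; return the index of the first broken entry, or -1 if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return -1

if __name__ == "__main__":
    # Constructed sample timeline: detection, then an early-warning submission 12h later.
    detected = "2026-09-11T08:00:00+00:00"
    chain = []
    append(chain, {"event": "detected", "at": detected})
    append(chain, {"event": "early_warning_submitted", "at": "2026-09-11T20:00:00+00:00"})
    print(reporting_deadlines(detected))
    print("intact" if verify(chain) == -1 else "tampered")
```

Editing any earlier record, or rewriting its hash without rewriting every later link, breaks verification at that index, which is what lets a regulator check the trail independently of the operator.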

What we deliver

Automated SBOM ingestion from CycloneDX and SPDX formats with component-level tracking.
Continuous CVE monitoring against NVD, CISA KEV, and OSV databases with CRA reportability classification.
24h/72h/14d reporting workflows with automated SRP payload generation and submission tracking.
Evidence Vault with hash-chained audit trails for regulators, notified bodies, and internal governance.
VEX statement management to reduce false positives and communicate exploitability status.
CI/CD integrations with GitHub, GitLab, Jenkins, and Kubernetes for pipeline-native SBOM ingestion.
Supplier notification workflows for coordinated vulnerability disclosure under CRA obligations.
AI-assisted vulnerability assessment and report generation to accelerate analyst workflows.

Our values

Transparency

We show exactly what data we process, how we store it, and who has access. No black boxes.

Sovereignty

EU-first hosting. Your compliance data stays in the jurisdictions you choose, not ours.

Speed

CRA deadlines are measured in hours, not weeks. Every feature is optimized for time-to-compliance.

Trust

Immutable evidence, cryptographic integrity, and audit trails that regulators can independently verify.

Company

Headquarters

Berlin, Germany

EU/EEA coverage with regional hosting options

Focus

EU Cyber Resilience Act compliance

SBOM management, vulnerability handling, CRA reporting