Platform Features

Seven modules. Every CRA obligation covered.

CRATrust maps directly to the EU Cyber Resilience Act's requirements. Each module addresses specific articles so you always know which regulation you are satisfying.

CRA Articles 13, 14

SBOM Manager

Automated Software Bill of Materials generation and lifecycle management

The CRA requires manufacturers to identify and document all software components in their products. CRATrust's SBOM Manager integrates directly with your CI/CD pipeline to generate, store, and maintain SBOMs automatically on every build or release.

What you get

  • Automatic SBOM generation on each CI/CD pipeline run
  • CycloneDX 1.5 and SPDX 2.3 format support
  • Dependency tree visualisation
  • Component version tracking and diff alerts
  • SBOM export for regulatory submission
  • Integration with GitHub Actions, GitLab CI, Jenkins, and more
  • Multi-product SBOM inventory dashboard

Component Inventory Sample (1,358 components · 4 products)

  • Open Source Libraries: 847
  • Internal Codebase: 312
  • System Dependencies: 156
  • External APIs / SDKs: 43

Auto-updated on every CI/CD run · CycloneDX 1.5 + SPDX 2.3

CRA Article 14

Vulnerability Monitor

Continuous, real-time vulnerability surveillance across your entire component inventory

CRA Article 14 mandates that manufacturers actively monitor for vulnerabilities and report actively exploited ones to ENISA within 24 hours of becoming aware. CRATrust continuously scans your SBOMs against global vulnerability databases and alerts you instantly.

What you get

  • Real-time scanning against NVD, OSV, GitHub Advisory, and ENISA databases
  • CVSS scoring with CRA-specific risk prioritisation
  • 24-hour reporting window alerts and SLA tracking
  • Automated triage workflows
  • Historical vulnerability record for audit purposes
  • Slack, email, and webhook notifications
  • Vulnerability remediation guidance
  • VEX Manager: generate CycloneDX-compatible VEX statements to formally document that a CVE does not affect your product — reducing false positives and providing legal evidence of due diligence

Vulnerability Severity Distribution: 88 vulnerabilities monitored (88 active · 6 resolved this week)

  • Critical: 3 (3%)
  • High: 12 (14%)
  • Medium: 28 (32%)
  • Low: 45 (51%)

CVSS avg: 4.2 · Sources: NVD, OSV, ENISA

CRA Annex I Part II

CVD / VDP Manager

Coordinated Vulnerability Disclosure — required by CRA Annex I Part II, set up in minutes

CRA Annex I Part II requires every manufacturer to have a Coordinated Vulnerability Disclosure process. CRATrust generates your CVD policy, creates your security.txt, and provides a public intake form for security researchers to report vulnerabilities directly to you.

What you get

  • CVD policy generator — compliant with ISO 29147 and CRA Annex I Part II
  • security.txt file generator (RFC 9116) for your web properties
  • Public researcher intake form hosted on your behalf
  • Inbound vulnerability report queue with triage workflow
  • SLA tracking for researcher acknowledgement and resolution
  • Automated researcher communications and status updates
  • Audit trail of all disclosed vulnerabilities

CVD Report Pipeline (Last 90 days · all products)

  • New reports received: 14
  • Acknowledged (< 72 hrs): 13
  • Under investigation: 9
  • Resolved & published: 6

Public intake form active · security.txt auto-generated · RFC 9116 compliant

CRA Article 14, ENISA SRP

ENISA Reporting

Structured, compliant incident and vulnerability reports to ENISA, in one click

Meeting ENISA's reporting deadlines requires a structured, repeatable process. From 11 September 2026, manufacturers must report significant vulnerabilities and incidents via the ENISA Single Reporting Platform (SRP). CRATrust pre-fills all required fields from your SBOM and vulnerability data and exports SRP-aligned JSON ready for submission.

What you get

  • Pre-filled ENISA early warning report templates (24-hour)
  • 72-hour incident notification generation
  • 14-day final report compilation and archiving
  • SRP-aligned JSON export for direct platform submission
  • Submission history and audit trail
  • Multi-product batch reporting
  • Report status tracking dashboard
  • Legal review workflow integration

ENISA Deadline Compliance (Last 12 months · 47 incidents)

  • Early Warning (24 hours): 96% on time
  • Incident Notification (72 hours): 94% on time
  • Final Report (30 days): 99% on time

CRA Articles 28–33, Annex III, Annex V

CE Marking Navigator

Step-by-step guidance through CE marking requirements for products with digital elements

Products with digital elements sold in the EU require CE marking under the CRA. The process involves product classification under Annex III, conformity assessment, an Annex V Technical File, and an EU Declaration of Conformity. CRATrust's CE Marking Navigator guides your team through every step.

What you get

  • Product Classification Wizard — determines your Annex III class (Class I, Class II, Critical)
  • EU Declaration of Conformity generator — properly formatted, downloadable DoC
  • Annex V Technical File tracker — maps evidence to required documentation sections
  • Conformity assessment procedure guidance
  • Notified body requirement determination
  • CE marking label generator
  • Conformity record management

Product Risk Classification (32 products assessed)

  • Class I — Standard: 68%
  • Class II — Important: 24%
  • Critical: 8%

Conformity rate: 94% · CE marks issued: 12 · Notified body required: 2

CRA Article 31, Annex I, Annex V

SDL Evidence Store

Structured security artefact repository mapped to Annex I requirements and Annex V Technical Documentation

Store penetration test reports, threat models, SAST/DAST results, and other security artefacts as structured evidence mapped to Annex I requirements. Automatically feeds into your Annex V Technical Documentation. The CRA requires manufacturers to maintain detailed technical documentation for a minimum of 10 years after a product is placed on the market.

What you get

  • Structured evidence library mapped to CRA Annex I requirements
  • Upload and tag pen test reports, threat models, SAST/DAST results
  • Automatic population of Annex V Technical Documentation
  • Version control for all security artefacts
  • Access control and full audit trail
  • Document expiry and review reminders
  • 10-year retention management with bulk export

Document Library Overview (249 documents · 10-year retention)

  • Compliance Records: 82
  • Technical Documentation: 64
  • Security Advisories: 48
  • Audit Trails: 31
  • Policy Documents: 24

Retention managed automatically · Always audit-ready

All CRA Articles

AI Compliance Assistant

Plain-language answers to your CRA compliance questions, grounded in the regulation

The CRA is a complex, 60-article regulation with implementation guidance that continues to evolve. CRATrust's AI Compliance Assistant allows your team to ask natural language questions and receive answers grounded in the regulation text, with article references.

What you get

  • Natural language Q&A grounded in CRA text
  • Article-level citation for every answer
  • Product-specific obligation determination
  • Obligation gap analysis against your current posture
  • Compliance checklist generation
  • Integration with Documentation Centre
  • Regular updates as ENISA guidance evolves

CRA Obligation Coverage (Across all 60 articles)

  • Security Requirements (Annex I): 100%
  • SBOM & Component Identification: 100%
  • Vulnerability Reporting: 100%
  • CE Marking & Conformity: 95%
  • Post-market Surveillance: 95%
  • Technical Documentation (Art. 31): 100%

Updated as ENISA guidance evolves · Article-level citations on every answer

Ready to automate your CRA compliance?

CRATrust is free during beta. Full access, no credit card.

Paid plans launch Q4 2026: beta users get an early adopter rate.
