EU Cyber Resilience Act — For Every Product with Digital Elements.

EU Cyber Resilience Act.Automated Compliance.

The EU Cyber Resilience Act doesn't negotiate. Miss a single 24h early warning or 72h full notification, and you face fines up to €15 million or 2.5% of global turnover—plus recalls, legal exposure, and reputational damage. Cramio automates SBOMs, tracks every CVE, and submits to ENISA on time. Built for manufacturers, importers, and distributors across the EU.

Affected by CRA:

IoT manufacturersSoftware & SaaSHardware OEMsImportersDistributors

Or take the 2-min quiz →

Why cramio:EU-firstWe don't collect your source code24h/72h built-inENISA SRP ready

🇪🇺

CRA Reporting Deadline11 September 2026

174Days

04Hours

12Min

04Sec

Full conformity11 Dec 2027

Complete Feature Showcase

SBOM Generation,

CVE Monitoring,

Compliance Reporting.

Everything you need to meet EU vulnerability reporting requirements with automated intelligence, verified evidence, and rapid 24h/72h reporting workflows.

SBOM from CI

Ingest CycloneDX and SPDX SBOMs from your CI pipeline across your entire product portfolio.

Real-time CVE monitoring

Continuous scanning against NVD and CISA KEV with exploit correlation.

Active exploit detection

Detect when a vulnerability becomes actively exploited and triggers CRA reporting.

Compliant reporting

24h early warning, 72h full notification, and final report orchestration with receipts.

Legacy product tracking

Products already on market stay compliant with continuous monitoring and audits.

DevOps integrations

GitHub, GitLab, Jenkins, and Kubernetes webhooks for CI/CD integration.

Active Compliance Feed

Kubernetes Cluster: EU-West-3Actively Exploited

CVE-2026-1148

Legal Stopwatch: 17h 42m until Early Warning due.

Routing: Germany CSIRT · ENISA SRP mirror

CRA Article 14(2)CycloneDX + SPDXImmutable audit

Compliance Risk

High Priority

Full Notification due in 71h 58m · Alerts: 50% · 75% · 90%

Evidence Vault

78%

142 actions verified · SHA-256 intact

Built for manufacturers and importers across the EU

GitHubGitLabENISACISA

Trusted by EU teams

Built for manufacturers who can't miss a deadline

GitHub, GitLab, ENISA, and CISA refer to ecosystems and authorities we align with — not third-party endorsements.

“Cramio cut our 24h/72h report preparation from days to hours. We have one place for SBOMs, CVEs, and ENISA submissions — and the Evidence Vault gives our legal team exactly what they need.”

Compliance Lead

EU industrial software manufacturer

40%

Faster report preparation

illustrative vs. manual workflows

100%

SRP-ready payloads

schema + receipt capture when SRP is configured

24h

Deadline tracking

timers and escalation alerts

CRA Timeline

Sept 2026 Reporting. Dec 2027 Full Enforcement.

Reporting is the operational inflection point. You have 7 months to prepare your SBOMs, incident response, and SRP readiness before the first deadlines hit.

September 11, 2026174d 4h 12m

Vulnerability reporting begins

24-hour early warning for actively exploited vulnerabilities and 72-hour full notification requirements start.

December 11, 2027630d 4h 12m

Full CRA enforcement

CE marking and conformity obligations apply across the product lifecycle.

Ongoing requirement

Continuous compliance

Legacy products already on market must maintain reporting and evidence throughout support.

What cramio does

Three steps from detection to proof of diligence.

Discover & assess

Auto-build and maintain SBOMs. Run continuous risk assessments across design, build, and runtime.

Vendor and OSS due diligence with ownership tags.
Legacy product coverage for pre-2027 obligations.

Monitor & correlate

Track vulnerabilities and detect when they become actively exploited — the CRA trigger for notification.

CISA KEV + exploit intel correlation.
Global incident stopwatch with escalation alerts.

Report & prove

Generate 24h/72h SRP notifications, then the final report, and retain an immutable evidence trail.

One-click SRP submissions with receipts.
Hash-chained evidence vault for audit defense.

Deployment Options

Hybrid SaaS, self-hosted, or white-label — Enterprise and custom deployments.

Hybrid SaaS

Enterprise option: managed control plane with customer-controlled build/SBOM runners (contact sales for rollout).

Self-hosted

Deploy cramio in your own VPC or air-gapped environment — available for Enterprise; we provide deployment guidance.

White-label

Offer CRA compliance under your brand — Enterprise roadmap with custom domain and branding.

Key capabilities

Move Fast. Stay Compliant. Every Step Automated.

Standards-ready documentation

Reporting in 2026, full product requirements in 2027, and harmonized standards developed with CEN/CENELEC/ETSI — cramio keeps your dossier ready for notified-body review, with versioned SBOMs, VEX statements, and SRP receipts packaged on demand.

CEN/CENELEC/ETSI

Three-Tier Pricing

Simple, transparent pricing for every business.

From startups to enterprise. No hidden fees, no surprises.

Starter

Perfect for small product portfolios

€99/month

• Up to 10 products

• Automated SBOM generation

• CVE scanning & monitoring

• Standard CRA reporting

• Email support

• EU data hosting

Professional

For growing companies

€299/month

• Up to 50 products

• Advanced vulnerability analysis

• Legacy product tracking

• DevOps integrations

• API access

• Priority support

Enterprise

Custom solutions at scale

Custom

• Unlimited products

• Self-hosted or white-label

• Custom integrations

• Dedicated infrastructure

• SLA guarantees

• 24/7 support

Self-hosted, white-label, SLA. We'll tailor a plan.

Security & privacy

Built for regulated manufacturers.

No source code collection

We process SBOMs and security findings you upload or send from CI — not your source tree.

Data minimization for SRP

Submit only CRA-required incident and vulnerability facts.

EU data residency

Regional data controls for regulated buyers.

Data flow assurance

SBOMs are typically produced in your CI or build pipeline, then ingested into cramio. Findings are normalized so only data needed for CRA workflows is stored in your tenant. For strict data-sovereignty needs, Enterprise supports self-hosted or hybrid deployment.

Inside the Dashboard

Here's what you get when you sign in.

Every feature on this page lives in your Cramio dashboard. Here's how they fit together — from registering your first product to proving compliance in an audit.

Product Inventory

Register products and upload SBOMs

Add every digital product subject to the CRA — IoT devices, firmware, embedded software, or standalone applications. Upload CycloneDX or SPDX SBOMs, or connect your CI pipeline so Cramio automatically ingests SBOMs from your build process. Each product gets a full component inventory with supplier, license, and dependency tracking.

CycloneDXSPDXComponent treeLicense auditSupplier tracking

Vulnerability Scanning

Continuous CVE monitoring with exploit detection

Scan every component against the NVD and CISA Known Exploited Vulnerabilities catalog. Cramio correlates exploit intelligence in real time, so you know instantly when a vulnerability goes from theoretical to actively exploited — the CRA trigger for mandatory reporting. Filter by severity, product, or status and drill into CVSS scores, affected versions, and remediation guidance.

NVD sync

Real-time

CISA KEV

Correlated

Exploit intel

Automated

CVSS scoring

v3.1 / v4

Incident Response

Live countdown timers for every reporting window

When a vulnerability is confirmed as actively exploited, Cramio creates an incident and starts the legal clock. You see live countdown bars for the 24-hour early warning, 72-hour full notification, and 14-day final report — with escalation alerts at 50%, 75%, and 90% so nothing slips. Every action taken during an incident is automatically logged to the Evidence Vault.

24h Early Warning72% elapsed

72h Full Notification35% elapsed

14d Final Report12% elapsed

ENISA SRP Reporting

One-click CRA reports with AI-assisted drafting

Create CRA Article 14(2) reports directly from the dashboard. Select the affected product and vulnerability, choose the report type (24h early warning, 72h full notification, or 14d final report), and optionally let AI draft the initial content from your SBOM and scan data. Reports follow the exact schema required by the Single Reporting Platform, and every submission receipt is captured and stored.

24h early warning72h full notification14d final reportAI-assisted draftingSRP receipt capture

VEX Suppression

Declare exploitability status to prevent over-reporting

Not every CVE affects your product. Create VEX (Vulnerability Exploitability eXchange) statements to formally document that a vulnerability is not affected, already fixed, or under investigation. VEX statements appear on both the product and vulnerability views, reducing noise and focusing your team on real threats.

Not Affected

Affected

Fixed

Investigating

Evidence Vault

Tamper-proof audit trail

Every incident action, report submission, and VEX statement is automatically recorded in a SHA-256 hash-chained vault. Chain integrity is checked when entries are loaded; a break indicates tampering. Your dashboard shows total entries, integrity status, and recent activity at a glance.

Chain intact

CRA Readiness Assessment

Know your compliance score

A real-time assessment calculates your readiness across 10 compliance checks — SBOM coverage, vulnerability resolution, incident response, ENISA reporting, VEX usage, evidence vault health, and team setup. You get a letter grade (A-F), a percentage score, and specific recommendations with direct links to fix each gap.

82%

Good standing

Compliance Dashboard

Everything in one view — compliance score, active incidents, and live alerts

Your main dashboard brings it all together: a CRA compliance score ring weighted across SBOM coverage, vulnerability resolution, incident response, and report submissions. Active incidents with live countdown bars sit alongside the evidence vault status, critical vulnerability alerts, and quick links to your most recent products and reports. Real-time notifications keep your team informed as deadlines approach and new vulnerabilities are detected.

Products

Open Vulns

Incidents

Reports

Core workflows — products, SBOMs, scans, incidents, reports, vault, and assessment — are available in the dashboard. Enterprise deployment modes are scoped with sales.

FAQ

Frequently asked questions

CRA deadlines, data, and getting started.

Ready for 2026

EU Cyber Resilience Act.Automated Compliance.

Built for manufacturers who can't miss a deadline

Sept 2026 Reporting. Dec 2027 Full Enforcement.

Three steps from detection to proof of diligence.

Discover & assess

Monitor & correlate

Report & prove

Hybrid SaaS, self-hosted, or white-label — Enterprise and custom deployments.

Move Fast. Stay Compliant. Every Step Automated.

Automatic SRP reporting

Evidence Vault

Continuous risk assessment

SBOM & OSS diligence

VEX suppression

Legacy fleet inventory

Standards-ready documentation

Simple, transparent pricing for every business.

Built for regulated manufacturers.

Here's what you get when you sign in.

Register products and upload SBOMs

Continuous CVE monitoring with exploit detection

Live countdown timers for every reporting window

One-click CRA reports with AI-assisted drafting

Declare exploitability status to prevent over-reporting

Tamper-proof audit trail

Know your compliance score

Everything in one view — compliance score, active incidents, and live alerts

Frequently asked questions

Start free — be CRA-ready before the deadline.