EU Cyber Resilience Act compliance, without the panic.
Reporting obligations start 11 September 2026. Full applicability 11 December 2027. Start with a free CRA Readiness Check — get your class, top-5 obligations, and a deadline countdown in 60 seconds. Upgrade when you're ready to track Annex I, ingest SBOMs, monitor CVEs, and draft ENISA notifications.
No credit card · sign up, classify your product, get the verdict
- Annex I checklist tailored to your product class
- SBOM ingest from CI (CycloneDX 1.5 / SPDX 2.3 / package-lock / Gemfile.lock)
- OSV + NVD + CISA KEV vuln monitoring
- Multi-window 24h / 72h / 14d / 1mo ENISA reporting
Start with the free CRA Readiness Check
Five questions, one verdict, five obligations to act on first. Find out whether the CRA applies, which class your product falls into, and how much time you have — before you commit to a plan.
Start the free check
1. Product name + your role (manufacturer / importer / distributor)
2. Best-guess CRA class (we explain Annex III/IV in plain English)
3. EU market status + placed-on-market date
4. Get your verdict + top-5 obligations + deadline countdown
5. Upgrade to Growth (CRA Lite) or Scale (Full CRA) when you're ready
Who CRA hits hardest
If you ship software with digital elements into the EU, the CRA applies. We focus on the cohorts that struggle most:
Small EU software vendors
SaaS, dev tools, internal tools sold to enterprise. Annex I + SBOM + vulnerability disclosure policy. Sales-cycle accelerator.
Embedded / IoT product companies
Hardware shipping firmware. Important Class I/II under Annex III. Mandatory third-party assessment.
Agencies maintaining client products
You ship, you're a manufacturer. CE marking + EU Declaration of Conformity per product.
What ships day one
Annex III/IV questionnaire walks you to default / important class I / important class II / essential. Right conformity-assessment route every time.
All 22 Annex I cybersecurity requirements seeded with priority calibrated to your product class. Per-article EUR-Lex links.
Drag-drop CycloneDX, SPDX, package-lock.json, Gemfile.lock. Or pipe SBOMs from CI via per-product API token. Idempotency keys + 50 MB cap + parse-error capping.
Daily delta sync from OSV + NVD + CISA KEV. KEV-flagged ('actively exploited in the wild') pinned to top of every dashboard.
Article 14 cascade in your Incident view: 24h early warning, 72h notification, 14d vuln final report, 1 month severe-incident final report. Anchored to the right timestamps.
Generate the SRP payload as JSON or PDF. Mark as submitted with the actual submission timestamp. Audit trail for the regulator.
AI-drafted CRA Article 14(8) duty-to-inform-users email. Two-model fallback (Anthropic → OpenAI → Gemini → manual scaffold) — never empty.
EU Declaration of Conformity (Article 28), CE marking record (Article 29), Annex II user instructions, Article 31 technical documentation. One click each.
Article 13 vulnerability disclosure policy + vuln response SLA grid + last-90-day aggregate. Send the URL to procurement teams.
From free verdict to full CRA tracking
Start with the free Readiness Check on Starter. Stack CRA Lite on Growth or pick Scale for full CRA — SBOM, vulnerability monitoring, and ENISA-ready reporting included.
CRA Lite
Annex I classification + basic CRA checklist. Right for products that need to confirm scope and document the basics.
- Annex I product classification (default / important class I & II / essential)
- CRA checklist + audit log
- Manual evidence vault
- Up to 5 seats
CRA Full
Everything CRA, including SBOM ingest, OSV/NVD/KEV vulnerability monitoring, ENISA reporting, and the public CRA Trust Center tab.
- Everything in CRA Lite
- SBOM ingest (manual + CI API, CycloneDX 1.5 + SPDX 2.3)
- Vuln monitoring (OSV + NVD + CISA KEV)
- Multi-window incident reporting + ENISA draft
- Public Trust Center CRA tab
- Article 13 vulnerability disclosure policy
Starter (free forever) ships the CRA Readiness Check — verdict + top-5 obligations + deadline countdown for one product. Sign up free →
Already on a Complair AI Act tier? Add CRA from your workspace. Growth bundles CRA Lite. Scale and Business bundle Full CRA.
Common questions
We sell SaaS — does the CRA apply to us?
If your SaaS includes downloadable components (CLI, SDK, browser extension, on-prem connector), yes. Pure-cloud SaaS without any shipped code generally falls outside CRA — though specific edge cases exist. The CRA classification questionnaire walks you through it.
Our product was placed on the market before 11 December 2027 — are we exempt?
Mostly. Products placed before that date are subject to full CRA obligations only after a substantial modification. Reporting obligations under Article 14 still apply from 11 September 2026 regardless. Complair tracks this transitional rule per product.
We don't have an SBOM tool yet — can we still use Complair?
Yes. Drag-drop a package-lock.json or Gemfile.lock and we synthesize the SBOM. Or use our GitHub Action / GitLab CI snippet to push a CycloneDX SBOM on every release tag.
What about Annex IV essential products?
Essential products require a European cybersecurity certification scheme. Complair tracks the obligations and produces the technical documentation; the certification itself is performed by an authorized body.
Is CRA reporting via ComplAir an automated pipeline to ENISA?
We render the SRP payload as JSON and PDF. You submit out-of-band to the ENISA portal and click 'I confirm submission' with the actual timestamp. Programmatic webhook submission is on the roadmap once ENISA publishes a stable public API.
11 September 2026 is closer than it looks
Inventory your products, run the classifier, ship a draft customer-notification flow today.