CRA readiness for software teams shipping products into the EU.
Track product records, SBOM evidence, vulnerability workflows, incident reporting windows, customer notifications, and technical documentation for Cyber Resilience Act readiness.
CRA workflows use the same evidence library as Complair's questionnaire workspace, so product security evidence can be reused across buyer requests, reporting readiness, technical documentation, and trust-center proof.
CRA readiness is not just a policy exercise.
Software teams need product records, dependency evidence, vulnerability handling, reporting clocks, customer communications, and technical documentation that stays current.
Product evidence close to engineering work.
CRA workflows combine uploaded evidence, product ownership, dependency records, vulnerability triage, and incident reporting clocks. Each feature below is labeled by current implementation status.
SBOM upload
Upload CycloneDX, SPDX, package-lock, or Gemfile.lock evidence to a product record.
Gemfile.lock/package-lock ingestion
Parse common package manifests as component evidence for engineering review.
API token per product
Programmatic SBOM upload can be scoped to a product token.
Incident clock
Track CRA reporting windows from recorded awareness dates with overdue scopes and next-deadline tracking.
ENISA-style reporting draft
Generate a structured reporting draft for human review before submission.
OSV/NVD/CISA KEV monitoring
Monitor affected components against vulnerability feeds and escalation rules where enabled.
Slack/email alerts
Notify owners when vulnerability or reporting work needs attention.
GitHub Action
CI snippet for SBOM upload from product repositories.
GitLab CI
CI snippet for SBOM upload from GitLab pipelines.
Buyer-facing CRA Evidence Pack
On-demand PDF + XLSX + README bundle per product: SBOM coverage, evidence map, vulnerability posture with KEV, and honest gap disclosure for stale SBOMs and unclassified components.
Cross-module readiness dashboard
Daily readiness score across AI Act, GDPR, NIS2, CRA, and vendors. Mint / lemon / coral bands with top three gaps per module.
CRA records use the same evidence library as buyer questionnaires.
SBOMs, vulnerability records, policies, technical documents, and customer notifications can be reused across CRA readiness, buyer reviews, AI governance, and trust-center proof.
Use the questionnaire workspace
Add CRA workflows when your software team needs them.
CRA Lite starts at €29/month for product classification and basic evidence workflows. CRA Full starts at €99/month for SBOM, vulnerability, and reporting readiness workflows.
Also answering buyer questionnaires?
Use the main Complair workspace to turn AI, security, GDPR, and compliance questions into approved answers with reusable evidence.
CRA incident and vulnerability reporting begins 11 September 2026; CRA full applicability is 11 December 2027. Dates are planning references and may change as guidance evolves.