Reporting deadline: Sept 11, 2026

CRA compliance infrastructure for developers

The EU Cyber Resilience Act requires vulnerability reporting within 24 hours, SBOMs for every release, and conformity documentation kept for 10 years. Scanning tools handle detection. Nobody handles the compliance workflow. Krava does.

Pull request comment by krava-bot (checks passed)

CRA Compliance Report

Score: 72/100 (needs work)

SBOM             23/25   3 deps missing license info
Vulnerabilities  20/30   2 high-severity CVEs in transitive deps
Licenses         14/15   1 unknown license (check manually)
Disclosure        5/15   no security.txt found
Updates          10/15   support period not declared

---
! CVE-2026-31245 in lodash@4.17.20 (high, fix available: 4.17.22)
! CVE-2026-28190 in express@4.18.1 (high, fix available: 4.21.0)
? Unknown license in custom-parser@2.1.0

CRA deadline: Sept 11, 2026 (reporting) | Dec 11, 2027 (full compliance)

What the Cyber Resilience Act actually requires

If you sell software products in the EU (mobile apps, desktop software, SDKs, libraries, firmware, IoT devices), the CRA applies to you. Pure SaaS is excluded (that falls under NIS2). Penalties are up to EUR 15 million or 2.5% of global revenue.

Reporting

24-hour vulnerability reporting

When you discover an actively exploited vulnerability, you must notify your national CSIRT and ENISA within 24 hours. A follow-up notification is due within 72 hours, and a final report within 14 days of the fix.

Mandatory from Sept 11, 2026

SBOM

Software Bill of Materials

Every product needs a machine-readable SBOM (CycloneDX or SPDX) covering at minimum all top-level dependencies, their versions, licenses, and unique identifiers. Provided to authorities on request.

Mandatory from Dec 11, 2027
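The SBOM card above lists the minimum each component entry must carry: a name, a version, a license and a unique identifier. The script below is an added example (not Krava's code and not the output of any scanner named on this page) that walks a CycloneDX JSON document and reports, per component, which of those fields are absent, in the same spirit as the "3 deps missing license info" line in the report mock-up. The sample SBOM embedded in it is constructed for the example, and the use of the `purl` field as the unique identifier is an assumption about how the SBOM was generated.

```python
"""Check a CycloneDX SBOM for the minimum per-component fields the CRA asks for.

Added example, not Krava's code. Checks every entry in `components` for
name, version, a package URL (purl) and a license, and flags licenses that
carry only a free-text name rather than an SPDX id as "check manually".
"""
import json

# Constructed sample SBOM in CycloneDX 1.x JSON layout (not a real project).
# 'custom-parser' has no license entry; 'tiny-util' has a non-SPDX license
# name and lacks both a version and a purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "express", "version": "4.18.1",
         "purl": "pkg:npm/express@4.18.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "custom-parser", "version": "2.1.0",
         "purl": "pkg:npm/custom-parser@2.1.0"},
        {"type": "library", "name": "tiny-util",
         "licenses": [{"license": {"name": "Proprietary"}}]},
    ],
})


def component_license(comp):
    """Return (value, is_spdx) for the first license on a component, or (None, False).

    CycloneDX allows each entry in `licenses` to be either {"license": {...}}
    with an SPDX "id" or a free-text "name", or {"expression": "..."}.
    """
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        if lic.get("id"):
            return lic["id"], True
        if lic.get("name"):
            return lic["name"], False
        if entry.get("expression"):
            return entry["expression"], True
    return None, False


def check_sbom(text):
    """Return {component name: [missing or questionable fields]} for a CycloneDX JSON string."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = {}
    for comp in doc.get("components", []):
        missing = [f for f in ("name", "version", "purl") if not comp.get(f)]
        value, is_spdx = component_license(comp)
        if value is None:
            missing.append("license")
        elif not is_spdx:
            missing.append("license-not-spdx")  # present, but needs manual review
        if missing:
            findings[comp.get("name", "<unnamed>")] = missing
    return findings


def summarize(findings):
    """Count how many components lack each field, for a one-line report."""
    counts = {"name": 0, "version": 0, "purl": 0, "license": 0, "license-not-spdx": 0}
    for missing in findings.values():
        for field in missing:
            counts[field] += 1
    return counts


if __name__ == "__main__":
    found = check_sbom(SAMPLE_SBOM)
    for name, missing in found.items():
        print(f"{name}: missing {', '.join(missing)}")
    print(summarize(found))
```

Run it against a real SBOM by replacing `SAMPLE_SBOM` with the file contents; a scanner that emits SPDX rather than CycloneDX needs a different field mapping (SPDX uses `packages`, `versionInfo`, `licenseConcluded` and `externalRefs`), which this example does not cover.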
Disclosure

Coordinated vulnerability disclosure

You must have a published policy and a contact point for security researchers to report vulnerabilities. This means a security.txt, an intake process, and a triage workflow.

Mandatory from Dec 11, 2027
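The disclosure card above names a security.txt file as the published contact point. The checker below is an added example (not Krava's code) that validates a security.txt against the two fields RFC 9116 makes mandatory, `Contact` and `Expires`, and the RFC's recommendation that `Expires` lie no more than a year out. The file contents and the reference date are constructed for the example.

```python
"""Validate a security.txt file against RFC 9116's mandatory fields.

Added example, not Krava's code. RFC 9116 requires at least one "Contact"
(a URI, typically mailto:, https:// or tel:) and exactly one "Expires"
(an ISO 8601 date-time with a timezone), and recommends that Expires be
less than a year in the future.
"""
from datetime import datetime, timezone

# Constructed reference date for the checks below (a real checker would use now()).
REFERENCE_NOW = datetime(2026, 9, 11, tzinfo=timezone.utc)

# Constructed sample files; example.com is a placeholder, not a real contact.
SAMPLE_OK = """\
# Constructed example file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-15T00:00:00Z
Preferred-Languages: en, de
Policy: https://example.com/security/policy
"""

SAMPLE_MISSING_EXPIRES = """\
Contact: mailto:security@example.com
"""


def parse_security_txt(text):
    """Return {field-name-lowercased: [values]}, skipping comments and blank lines."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=REFERENCE_NOW):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact")
    for contact in contacts:
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:, https:// or tel: URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
        return problems
    try:
        # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 on.
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
        return problems
    if exp.tzinfo is None:
        problems.append("Expires lacks a timezone offset")
    elif exp <= now:
        problems.append("Expires is in the past")
    elif (exp - now).days > 365:
        problems.append("Expires is more than a year out; RFC 9116 recommends less")
    return problems


if __name__ == "__main__":
    print("ok file:", check_security_txt(SAMPLE_OK) or "passes")
    print("bad file:", check_security_txt(SAMPLE_MISSING_EXPIRES))
```

RFC 9116 also expects the file to be served at `/.well-known/security.txt` over HTTPS; fetching it is left out here so the example runs offline against the embedded text.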
Conformity

Conformity assessment

Before placing your product on the EU market, you need a conformity assessment. About 90% of products can self-assess. The rest need a notified body. Either way, you need documentation.

Mandatory from Dec 11, 2027

Documentation

Technical documentation for 10 years

Risk assessments, design information, SBOM, vulnerability handling procedures, conformity results, and an EU declaration of conformity. Kept available for market surveillance authorities.

Mandatory from Dec 11, 2027

Updates

Security updates for the support period

You must declare a support period and provide free security updates for its entire duration. Vulnerabilities must be addressed without delay. Updates must be verifiable.

Mandatory from Dec 11, 2027

The gap nobody fills

Trivy, Grype, and Syft generate SBOMs and scan for vulnerabilities. Snyk and FOSSA do the same at enterprise prices. They all handle the scanning side. None of them handles the compliance workflow: the 24-hour reporting timelines, the ENISA submission templates, the vulnerability disclosure management, or the conformity documentation. You run the scan, get a JSON file, and then have to figure out the rest yourself.

Krava is the layer between your scanner and the regulator. It takes scan results from whichever tool you use, tracks your compliance status against CRA requirements, manages your vulnerability disclosure process, enforces reporting deadlines, and generates the documentation that market surveillance authorities will ask for.

Get early access

We are building the GitHub Action and compliance dashboard now. Sign up and we will let you know when it is ready.