The Cyber Resilience Act (Regulation (EU) 2024/2847) makes cybersecurity a legal requirement for every product with digital elements sold in the EU. Venvera is CRA compliance software that turns the regulation into a scoped, trackable programme: which products are in scope, what a manufacturer must build and prove, and how to be conformant before the deadline instead of pulling products from the market after it.
The Cyber Resilience Act is the first EU-wide law setting mandatory cybersecurity requirements for products with digital elements: hardware and software placed on the EU market. It entered into force on 10 December 2024. Scope follows the product and your role: a product with digital elements is broadly any software or hardware whose intended or reasonably foreseeable use includes a data connection to a device or network, so it reaches well beyond IoT into firmware, operating systems, libraries and software sold as a product. Manufacturers carry the essential requirements (Annex I): secure design, vulnerability handling, an SBOM, security updates across a support period of at least five years, conformity assessment and CE marking. Importers and distributors verify that work. The reporting duties for actively exploited vulnerabilities and severe incidents apply from 11 September 2026; the full obligations apply from 11 December 2027. Venvera runs all of this as CRA compliance software: it maps the essential requirements and vulnerability-handling duties to controls, tracks conformity and the SBOM, and reuses the evidence you already hold for NIS2, DORA and ISO 27001.

Scope is a product-and-role test, and getting the class wrong changes the whole conformity route. Venvera walks you through it: which products count as products with digital elements, how each is classified (default, important class I or II, or critical), and whether you act as manufacturer, importer or distributor for each. The determination is documented, dated and re-runnable when your product line or the implementing acts change.

The core manufacturer duty is that products ship secure. Venvera tracks the Annex I Part I requirements as controls with evidence: a secure-by-default configuration, no known exploitable vulnerabilities, protection against unauthorised access, confidentiality and integrity of data, data minimisation, availability and denial-of-service resilience, a limited attack surface, and the ability to be updated. Which requirements apply, and how, is driven by a documented per-product risk assessment that Venvera holds alongside the controls.

Annex I Part II is a process, not a one-off. Venvera tracks the vulnerability-handling machinery: a software bill of materials in a machine-readable format, a published coordinated vulnerability disclosure policy, a handling process that remediates without delay and ships advisories, regular security testing, and a determined support period of at least five years with updates available throughout. Evidence expiry keeps the SBOM and testing current instead of letting them rot.

From 11 September 2026, an actively exploited vulnerability or a severe incident must be reported to the CSIRT coordinator and ENISA through the single reporting platform: early warning within 24 hours, notification within 72 hours, and a final report to follow. Venvera runs these clocks on the same reporting engine as your NIS2 and DORA deadlines, so the duty is visible, timed and evidenced rather than a scramble when a CVE lands.

Most CRA controls are not new work. Secure development, vulnerability management, risk assessment, incident reporting, supplier and component due diligence, and security testing all overlap controls you already evidence for NIS2, DORA, ISO 27001 and SOC 2. Venvera maps them, so the moment you prove one it satisfies its CRA equivalent. Evidence Autopilot then chases only the genuinely CRA-specific gaps, from the right domain contacts, and re-asks when evidence expires.

Conformity is the paperwork that lets you sell. Venvera tracks the route to it: the conformity assessment procedure for your product class, the technical documentation drawn up before market placement and retained for ten years, the EU declaration of conformity, the CE marking, and the clear user information including the support period end date. A gap assessment scores your organisation across every CRA area and hands back a prioritised remediation plan with owners and effort, tracked to the 11 December 2027 date.

Start with a free gap report across every CRA area - 10 minutes, no email to start.
✓ Every paid plan: audit-ready in 90 days, or your money back
10 minutes · no email to start · no credit card · yours to keep