NEWVenvera speaks your language: the full platform, in English, German, Spanish and Bulgarian.See what’s new →
Cyber Resilience Act compliance software

Security becomes a condition of sale on 11 December 2027.

The Cyber Resilience Act (Regulation (EU) 2024/2847) makes cybersecurity a legal requirement for every product with digital elements sold in the EU. Venvera is CRA compliance software that turns the regulation into a scoped, trackable programme: which products are in scope, what a manufacturer must build and prove, and how to be conformant before the deadline instead of pulling products from the market after it.

Applicability & classificationEssential requirementsVulnerability handlingSBOMCE marking & conformity24h/72h reporting

What is the CRA, and are your products in scope?

The Cyber Resilience Act is the first EU-wide law setting mandatory cybersecurity requirements for products with digital elements: hardware and software placed on the EU market. It entered into force on 10 December 2024. Scope follows the product and your role: a product with digital elements is broadly any software or hardware whose intended or reasonably foreseeable use includes a data connection to a device or network, so it reaches well beyond IoT into firmware, operating systems, libraries and software sold as a product. Manufacturers carry the essential requirements (Annex I): secure design, vulnerability handling, an SBOM, security updates across a support period of at least five years, conformity assessment and CE marking. Importers and distributors verify that work. The reporting duties for actively exploited vulnerabilities and severe incidents apply from 11 September 2026; the full obligations apply from 11 December 2027. Venvera runs all of this as CRA compliance software: it maps the essential requirements and vulnerability-handling duties to controls, tracks conformity and the SBOM, and reuses the evidence you already hold for NIS2, DORA and ISO 27001.

 app.venvera.com
/ CRA · scoped controls, one conformity view
/ CRA · scoped controls, one conformity view
2027
Full application deadline (11 Dec)
24
Controls, essential reqs to reporting
5 yr
Minimum support period, tracked
24h
Exploited-vulnerability early warning
Scope

Know if the CRA applies, product by product.

Scope is a product-and-role test, and getting the class wrong changes the whole conformity route. Venvera walks you through it: which products count as products with digital elements, how each is classified (default, important class I or II, or critical), and whether you act as manufacturer, importer or distributor for each. The determination is documented, dated and re-runnable when your product line or the implementing acts change.

  • Product-with-digital-elements applicability per product
  • Classification: default, important class I/II, or critical
  • Economic-operator role per product (manufacturer, importer, distributor)
  • A documented, dated scope you can show a market surveillance authority
 app.venvera.com
/ SCOPE · applicability and class, documented
/ SCOPE · applicability and class, documented
Essential requirements

Build to Annex I, and prove you did.

The core manufacturer duty is that products ship secure. Venvera tracks the Annex I Part I requirements as controls with evidence: a secure-by-default configuration, no known exploitable vulnerabilities, protection against unauthorised access, confidentiality and integrity of data, data minimisation, availability and denial-of-service resilience, a limited attack surface, and the ability to be updated. Which requirements apply, and how, is driven by a documented per-product risk assessment that Venvera holds alongside the controls.

  • Per-product cybersecurity risk assessment on file
  • Annex I Part I product-security properties as tracked controls
  • Secure-by-default and no-known-exploitable-vulnerabilities discipline
  • Availability, integrity and attack-surface requirements evidenced
 app.venvera.com
/ ESSENTIAL REQUIREMENTS · Annex I, evidenced
/ ESSENTIAL REQUIREMENTS · Annex I, evidenced
Vulnerability handling

SBOM, disclosure and updates across the support period.

Annex I Part II is a process, not a one-off. Venvera tracks the vulnerability-handling machinery: a software bill of materials in a machine-readable format, a published coordinated vulnerability disclosure policy, a handling process that remediates without delay and ships advisories, regular security testing, and a determined support period of at least five years with updates available throughout. Evidence expiry keeps the SBOM and testing current instead of letting them rot.

  • Software bill of materials (SBOM), maintained not one-off
  • Published coordinated vulnerability disclosure policy
  • Vulnerability handling with advisories and timely security updates
  • Support period (at least five years) determined and communicated
 app.venvera.com
/ VULNERABILITY HANDLING · SBOM to support period
/ VULNERABILITY HANDLING · SBOM to support period
Reporting

The 24-hour clock, on the same engine as NIS2 and DORA.

From 11 September 2026, an actively exploited vulnerability or a severe incident must be reported to the CSIRT coordinator and ENISA through the single reporting platform: early warning within 24 hours, notification within 72 hours, and a final report to follow. Venvera runs these clocks on the same reporting engine as your NIS2 and DORA deadlines, so the duty is visible, timed and evidenced rather than a scramble when a CVE lands.

  • Actively-exploited-vulnerability and severe-incident reporting tracked
  • 24-hour early warning and 72-hour notification clocks
  • One reporting engine shared with NIS2 and DORA duties
  • Affected-user notification captured as evidence
 app.venvera.com
/ REPORTING · timed, not scrambled
/ REPORTING · timed, not scrambled
Evidence once

The work you did for NIS2 and DORA counts here too.

Most CRA controls are not new work. Secure development, vulnerability management, risk assessment, incident reporting, supplier and component due diligence, and security testing all overlap controls you already evidence for NIS2, DORA, ISO 27001 and SOC 2. Venvera maps them, so the moment you prove one it satisfies its CRA equivalent. Evidence Autopilot then chases only the genuinely CRA-specific gaps, from the right domain contacts, and re-asks when evidence expires.

  • Overlapping controls auto-satisfied from NIS2, DORA, ISO 27001 and SOC 2
  • CRA-specific duties (SBOM, CE marking, ENISA reporting) never auto-claimed
  • Evidence Autopilot collects the deltas with no-login requests
  • Third-party component security shared with your supplier register
 app.venvera.com
/ CROSSWALK · one control, every framework it satisfies
/ CROSSWALK · one control, every framework it satisfies
Conformity

CE marking, the declaration and the documentation, tracked.

Conformity is the paperwork that lets you sell. Venvera tracks the route to it: the conformity assessment procedure for your product class, the technical documentation drawn up before market placement and retained for ten years, the EU declaration of conformity, the CE marking, and the clear user information including the support period end date. A gap assessment scores your organisation across every CRA area and hands back a prioritised remediation plan with owners and effort, tracked to the 11 December 2027 date.

  • Conformity assessment route selected per product class
  • Technical documentation (Annex VII) and EU declaration of conformity
  • CE marking and user information including support period end date
  • Board-ready readiness summary in one click
 app.venvera.com
/ CONFORMITY · CE marking to declaration
/ CONFORMITY · CE marking to declaration
Why switch

The spreadsheet or Venvera.

Spreadsheets
Venvera
Product scope & classification
A guess in a document
Applicability and class per product, dated and re-runnable
Essential requirements
Asserted, not evidenced
Annex I controls with evidence, driven by a risk assessment
SBOM & vulnerability handling
A one-off export that goes stale
Maintained SBOM, disclosure policy and testing with expiry
Reporting clocks
A date someone has to remember
24h/72h clocks on the same engine as NIS2 and DORA
Overlapping work
NIS2 and DORA evidence collected again
Prove once, satisfies the CRA equivalent
Conformity view
A static PDF from a consultant
Living gap assessment with a roadmap to 2027

The Cyber Resilience Act, answered.

Know where you stand on the CRA well before 2027.

Start with a free gap report across every CRA area - 10 minutes, no email to start.

Every paid plan: audit-ready in 90 days, or your money back

10 minutes · no email to start · no credit card · yours to keep