EU Cyber Resilience Act Compliance
Download the ArmorCode Feature Focus: five capabilities that turn EU Cyber Resilience Act (CRA) compliance into a repeatable operating model.
EU Cyber Resilience Act (CRA) Compliance
In this Feature Focus brief, you’ll find:
- The five platform capabilities that make CRA repeatable and audit-ready, from PDE classification to ENISA disclosure
- How ArmorCode reasons over one unified risk context, so teams assemble disclosures from a single source of record
- How CRA maps to every role, with Anya’s Remediation Agent building the disclosure record alongside the work
Real CRA readiness needs a platform, not a point tool
The CRA gives manufacturers as little as 24 hours to report an actively exploited vulnerability to ENISA, yet the evidence that the report needs is scattered across SIEMs, threat feeds, CISA KEV alerts, scanner findings, asset inventories, and SBOMs. The market’s answer has been a wave of partial point tools and GRC bolt-ons, but each only sees a slice, and real CRA requirements need a unified platform.
ArmorCode brings CRA-relevant data, status, and evidence onto the same platform that already powers exposure management across the SDLC, so readiness becomes a repeatable, audit-ready operating model built on the risk context you already have.
Reporting clock: 24h → 72h → 14d
Early warning, vulnerability notification, and then final report to ENISA, starting the moment an exploit goes active.
Penalties: €15M or 2.5%
Fines up to 15 million euros or 2.5 percent of global annual turnover, whichever is higher.
Market access: EU withdrawal
Authorities can restrict or withdraw non-compliant products from the EU market.
What are the five capabilities that make EU Cyber Resilience Act compliance repeatable?
From classifying products with digital elements to disclosing on ENISA’s clock and proving it to auditors, these are the five capabilities offered by ArmorCode that turn CRA requirements into a repeatable operating model.
- Unified data model purpose-built for CRA: CRA’s core artifacts are modeled as native fields, not tags or workarounds. Classification, status, and evidence live where the work happens.
- Exploit-aware risk prioritization: Exploit status drives the risk score, and active exploitation starts the clock. Confirmed exploits rise to the top, so disclosure stays on time.
- Disclosure workflows wired to ENISA timelines: The 24-hour, 72-hour, and 14-day clocks are tracked as data with auto-calculated due dates. The cascade runs as a workflow, not as a spreadsheet.
- Continuous SBOM, supply chain, and lifecycle evidence: Continuous SBOM and VEX in CycloneDX, refreshed from every release. Inventories stay current instead of frozen at a point in time.
- Audit-ready governance, exceptions, and SLAs: One-click reports, immutable audit trails, and SLA breach alerts. Proof is continuously available, not gathered at the last minute.
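To make the "clocks tracked as data with auto-calculated due dates" and "SLA breach alerts" points concrete, here is an added example of a minimal disclosure-cascade tracker. It is illustrative code written for this page, not ArmorCode's implementation: the stage names, the twelve-hour warning window, and the two sample records with their timestamps are all constructed assumptions; only the 24-hour, 72-hour and 14-day offsets come from the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Disclosure cascade from the CRA timelines described on the page. Every offset
# is measured from the moment exploitation evidence is known (clock start).
CASCADE = (
    ("early_warning", timedelta(hours=24)),
    ("vulnerability_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=14)),
)


@dataclass
class DisclosureRecord:
    """One actively exploited vulnerability tracked as data, not a spreadsheet row."""
    finding_id: str
    product: str                      # the product with digital elements (PDE)
    exploitation_known_at: datetime   # UTC time the exploitation evidence arrived
    submitted_at: dict = field(default_factory=dict)  # stage -> UTC time sent to ENISA


def due_dates(exploitation_known_at: datetime) -> dict:
    """Auto-calculate the due date of every cascade stage from the clock start."""
    return {stage: exploitation_known_at + offset for stage, offset in CASCADE}


def cascade_status(record: DisclosureRecord, now: datetime) -> dict:
    """Classify each stage as submitted (on time), late, breached, or still open."""
    status = {}
    for stage, due in due_dates(record.exploitation_known_at).items():
        sent = record.submitted_at.get(stage)
        if sent is not None:
            status[stage] = "submitted" if sent <= due else "late"
        elif now > due:
            status[stage] = "breached"      # nothing filed and the deadline has passed
        else:
            status[stage] = "open"
    return status


def sla_alerts(record: DisclosureRecord, now: datetime,
               warn_within: timedelta = timedelta(hours=12)) -> list:
    """Return (stage, severity) pairs: 'breach' for missed stages, 'due_soon' for
    open stages whose deadline falls inside the warning window (assumed 12h)."""
    alerts = []
    dues = due_dates(record.exploitation_known_at)
    for stage, state in cascade_status(record, now).items():
        if state == "breached":
            alerts.append((stage, "breach"))
        elif state == "open" and dues[stage] - now <= warn_within:
            alerts.append((stage, "due_soon"))
    return alerts


# Constructed sample data (hypothetical products and timestamps, not real findings).
NOW = datetime(2026, 9, 17, 0, 0, tzinfo=timezone.utc)

# Early warning filed two hours before its deadline; notification still pending.
RECORD_A = DisclosureRecord(
    finding_id="FND-0001",
    product="example-gateway-firmware",
    exploitation_known_at=datetime(2026, 9, 14, 10, 0, tzinfo=timezone.utc),
    submitted_at={"early_warning": datetime(2026, 9, 15, 8, 0, tzinfo=timezone.utc)},
)

# Exploitation known a week ago and nothing filed: two stages already breached.
RECORD_B = DisclosureRecord(
    finding_id="FND-0002",
    product="example-agent-installer",
    exploitation_known_at=datetime(2026, 9, 10, 0, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for rec in (RECORD_A, RECORD_B):
        print(rec.finding_id, rec.product)
        for stage, due in due_dates(rec.exploitation_known_at).items():
            print(f"  {stage:<27} due {due.isoformat()}  {cascade_status(rec, NOW)[stage]}")
        print("  alerts:", sla_alerts(rec, NOW))
```

Because the due dates are derived from a single stored timestamp rather than typed in by hand, the same record drives the workflow view, the breach alerting, and the audit trail; changing the clock start (for example after correcting when exploitation evidence actually arrived) recomputes every deadline consistently.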
Get every capability, the disclosure cascade, and the role-by-role operating model in one PDF.
Frequently Asked Questions About Cyber Resilience Act Compliance
Q: When do EU Cyber Resilience Act reporting obligations begin?
A: The European Union Cyber Resilience Act mandates that beginning September 11, 2026, manufacturers placing products with digital elements on the EU market must report actively exploited vulnerabilities to ENISA within 24 hours, follow with a vulnerability notification within 72 hours, and deliver a final report within 14 days.
Q: What are the CRA disclosure timelines to ENISA?
A: The disclosure cascade is a 24-hour early warning for an actively exploited vulnerability, a 72-hour vulnerability notification, and a final report within 14 days. The 24-hour clock starts the moment exploitation evidence is known.
Q: What are the penalties for CRA non-compliance?
A: CRA non-compliance carries fines of up to 15 million euros or 2.5 percent of global annual turnover, along with loss of EU market access.
Q: What are the five ArmorCode CRA capabilities?
A: A unified data model purpose-built for CRA; exploit-aware risk prioritization; disclosure workflows wired to ENISA timelines; continuous SBOM, supply chain, and lifecycle evidence; and audit-ready governance with exceptions and SLAs.
Q: Does the CRA apply if we’re not based in the EU?
A: Yes. The CRA applies to any manufacturer that places a product with digital elements on the EU market, regardless of where the company is headquartered. If your hardware or software reaches EU customers, the reporting timelines and obligations apply to you the same way they apply to an EU-based vendor. Not sure whether a specific product is in scope? Check it in minutes with the ArmorCode CRA Readiness Scorecard.