Practical tools for product security compliance
The Cyber Resilience Act is coming. We're building free tools and resources to help you understand what it means for your products—and what it will actually cost.
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is EU legislation that sets cybersecurity requirements for products with digital elements. If you make, import, or distribute software or connected devices in the EU market, this will affect you.
Who's affected?
- Manufacturers of software and IoT devices
- Importers and distributors in the EU
- Open source projects with commercial involvement
Key requirements
- Vulnerability handling and disclosure processes
- Software Bill of Materials (SBOM)
- Security updates for the product lifetime
Timeline: The CRA entered into force in December 2024. The obligation to report actively exploited vulnerabilities and severe incidents applies from September 2026, and most other requirements apply from December 2027. That sounds far away, but building the necessary processes takes time.
Tools
Free calculators and utilities to help you plan
Vulnerability Cost Calculator
Estimate the real cost of managing security vulnerabilities—SBOM alerts, CVD reports, and periodic reviews. Understand the labor investment before you're surprised by it.
Try it free →
CRA Scope Assessment
Find out if your product falls under the Cyber Resilience Act and which category applies. Answer a few questions to understand your compliance obligations.
Check your product →
Getting Started
Practical steps you can take today
Know your dependencies
Start generating SBOMs for your products. A tool like Syft can produce them in the CycloneDX or SPDX format, which is what downstream scanners and customers expect. You can't manage what you don't measure.
Set up vulnerability tracking
Monitor your dependencies for known vulnerabilities. GitHub Dependabot or Snyk can alert you when an advisory is published for a library you use, and Grype can scan the SBOMs you generate against vulnerability databases.
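To make the two steps above concrete, here is an added example (my code, not code from this page, from Syft or from Grype) that reads a CycloneDX SBOM of the shape `syft -o cyclonedx-json` emits and matches each component's package URL against a list of advisories. The SBOM, the package names, the advisory IDs and the affected ranges are all constructed for the example; a real tracker pulls advisories from a database such as OSV or the GitHub Advisory Database and applies ecosystem-specific version rules, whereas the comparison here handles plain dotted numeric versions only.

```python
"""Match a CycloneDX SBOM against an advisory list (added example).

The SBOM is constructed in the shape `syft -o cyclonedx-json` produces,
trimmed to the fields matching needs. Advisories, package names and IDs
are fictional; a real pipeline would pull them from OSV or similar.
"""
import json
from urllib.parse import unquote

# Constructed SBOM (CycloneDX 1.5 JSON). Package names are fictional.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application",
                             "name": "example-app", "version": "0.9.0"}},
  "components": [
    {"type": "library", "name": "acme-json", "version": "1.2.3",
     "purl": "pkg:pypi/acme-json@1.2.3"},
    {"type": "library", "name": "widgetlib", "version": "4.0.1",
     "purl": "pkg:npm/widgetlib@4.0.1"},
    {"type": "library", "name": "acme-json", "version": "2.0.0",
     "purl": "pkg:npm/acme-json@2.0.0"},
    {"type": "library", "name": "legacy-auth",
     "purl": "pkg:pypi/legacy-auth"}
  ]
}
"""

# Constructed, hypothetical advisories: ecosystem, package, affected range.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ecosystem": "pypi", "name": "acme-json",
     "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "EXAMPLE-0002", "ecosystem": "npm", "name": "widgetlib",
     "introduced": "4.0.0", "fixed": "4.1.0"},
    {"id": "EXAMPLE-0003", "ecosystem": "pypi", "name": "legacy-auth",
     "introduced": "0", "fixed": "3.0.0"},
]


def parse_purl(purl):
    """Split a package URL into (type, name, version); version may be None."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    # Drop qualifiers (?arch=...) and subpath (#...), then split off the type.
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    # The version follows the last '@' that comes after the last '/'. Scoped
    # npm names are encoded as %40scope/name, so a raw leading '@' never occurs.
    slash, at = rest.rfind("/"), rest.rfind("@")
    if at > slash:
        name, version = unquote(rest[:at]), unquote(rest[at + 1:])
    else:
        name, version = unquote(rest), None
    return ptype.lower(), name, version


def version_tuple(v):
    """Numeric dotted versions only ("1.2.3"); non-numeric parts count as 0."""
    parts = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return version_tuple(introduced) <= version_tuple(version) < version_tuple(fixed)


def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return sbom


def match_sbom(sbom, advisories):
    """Return one finding per (component, advisory) pair that applies.

    A component whose purl carries no version is reported as 'unknown_version'
    rather than silently passed: an SBOM that cannot say which version shipped
    cannot say the product is unaffected either.
    """
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        ptype, name, version = parse_purl(purl)
        for adv in advisories:
            if adv["ecosystem"] != ptype or adv["name"] != name:
                continue  # same name in another ecosystem is a different package
            if version is None:
                status = "unknown_version"
            elif is_affected(version, adv["introduced"], adv["fixed"]):
                status = "affected"
            else:
                continue
            findings.append({"purl": purl, "advisory": adv["id"],
                             "status": status, "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in match_sbom(load_sbom(SBOM_JSON), ADVISORIES):
        print(f"{f['status']:16} {f['purl']}  {f['advisory']} (fixed in {f['fixed']})")
```

Two details carry over to real tooling. Matching is keyed on ecosystem, name and version range, which is why the `npm` copy of `acme-json` is not flagged by a `pypi` advisory. And a component listed without a version cannot be cleared, so the example reports it instead of dropping it; an SBOM with many such entries will generate noise, or worse, false confidence, until the generator is fixed.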
Document your process
Write down how you handle vulnerability reports. Who triages? What's the SLA for fixes? How do you inform customers? The CRA requires this to be formalized, including a coordinated vulnerability disclosure policy and a contact point through which reporters can reach you.
Resources
Official documentation and further reading