Cyber Resilience Act compliance, fully automated
The CRA mandates cybersecurity for all products with digital elements sold in the EU. Matproof covers security by design, vulnerability handling, SBOM management, ENISA reporting, and conformity assessment.
Key Features
Security by Design (Annex I)
Track and document essential cybersecurity requirements from product design through delivery. Secure defaults, attack surface minimisation, and access control - all evidenced.
Vulnerability Handling (Annex I.2)
Systematic vulnerability identification, documentation, and remediation. Coordinated disclosure processes with full audit trail and SBOM integration.
SBOM Management (Annex I.2(9))
Generate and maintain Software Bills of Materials. Track all components, libraries, and dependencies. Cross-reference against known vulnerability databases automatically.
ENISA/CSIRT Reporting (Art. 14)
Meet the 24h early warning, 72h notification, and 14-day final report deadlines. Pre-built templates, automated workflows, and deadline tracking.
Conformity Assessment (Art. 32)
Self-assessment for default products, guided third-party assessment for Class I/II. EU Declaration of Conformity generation and CE marking documentation.
Support Period Management (Art. 13(7))
Track product support periods (minimum 5 years), security update delivery, and end-of-life transitions. Automated alerts and compliance documentation.
Why Matproof
Customer stories
Teams that stopped dreading audit season.
Matproof saved us months of audit preparation. We connected our tools on Monday and had DORA-mapped evidence by Friday. Our auditor was impressed by the depth of the audit trail.
Katharina Steinbach
Head of Compliance · Novalend GmbH
We were staring down a DORA deadline with three frameworks to cover. Matproof got us audit-ready in under four weeks. The policy generator alone was worth the subscription.
Florian Bergmann
CTO · Paymatic AG
The cross-framework mapping is genuinely brilliant. We already had ISO 27001 — Matproof showed us exactly what DORA added on top without duplicating controls. No consultant could do this in the same time.
Dr. Annika Brandt
CISO · Kreditwerk Digital
Our last audit finished with zero findings. First time in company history. Matproof's continuous monitoring caught a configuration drift two weeks before the auditors arrived.
Maximilian Vogt
VP Engineering · Finova Technologies
Vendor risk was the section we dreaded most for DORA Article 28. Matproof auto-generated our entire ICT third-party register from existing contracts. What took our legal team weeks took Matproof an afternoon.
Julia Hoffmann
Legal & Compliance · FinLeap Connect
Three frameworks — DORA, ISO 27001, SOC 2 — running in parallel on one platform. Matproof's shared evidence library means we collect evidence once and it satisfies all three. The efficiency is remarkable.
Thomas Kessler
Head of IT Risk · Solaris SE
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (Regulation 2024/2847) is an EU regulation establishing horizontal cybersecurity requirements for products with digital elements - encompassing both hardware and software sold on the European market. Published in the Official Journal on November 20, 2024, it addresses the growing cybersecurity risks posed by connected products, from smart home devices and routers to operating systems and industrial control software.
The CRA fills a significant regulatory gap: while existing EU frameworks address network and information security (NIS2) and sector-specific resilience (DORA), no horizontal regulation previously required cybersecurity to be built into products at the design stage. The CRA mandates that manufacturers, importers, and distributors ensure products meet essential cybersecurity requirements throughout their lifecycle, including ongoing vulnerability handling and security updates.
Key obligations include security by design and default (Annex I Part I), systematic vulnerability handling (Annex I Part II), Software Bill of Materials (SBOM) maintenance, rapid vulnerability reporting to ENISA and national CSIRTs, free security updates for the product's support period (minimum 5 years), and conformity assessment with CE marking. Products are classified into default, Class I, Class II, and critical categories, with increasing assessment rigour.
The CRA follows a phased implementation: vulnerability reporting obligations apply from September 11, 2026, and the full regulation applies from December 11, 2027. This gives manufacturers time to adapt their product development processes, establish vulnerability handling workflows, and prepare for conformity assessments.
Who Needs CRA Compliance?
The CRA applies to all economic operators involved in placing products with digital elements on the EU market. A product with digital elements is any software or hardware product and its remote data processing solutions that include a direct or indirect logical or physical connection to a device or network:
Manufacturers
- Hardware manufacturers (IoT devices, routers, smart home products)
- Software developers (applications, operating systems, firmware)
- Embedded systems manufacturers (industrial controllers, automotive ECUs)
- SaaS providers where software is a product component
- Open-source software stewards (commercial foundations)
- Companies integrating third-party components into products
Importers and Distributors
- EU importers of non-EU manufactured products
- Distributors placing products on the EU market
- Online marketplaces selling products with digital elements
- System integrators assembling products from components
- Resellers of software and hardware products
- White-label product distributors
Notably, pure SaaS services that do not involve placing a product on the market are generally excluded from CRA scope (they may fall under NIS2 instead). However, if the SaaS includes downloadable software components, firmware, or IoT device integration, those elements are in scope. Open-source software developed in a non-commercial context is also excluded, though open-source software stewards (e.g. commercial foundations maintaining critical libraries) have specific obligations under Article 25.
CRA Key Requirements
1. Essential Cybersecurity Requirements (Annex I Part I)
Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on their risks. This includes: no known exploitable vulnerabilities at time of placing on market, secure default configuration with no default passwords, protection of data confidentiality and integrity, minimisation of data processing, access control mechanisms, attack surface minimisation, security-relevant information recording, and a secure update mechanism. Products must also be resilient against denial-of-service attacks.
2. Vulnerability Handling (Annex I Part II)
Manufacturers must establish and maintain a systematic process for identifying, documenting, and remediating vulnerabilities throughout the product lifecycle. This includes regular security testing, timely remediation through free security updates, a coordinated vulnerability disclosure policy for external researchers, public disclosure of fixed vulnerabilities with CVE identifiers, mechanisms for sharing vulnerability information, and a secure update distribution mechanism. Patches must be delivered free of charge and without undue delay.
3. SBOM Management (Annex I.2(9))
Manufacturers must generate and maintain a Software Bill of Materials (SBOM) documenting all top-level dependencies, components, libraries, and third-party code included in their products. The SBOM enables rapid vulnerability assessment when new CVEs are published, supply chain transparency, and regulatory reporting. It must be kept current throughout the product's support period and made available to market surveillance authorities upon request.
4. Vulnerability Reporting to ENISA (Article 14)
When a manufacturer becomes aware of an actively exploited vulnerability or a severe security incident, they must report to the designated CSIRT and ENISA following strict timelines: an early warning within 24 hours of becoming aware, a detailed vulnerability notification within 72 hours including severity assessment and remediation status, and a final report within 14 days. Users must also be notified without undue delay about the vulnerability and available corrective measures.
5. Conformity Assessment and CE Marking (Articles 28-32)
Before placing a product on the EU market, manufacturers must conduct a conformity assessment, prepare an EU Declaration of Conformity (Annex V), and affix the CE marking. Default products can use self-assessment (Annex VI Part I). Class I products (Annex III - e.g. identity management, VPNs, firewalls) require conformity to harmonised standards or third-party assessment. Class II products (Annex IV - e.g. operating systems, smart meters) require mandatory third-party assessment. Critical products need EU type examination.
6. Product Support Period (Article 13(7))
Manufacturers must define and communicate the product support period during which they will provide security updates - at minimum 5 years or the expected product lifetime, whichever is longer. During this period, all security updates must be provided free of charge and delivered without undue delay. The support period must be clearly communicated to users at the time of purchase. Manufacturers must also plan and execute responsible end-of-life transitions when support ends.
7. Technical Documentation (Annex VII)
Manufacturers must maintain comprehensive technical documentation covering: product description and intended purpose, cybersecurity risk assessment, design and development information including architecture and data flows, information about vulnerability handling processes, applied harmonised standards or common specifications, conformity assessment results, and evidence of how essential requirements are fulfilled. Documentation must be retained for 10 years or the support period, whichever is longer.
Penalties for CRA Non-Compliance
The CRA establishes a tiered penalty framework enforced by national market surveillance authorities. Penalties are calculated as the higher of a fixed amount or a percentage of global annual turnover:
- for non-compliance with essential cybersecurity requirements (Annex I) - the most severe category
- for non-compliance with other manufacturer obligations including vulnerability reporting and conformity assessment
- for providing incorrect, incomplete, or misleading information to market surveillance authorities or notified bodies
- authorities can order product withdrawal, recall, or restriction of availability on the EU market until compliance is achieved
Market surveillance authorities have broad powers including the ability to conduct product testing, request documentation, access premises, and issue binding corrective measures. Non-compliant products can be prohibited from the EU market entirely. For open-source software stewards, penalties are proportionate to their size and market share.
How to Prepare for CRA Compliance
With vulnerability reporting obligations starting September 11, 2026 and full application from December 11, 2027, manufacturers should begin preparation now:
1. Product Inventory and Classification
Create a comprehensive inventory of all products with digital elements. Classify each product according to CRA categories: default, Class I (Annex III), Class II (Annex IV), or critical. Identify the appropriate conformity assessment procedure for each product class.
2. SBOM Generation and Dependency Mapping
Implement automated SBOM generation for all products. Document all components, libraries, and dependencies. Cross-reference against CVE databases and set up continuous monitoring for newly disclosed vulnerabilities in your software supply chain.
3. Vulnerability Handling Process
Establish a systematic vulnerability handling process covering identification, documentation, remediation, and disclosure. Set up coordinated vulnerability disclosure channels. Build the capability to meet 24h/72h/14d ENISA reporting timelines. Test the process with simulated vulnerability scenarios.
4. Security by Design Integration
Integrate CRA essential cybersecurity requirements into your product development lifecycle. Implement secure default configurations, access control, attack surface minimisation, and secure update mechanisms. Conduct security testing throughout development, not just before release.
5. Conformity Assessment Preparation
Prepare technical documentation per Annex VII. For Class I/II products, engage notified bodies for third-party assessment. Prepare the EU Declaration of Conformity and CE marking documentation. Ensure your quality management system supports ongoing conformity.
6. Support Period and Update Infrastructure
Define support periods for all products (minimum 5 years). Build secure update delivery infrastructure. Establish processes for end-of-life planning and user communication. Ensure you can deliver free security patches throughout the support period.
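As an added illustration of steps 2 and 3 above (example code, not Matproof's product or part of the original page): a constructed CycloneDX-style SBOM is cross-referenced against a constructed vulnerability feed, and for each finding flagged as actively exploited the 24h/72h/14d Article 14 deadlines are derived from the moment of awareness. The SBOM contents, package names, placeholder identifiers, feed format and the awareness timestamp are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed minimal CycloneDX-style SBOM (not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo",  "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
    {"type": "library", "name": "netutil", "version": "2.0.0", "purl": "pkg:generic/netutil@2.0.0"},
    {"type": "library", "name": "tlsx",    "version": "3.1.0", "purl": "pkg:generic/tlsx@3.1.0"}
  ]
}"""

# Constructed vulnerability feed; the identifiers are placeholders, not real CVEs.
# "fixed_in" is the first version that no longer carries the flaw.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "package": "libfoo",  "fixed_in": "1.4.3", "actively_exploited": True},
    {"id": "EXAMPLE-0002", "package": "netutil", "fixed_in": "1.9.0", "actively_exploited": False},
]

# Constructed moment at which the manufacturer became aware of the findings.
AWARE_AT = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)


def parse_version(text):
    """Dotted numeric versions only (an assumption of this example)."""
    return tuple(int(part) for part in text.split("."))


def match_sbom(sbom_json, feed):
    """Return every SBOM component whose version predates the fix named in the feed."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for vuln in feed:
            if vuln["package"] == comp["name"] and \
               parse_version(comp["version"]) < parse_version(vuln["fixed_in"]):
                findings.append({"purl": comp["purl"], "id": vuln["id"],
                                 "actively_exploited": vuln["actively_exploited"]})
    return findings


def article14_deadlines(findings, aware_at):
    """Article 14 clock (24h / 72h / 14d as stated on this page), counted from the
    moment of awareness, for findings flagged as actively exploited only."""
    clock = {"early_warning": timedelta(hours=24),
             "notification": timedelta(hours=72),
             "final_report": timedelta(days=14)}
    return {f["id"]: {k: aware_at + d for k, d in clock.items()}
            for f in findings if f["actively_exploited"]}


if __name__ == "__main__":
    print(article14_deadlines(match_sbom(SBOM_JSON, VULN_FEED), AWARE_AT))
```

Only libfoo is reported: netutil already runs a version at or above the fix, and tlsx has no feed entry, so no Article 14 clock starts for them.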
Frequently Asked Questions about the CRA
What is the Cyber Resilience Act?
The CRA (Regulation 2024/2847) is an EU regulation establishing horizontal cybersecurity requirements for products with digital elements. It mandates security by design, vulnerability handling, SBOM management, and incident reporting to ENISA. Vulnerability reporting starts September 2026, full application from December 2027.
Who needs to comply with the CRA?
The CRA applies to manufacturers, importers, and distributors of products with digital elements placed on the EU market. This includes any hardware or software product with a network connection. Pure SaaS services are generally excluded unless they include downloadable components.
What are the CRA vulnerability reporting timelines?
Manufacturers must send an early warning to the designated CSIRT within 24 hours of becoming aware of an actively exploited vulnerability, a detailed notification within 72 hours, and a final report within 14 days. Users must also be notified without undue delay.
What is an SBOM and why does the CRA require it?
A Software Bill of Materials is a detailed inventory of all software components in a product. The CRA requires SBOMs to enable vulnerability tracking, supply chain transparency, and faster incident response when vulnerabilities are discovered in third-party components.
How does the CRA classify products?
Default products use self-assessment. Class I products (e.g. VPNs, firewalls) require conformity to standards or third-party assessment. Class II products (e.g. operating systems) require mandatory third-party assessment. Critical products need EU type examination.
What is the minimum support period under the CRA?
Manufacturers must provide free security updates for at least 5 years or the expected product lifetime, whichever is longer. The support period must be clearly communicated to users at the time of purchase.