European Union

The EU Cyber Resilience Act, in practice

The CRA attaches cybersecurity obligations to products with digital elements sold in the EU market: hardware and software alike. Manufacturers must build securely, know their components, handle vulnerabilities throughout the support period, and be able to prove all three. Its main obligations take full effect on a fixed, published timeline, which makes now the preparation window.

Who this applies to
Manufacturers and publishers of software or connected products placed on the EU market, wherever the company itself is based, plus importers and distributors with their own duties.

What it asks for
Know your components
A machine-readable software bill of materials covering at least the top-level dependencies of the product.
Handle vulnerabilities for the support period
Identify, remediate, and document vulnerabilities, with coordinated disclosure and security updates.
Ship without known exploitable vulnerabilities
Products must be placed on the market without known exploitable vulnerabilities and with secure defaults.
Evidence for conformity assessment
Technical documentation demonstrating the above, maintained and ready for market surveillance.

How SecuNexa and BOMNexa map to it
SBOM obligation
SecuDep and BOMNexa generate machine-readable CycloneDX SBOMs from real build artifacts, with completeness declared honestly through known-unknowns.
Vulnerability handling
Nine engines identify vulnerabilities across the product; the dashboard tracks handling with an audit trail; BOMNexa re-evaluates shipped versions as new disclosures land.
No known exploitable vulnerabilities at release
Known-exploited flags ride with findings, and release gates can block builds carrying them.
Technical documentation
Signed, reproducible reports and inventories per release give conformity files substance that survives scrutiny.

Tools do not make you compliant; they make compliance provable. SecuNexa and BOMNexa supply the technical evidence described on this page. Governance, process, and legal interpretation belong to your compliance function, and this page is not legal advice.

Frequently asked questions
When do CRA obligations actually apply?

The regulation is in force with a phased timeline: reporting obligations arrive first, and the main obligations follow on a fixed deadline. Check the official timeline for the current dates. Preparation, especially SBOM and vulnerability-handling capability, is a present-tense project.

We sell software, not devices. Are we in scope?

Very likely yes: the CRA covers products with digital elements broadly, including standalone software placed on the EU market, with limited exclusions. Confirm your product classification with counsel.

Walk through your EU Cyber Resilience Act (CRA) evidence gaps with us, live.