EU regulatory compliance

CRA Compliance Suite: 7 modules for December 2027

Prepare your digital product portfolio for the Cyber Resilience Act. From PDE inventory to Annex I matrix, ResiPlan covers the full CRA chain in a single platform.

Applicable from 11 December 2027 — fines up to €15M or 2.5% of global turnover

7 integrated modules, one CRA source of truth

Every module connects to the others: the SBOM feeds vulnerability scoring, the Annex I matrix produces the Declaration of Conformity, and CRA incidents trigger ENISA notifications.

PDE Registry

CRA Art. 6, 13

Inventory every Product with Digital Elements under CRA scope: classification (non-critical / important I / II / critical), conformity assessment route, CE marking state, lifecycle state.

SBOM Management

CRA Art. 14.1 + NIS2 Art. 21.2.d

Import and parse CycloneDX / SPDX Software Bills of Materials. Cross-reference every component with CVE databases. Track supplier SBOMs for supply-chain risk visibility.

Coordinated Vulnerability Disclosure

CRA Art. 14.2 + RFC 9116

Public intake portal (security.txt + web form) with anonymous submission, triage workflow (8 states), and 30-day CVSS ≥ 7 patch SLA tracking.

Security Updates Lifecycle

CRA Art. 13.8

Patch history with linked CVEs. EOL tracker with 5-year or 15-year clock per product classification. Customer notification log.

Annex I Requirements Matrix

CRA Annex I

Assess each product against the 13 essential cybersecurity requirements of Annex I. Attach evidence (test reports, pentests, code reviews) and compute a readiness score.

Market Surveillance Readiness

CRA Annex VII

Pre-assembled audit dossiers per product. Mock audit mode. 15-business-day response timer when a real request arrives from DGCCRF, FPS Economy, etc.

AI Contract Gap Analysis

All CRA articles + DORA + NIS2

Existing feature extended with CRA: upload a supplier contract and get an instant gap report against 8 CRA clauses (SBOM, support period, ENISA notification, etc.).

CRA Timeline 2025-2027

Obligations phase in progressively.

10/12/2024

Entry into force

Regulation officially adopted. Starts 36-month grace period for most provisions.

11/06/2026

Reporting obligations active

CVD policy publication + actively exploited vulnerability notification (ENISA) become mandatory 21 months after entry into force.

11/12/2027

Full applicability

All CRA requirements apply: CE marking, Declaration of Conformity, Annex I essential requirements, 5/15-year support period, market surveillance.

20 months to be ready. Start today.

CRA sanctions reach €15M or 2.5% of global turnover. Start with a free trial and discover your readiness level in under an hour.
