Skip to main content
ResiPlan
EU regulatory compliance

CRA Compliance Suite: 7 modules for December 2027

Prepare your digital product portfolio for the Cyber Resilience Act. From PDE inventory to Annex I matrix, ResiPlan covers the full CRA chain in a single platform.

Applicable from 11 December 2027 — fines up to €15M or 2.5% of global turnover

7 integrated modules, one CRA source of truth

Every module connects to the others: SBOM feeds vulnerability scoring, Annex I matrix produces the Declaration of Conformity, CRA incidents trigger ENISA notifications.

CRA Art. 6, 13

PDE Registry

Inventory every Product with Digital Elements under CRA scope: classification (non-critical / important I / II / critical), conformity assessment route, CE marking state, lifecycle state.

CRA Art. 14.1 + NIS2 Art. 21.2.d

SBOM Management

Import and parse CycloneDX / SPDX Software Bills of Materials. Cross-reference every component with CVE databases. Track supplier SBOMs for supply-chain risk visibility.

CRA Art. 14.2 + RFC 9116

Coordinated Vulnerability Disclosure

Public intake portal (security.txt + web form) with anonymous submission, triage workflow (8 states), and 30-day CVSS ≥ 7 patch SLA tracking.

CRA Art. 13.8

Security Updates Lifecycle

Patch history with linked CVEs. EOL tracker with 5-year or 15-year clock per product classification. Customer notification log.

CRA Annex I

Annex I Requirements Matrix

Assess each product against the 13 essential cybersecurity requirements of Annex I. Attach evidence (test reports, pentest, code reviews) and compute readiness score.

CRA Annex VII

Market Surveillance Readiness

Pre-assembled audit dossiers per product. Mock audit mode. 15-business-day response timer when a real request arrives from DGCCRF, FPS Economy, etc.

All CRA articles + DORA + NIS2

AI Contract Gap Analysis

Existing feature extended with CRA: upload a supplier contract, get instant gap report against 8 CRA clauses (SBOM, support period, ENISA notification, etc.).

CRA Timeline 2025-2027

Obligations phase in progressively.

10/12/2024

Entry into force

Regulation officially adopted. Starts 36-month grace period for most provisions.

11/06/2026

Reporting obligations active

CVD policy publication + actively exploited vulnerability notification (ENISA) become mandatory 21 months after entry into force.

11/12/2027

Full applicability

All CRA requirements apply: CE marking, Declaration of Conformity, Annex I essential requirements, 5/15-year support period, market surveillance.

20 months to be ready. Start today.

CRA sanctions reach €15M or 2.5% of global turnover. Start with a free trial and discover your readiness level in under an hour.

CRA Compliance Suite — ResiPlan | PDE, SBOM, CVD, Annex I