EU Cyber Resilience Act (CRA) Compliance Software¶
If you manufacture or distribute products with digital elements in the European Union, the Cyber Resilience Act (CRA) is now your most important regulatory obligation. Manual compliance is slow, expensive, and error-prone. CRA compliance software automates risk assessments, generates declarations of conformity, and keeps your engineering and legal teams aligned — without the spreadsheet chaos.
The Compliance Problem¶
The CRA applies to any product with digital elements — hardware, software, IoT devices, and components — placed on the EU market. Manufacturers, importers, and distributors are all in scope. The regulation enters full force in 2027, and the penalties are severe: up to €15 million or 2.5 % of global annual turnover for non-compliance.
The core challenge is that most organisations lack a repeatable, auditable process for:
- Performing cybersecurity risk assessments per product variant
- Maintaining a Software Bill of Materials (SBOM)
- Tracking and disclosing vulnerabilities within mandatory 24-hour windows
- Producing and maintaining EU Declarations of Conformity (DoC)
- Linking cybersecurity compliance to CE marking obligations
Doing this manually across dozens of product lines is unsustainable. Spreadsheets go out of date, engineering reports and legal documents end up in different folders, and when a regulator asks to see your technical file, you scramble to piece it together. The cost of getting it wrong goes beyond fines — market access restrictions can halt revenue entirely.
Who Must Comply with the CRA?¶
The regulation casts a wide net. You are directly affected if you are:
- A manufacturer of hardware, software, or IoT products that are placed on the EU market
- An importer bringing digital products into the European Economic Area
- A distributor making such products available on the EU market
- A manufacturer of components (chips, modules, embedded software) whose finished product relies on yours
There are limited exceptions for certain medical devices, aviation products, and motor vehicles that are already covered by sector-specific regulations. Everything else with a digital element is in scope.
Product Categories in Scope¶
- Standalone software — mobile apps, desktop applications, SaaS platforms, operating systems
- Connected hardware — smart home devices, wearables, industrial controllers, networking equipment
- IoT and IIoT devices — sensors, gateways, actuators, and the software that runs on them
- Components and sub-assemblies — chips, modules, embedded firmware used in finished products
- Critical products with heightened scrutiny — smart meters, identity document readers, network security appliances, and products handling sensitive data face additional conformity assessment requirements under Annex II
If your product is in any of these categories, you must complete a cybersecurity risk assessment and affix CE marking based on CRA compliance before placing it on the EU market.
The Cost of Non-Compliance¶
Penalties under the CRA are designed to bite:
- Up to €15 million or 2.5 % of global annual turnover, whichever is higher, for the most serious infringements
- Market surveillance authorities can force product recalls and withdraw products from the market
- Non-compliant products cannot receive CE marking, effectively barring them from the EU single market
- Directors and officers face personal liability exposure in some member states
The financial risk alone justifies investing in structured compliance software. The reputational damage of a public recall or a regulatory penalty is harder to quantify but often far more costly.
CRA Key Requirements at a Glance¶
| Requirement | What It Means |
|---|---|
| Cybersecurity Risk Assessment | Identify risks, document mitigations, and align with essential requirements in Annex I |
| SBOM (Software Bill of Materials) | Maintain a machine-readable inventory of all software components and dependencies |
| Vulnerability Reporting | Report actively exploited vulnerabilities to ENISA within 24 hours of awareness |
| Security Updates & Support Period | Guarantee minimum support lifetime and deliver security updates automatically |
| CE Marking & Declaration of Conformity | Demonstrate conformity to harmonised standards before affixing CE mark; CRA compliance is now a prerequisite for CE marking |
The CRA does not operate in isolation. CE marking is the gateway to the EU single market, and under the new legislative framework, cybersecurity is an integral part of the conformity assessment. You cannot CE mark without demonstrating CRA compliance, and vice versa. Any software solution you adopt should cover both.
What CRA Compliance Software Automates¶
Modern CRA compliance platforms replace manual document workflows with structured, auditable processes:
-
Automated Risk Assessments — Guided questionnaires and control libraries aligned to CRA Annex I essential requirements, with auto-generated risk treatment plans. Each assessment produces a timestamped, version-controlled output suitable for inclusion in your technical documentation.
-
SBOM Generation & Management — Import CycloneDX or SPDX SBOMs from your CI/CD pipeline and track component vulnerabilities over time. The software flags known vulnerabilities against the CVE database and logs your remediation decisions with supporting evidence.
-
Vulnerability Tracking & Reporting — Centralised dashboard for triaging, documenting, and submitting reports within regulatory timeframes. Alerts trigger when a vulnerability reaches the required severity threshold, and the platform generates the structured report in ENISA-compatible format.
-
Declaration of Conformity Production — Generate EU DoCs with the correct legislative references, product identifiers, and authorised representative details — ready for CE marking submission. The document reflects the current risk assessment state and can be regenerated when products are updated.
-
Audit Trail & Version Control — Every assessment, document revision, and approval is timestamped and immutable for regulator inspection. When a notified body or market surveillance authority requests your technical file, you can produce a complete, chronologically ordered history of your compliance decisions.
-
Multi-Product Portfolio Management — Manage risk assessments and DoCs for every product variant from a single dashboard. Filter by product line, risk level, compliance status, or next review date.
-
Regulatory Change Monitoring — Track updates to harmonised standards, delegated acts, and ENISA guidance. When the regulatory baseline shifts, the platform flags affected assessments and guides you through the delta update process so your technical documentation remains current through the product lifecycle.
Comparison: CRA Compliance Platforms¶
| Feature | Sustalium | IriusRisk | OneTrust | SecurityGate |
|---|---|---|---|---|
| Primary Role | Generator — CRA Risk Assessment + DoC | Threat modelling platform | GRC platform | Risk management platform |
| CRA-Specific Workflow | Dedicated, end-to-end | Partial (supports generic threat models) | Generic GRC, requires customisation | Generic risk scoring |
| CE Marking Integration | Built-in (CRA + CE linking) | Not available | Not available | Not available |
| Automated Declaration of Conformity | Yes, per product variant | No | Via custom module | No |
| SBOM Integration | CycloneDX / SPDX import | Manual only | Via third-party tooling | Limited |
| Vulnerability Reporting (24h) | Built-in workflow + ENISA format | Not available | Customisable | Not available |
| Annex I Alignment | Full (all essential requirements mapped) | Partial | Requires manual mapping | Partial |
| Multi-Product Dashboard | Yes, product-line grouping | No | Yes | Yes |
| Audit Trail | Built-in, versioned | Per-session only | Per-enterprise config | Per-enterprise config |
| Pricing | €10 / document / month | Per-user, enterprise | Per-module, enterprise | Per-site, enterprise |
| Time to First Document | Minutes | Days-weeks | Weeks-months | Days |
Sustalium is purpose-built as a Generator for CRA compliance — delivering both cybersecurity risk assessments and legally compliant Declarations of Conformity. Unlike generic GRC or threat-modelling tools, Sustalium links every assessment outcome directly to CE marking requirements, eliminating the translation layer between engineering and compliance teams. For full details on how Sustalium addresses each CRA article, visit our EU CRA Statement page.
Pricing¶
Sustalium pricing is transparent and scales with your product portfolio:
- €10 per document per month — each document is a risk assessment or declaration of conformity for a single product variant
- No per-user licensing fees — your entire engineering, legal, and compliance team collaborates at no extra cost
- No long-term contracts — month-to-month with the option to pause or cancel at any time
- All features included — SBOM import, vulnerability reporting, CE marking linkage, multi-product dashboard, and full audit history
You only pay for what you produce. If you have 10 product variants, your monthly cost is €100 — regardless of how many team members collaborate. Each document is independently versioned, so revisions do not incur additional charges.
There are no setup fees, onboarding costs, or hidden minimums. You can start with a single product variant and expand your portfolio as your compliance program matures. Because Sustalium is cloud-based, there is nothing to install or maintain — your team gets started within minutes of signing up.
FAQ¶
Who does the CRA apply to? Manufacturers, importers, and distributors of products with digital elements sold in the EU. This includes connected hardware, standalone software, IoT devices, and components.
When does the CRA take effect? The regulation enters into force in 2027. Some provisions (vulnerability reporting) apply earlier. Start your compliance program now to avoid the rush.
Can I use a generic GRC tool for CRA compliance? You can, but generic tools lack CRA-specific workflows, CE marking linkage, and the structured outputs that regulators expect. Purpose-built software dramatically reduces the effort.
Does Sustalium generate legal documents? Sustalium produces a cybersecurity risk assessment and a Declaration of Conformity. These documents form part of your technical documentation for CE marking. You should have them reviewed by your legal team and notified body.
What if I need to update a risk assessment? Sustalium supports versioned updates with full audit history. Each revision is timestamped and linked to the previous version so your technical file remains current.
How do I integrate SBOMs with Sustalium? Upload CycloneDX or SPDX files directly, or connect your CI/CD pipeline for automatic import. The platform tracks component versions and cross-references CVEs automatically.
Do you offer a free trial? You can start generating documents immediately at €10 per document per month with no minimum commitment. There is no free tier, but you can cancel at any time.
What happens if my product changes after I complete an assessment? You create a new version of the risk assessment. Sustalium retains the previous version in the audit trail, so you can demonstrate how your risk posture evolved over time. Minor modifications do not require starting from scratch.
Is Sustalium suitable for non-EU manufacturers? Yes. Any manufacturer placing products on the EU market must comply with the CRA regardless of where the company is headquartered. Sustalium supports non-EU manufacturers with the authorised representative fields required by the regulation.
Ready to automate your CRA compliance workflow? Get started now — your first document takes minutes, not months. Your engineering team can continue building while Sustalium handles the compliance paperwork.