Our paid tools
CRA compliance and reporting, automated
The CRA-Experts content hub is and will stay 100% free. These two SaaS products are how we fund it. They are optional, but if you need a CRA compliance report solution, they're built by people who read the regulation cover-to-cover.
Launching 2026
CRA Compliance Manager
A single workspace to take a product from "we ship something digital" to a CE-marked, DoC-signed, audit-ready state. Continuous, not a one-shot consultancy.
- ★Auto-classification (Default / Class I / Class II)
- ★Continuous SBOM generation in CI (CycloneDX & SPDX)
- ★Gap analysis dashboard mapped to the 21 essential requirements
- ★Declaration of Conformity templates aligned with Annex V
- ★CE marking artefact generator
- ★Audit-ready evidence vault with 10-year retention
- ★Multi-product workspaces and team RBAC
- ★API + CI plugins (GitHub Actions, GitLab CI, Bitbucket Pipelines)
Beta · 2026
CRA Incident Reporter
Don't write the 24-hour notification at 3am with the SRP UI in front of you for the first time. The Incident Reporter wraps the entire workflow with templates, clocks, approvals, and an audit trail.
- ★Pre-formatted templates for the 24h / 72h / 14-day reports
- ★Automatic CSIRT routing per Member State
- ★Built-in clocks tied to the moment you flag awareness
- ★Multi-actor approval workflow (engineering → legal → comms)
- ★Immutable audit log + signed report archive
- ★Tabletop exercise mode for dry runs
Side by side
Which tool do I need?
| Feature | Compliance Manager | Incident Reporter |
|---|---|---|
| Free CRA assessment | ✓ | ✓ |
| Auto SBOM generation | ✓ | — |
| 21-requirement gap analysis | ✓ | — |
| Declaration of Conformity drafting | ✓ | — |
| CE marking artefact | ✓ | — |
| 24h / 72h / 14d reporting templates | — | ✓ |
| CSIRT routing | — | ✓ |
| Tabletop exercise mode | — | ✓ |
The deliverable
What a CRA compliance report includes
A complete CRA compliance report solution has to produce the evidence a notified body or market surveillance authority can ask for. Our Compliance Manager assembles that pack for you; here is what a finished report contains.
- ✓ Product classification. Default, Class I, or Class II, with the reasoning that determines your conformity-assessment route.
- ✓ Software bill of materials (SBOM). A machine-readable CycloneDX or SPDX SBOM, regenerated on every release.
- ✓ Gap analysis. Your product scored against all 21 essential cybersecurity requirements in Annex I.
- ✓ Vulnerability handling evidence. Disclosure policy, SBOM-driven scan results, and the 24h / 72h / 14d reporting trail.
- ✓ Declaration of Conformity. Drafted from the Annex V template, ready to sign.
- ✓ Technical documentation index. The Annex VII file structure, retained for 10 years and available on request.
New to this? Start with the CRA compliance guide and the SBOM requirements reference.
Free Compliance Assessment
Is Your Product CRA Ready?
Get a free personalised CRA compliance briefing for your specific product type, delivered to your inbox. No spam, no sales calls.
- ★ Understand your exact product category (default, Class I, or Class II)
- ★ Get a checklist of your specific obligations and deadlines
- ★ Receive guidance on SBOM, vulnerability management, and reporting
- ★ Early access to our CRA Compliance Manager tool (launching 2026)
- ★ Weekly CRA news digest: ENISA updates, regulatory guidance
Get Your Free CRA Brief
Takes 60 seconds · Completely free
🔒 No spam. Unsubscribe anytime. See our privacy policy.