TrustVector HQ helps companies selling connected products in the EU understand, measure and close their CRA compliance gap — before the regulator does it for them. Automated scanning. Trust scoring. Audit-ready documentation.
The EU Cyber Resilience Act introduces mandatory cybersecurity obligations for any company placing connected hardware or software on the European market. Non-compliance carries criminal liability and market withdrawal.
Most engineering teams have no visibility into the full dependency tree of their product, have never generated an SBOM, and have no formal vulnerability disclosure process. Each of these is now a legal requirement.
Vulnerability reporting to ENISA becomes mandatory from 11 September 2026 — 15 months before full enforcement. Companies must have incident response and notification processes operational by then.
Automated codebase scanning mapped to all CRA controls. Every gap gets a trust score and a severity rating.
Machine-readable, audit-ready Software and Cryptography Bills of Materials in CycloneDX or SPDX format.
Real-time mapping against the CISA Known Exploited Vulnerability catalogue. No blind spots.
Prioritised fix list integrating with Jira, GitHub Issues, or Azure DevOps.
Templates, workflows and filing support so your 24-hour and 72-hour obligations are never missed.
Conformity declarations, technical files, risk registers — everything the regulator expects, pre-structured.
The CRA entered into force on 10 December 2024. It is the most significant cybersecurity legislation the EU has ever passed, affecting any company whose products connect to the internet, a network, or another device.
Full text at the Official Journal of the EU: OJ L 2024/2847. ENISA guidance at enisa.europa.eu.
| Class | Examples | Conformity Route |
|---|---|---|
| Default | Smart home devices, productivity software, consumer apps | Self-Assessment |
| Class I | Identity management, browsers, password managers, VPNs, firewalls, routers | 3rd Party Audit or Standard |
| Class II | Operating systems, hypervisors, industrial control systems, smartcards | Mandatory 3rd Party Audit |
| Critical | HSMs, smart meter gateways, tamper-resistant hardware | EU Cybersecurity Certificate |
| Violation | Maximum Fine (fixed amount / share of worldwide annual turnover) |
|---|---|
| Most serious violations | €15M / 2.5% |
| Other non-compliance | €10M / 2% |
| Incorrect or misleading info | €5M / 1% |
The CRA's requirements are structured across Annex I (essential cybersecurity requirements for the product) and Annex II (vulnerability handling obligations). The tables below give a plain-language interpretation of each major control area.
Annex I and Annex II of Regulation (EU) 2024/2847 at eur-lex.europa.eu. ENISA supporting guidance at enisa.europa.eu/topics/cyber-resilience-act.
| Ref | Control | What It Means | What You Must Do | Priority |
|---|---|---|---|---|
| A-I.1 | No Known Exploitable Vulnerabilities | Products must ship free of known exploitable vulnerabilities. Requires pre-market vulnerability assessment against CVE databases and the CISA KEV catalogue. | SBOM generation, CVE scanning, KEV cross-reference before every release | Critical |
| A-I.2 | Secure by Default Configuration | Default settings must be the most secure option. No default passwords, no unnecessary open ports, no pre-enabled features the user did not request. | Configuration baseline review, automated hardening checks in CI/CD | Critical |
| A-I.3 | Confidentiality of Data | Data at rest and in transit must be protected using appropriate encryption. State-of-the-art cryptographic mechanisms expected — captured in the CBOM. | CBOM generation, encryption algorithm inventory, TLS version audit | Critical |
| A-I.4 | Integrity of Data & Software | Mechanisms must verify that software and data have not been tampered with. Code signing, secure boot and update verification are typical implementations. | Code signing pipeline, secure boot verification, update integrity checks | High |
| A-I.5 | Access Control & Least Privilege | Products must enforce appropriate access controls. Users and components should operate with minimum privileges necessary. Authentication mechanisms must be robust. | IAM review, privilege mapping, authentication strength audit | High |
| A-I.6 | Attack Surface Minimisation | Products must expose only what is necessary. Unused services, interfaces and ports must be disabled. Every exposed interface must be justified. | Port/service inventory, interface review, network exposure mapping | High |
| A-I.7 | Resilience Against Denial of Service | Products must remain available under expected attack scenarios including DoS/DDoS. Rate limiting, resource quotas and graceful degradation must be implemented. | Load testing, rate limiting review, availability architecture assessment | Medium |
| A-I.8 | Data Minimisation | Products must collect only the personal data they genuinely need. Intersects significantly with GDPR Article 5. Data flows must be documented and justified. | Data flow mapping, privacy impact assessment, telemetry audit | Medium |
| A-I.9 | Secure Update Mechanism | Products must support secure, authenticated software updates for their expected support lifetime. Updates must be free of charge. End of support date must be clearly communicated. | Update pipeline security review, EOL policy documentation, signed update delivery | Critical |
| A-I.10 | Auditability & Security Logging | Security-relevant events must be logged to support incident investigation. Logs must be tamper-protected. Retention periods must be defined and enforced. | Log architecture review, tamper-evidence controls, SIEM integration check | High |
| Ref | Obligation | What It Requires | TrustVector HQ Support |
|---|---|---|---|
| A-II.1 | SBOM Maintenance | Maintain and continuously update a machine-readable Software Bill of Materials covering all components including third-party and open source dependencies, in CycloneDX or SPDX format. | Automated SBOM generation on every build |
| A-II.2 | Vulnerability Disclosure Policy | A publicly accessible coordinated vulnerability disclosure policy must be in place, with a designated contact point for security researchers. Must link from product documentation. | VDP template, contact form setup, security.txt implementation |
| A-II.3 | Remediation Without Delay | Vulnerabilities must be addressed "without undue delay." ENISA guidance and industry norms (30/60/90 days by severity) apply as reference points. | Prioritised remediation backlog, SLA tracking dashboard |
| A-II.4 | ENISA Notification | Actively exploited vulnerabilities and significant incidents must be reported: early warning within 24 hours, full notification within 72 hours, final report within 14 days. | Notification templates, ENISA portal workflow, incident tracking |
| A-II.5 | Security Patches Distribution | Security patches must be distributed promptly and made available free of charge. Patch release processes must be documented. Users must be notified of available patches. | Patch release process documentation, user notification workflow |
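Added example, not part of TrustVector HQ's platform: a Python release gate implementing the A-I.1 "KEV cross-reference before every release" step over an SBOM in the A-II.1 CycloneDX format. Both documents are constructed samples with placeholder CVE identifiers; the field names follow the CycloneDX 1.5 vulnerability/VEX schema and the CISA KEV JSON feed, and a component whose finding is documented as `not_affected` is kept on record but does not block the release.

```python
"""CRA Annex I.1 release gate: flag SBOM vulnerabilities listed in the CISA KEV catalogue.
Both JSON documents are CONSTRUCTED samples with placeholder CVE IDs."""
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:pypi/example-lib@1.2.0", "name": "example-lib", "version": "1.2.0"},
    {"bom-ref": "pkg:npm/demo-parser@4.0.1", "name": "demo-parser", "version": "4.0.1"},
    {"bom-ref": "pkg:pypi/other-dep@0.9.0", "name": "other-dep", "version": "0.9.0"}
  ],
  "vulnerabilities": [
    {"id": "CVE-2099-00001", "affects": [{"ref": "pkg:pypi/example-lib@1.2.0"}]},
    {"id": "CVE-2099-00002", "affects": [{"ref": "pkg:npm/demo-parser@4.0.1"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "CVE-2099-00003", "affects": [{"ref": "pkg:pypi/other-dep@0.9.0"}]}
  ]
}"""

# Excerpt in the shape of the CISA KEV feed (constructed entries, placeholder IDs).
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2099-00001", "dueDate": "2099-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-00002", "dueDate": "2099-02-15", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def kev_hits(sbom_text, kev_text):
    """Return (component_ref, cve_id, kev_due_date) for each SBOM vulnerability that is
    in the KEV catalogue and not closed by a VEX 'not_affected' analysis."""
    sbom = json.loads(sbom_text)
    kev = {v["cveID"]: v for v in json.loads(kev_text)["vulnerabilities"]}
    hits = []
    for vuln in sbom.get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") == "not_affected":
            continue  # documented VEX exception: recorded in the SBOM, not a blocker
        if vuln["id"] in kev:
            for target in vuln.get("affects", []):
                hits.append((target["ref"], vuln["id"], kev[vuln["id"]]["dueDate"]))
    return hits


def release_allowed(sbom_text, kev_text):
    """A-I.1 gate: ship only if no component carries an open KEV-listed vulnerability."""
    return not kev_hits(sbom_text, kev_text)


if __name__ == "__main__":
    for ref, cve, due in kev_hits(SBOM_JSON, KEV_JSON):
        print(f"BLOCK {ref}: {cve} is in KEV (CISA due date {due})")
    print("release allowed:", release_allowed(SBOM_JSON, KEV_JSON))
```

In a CI pipeline the SBOM would come from the build's SBOM generator and the KEV document from the current CISA feed; the gate's result is the artefact to keep for the technical file.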
From 11 September 2026, manufacturers must notify ENISA of actively exploited vulnerabilities and incidents with significant impact. Missing these windows is itself a CRA violation.
Notification is triggered by: (1) an actively exploited vulnerability being used by attackers in the wild, or (2) a security incident that has or could have a significant impact on your product's users.
ENISA is establishing a Single Reporting Platform for CRA notifications. Until it is operational, the NIS2 reporting channels and national CSIRTs serve as the interim route.
For Ireland-based companies, the national CSIRT is operated by the National Cyber Security Centre (NCSC Ireland). They are the primary national contact point and coordinate with ENISA.
Whether you are just starting to understand your CRA obligations or preparing for a formal audit, TrustVector HQ has a structured service for that stage. We work as an extension of your team — not a report that sits on a shelf.
A structured assessment of your current posture against all CRA Annex I and Annex II requirements. Delivered as a prioritised findings report with executive summary and technical detail pack.
Our scanner runs across your codebase and dependency graph, mapping findings to CRA controls in real time. Integrates with your existing CI/CD pipeline so compliance is continuous, not periodic.
We build and maintain the documentation set that regulators expect: technical files, risk registers, conformity declarations, vulnerability disclosure policies and security advisories.
When an incident occurs, the clock starts immediately. We provide templates, workflows and hands-on support to meet your 24-hour and 72-hour ENISA obligations.
CRA compliance requires alignment from the board to the engineering team. We run structured briefings tailored to each audience — board risk briefings, developer workshops and CISO strategy sessions.
Compliance is not a project — it is an ongoing obligation. Our retainer keeps your posture current as your codebase evolves, new vulnerabilities emerge and the regulatory landscape develops.
Our platform maps findings across multiple frameworks simultaneously. A single scan produces findings relevant to CRA, NIS2, ISO 27001 and DORA in one pass — so your compliance investment is never siloed.
Tell us about your product and your current compliance position. We will respond within one business day with an initial assessment and proposed engagement approach — at no cost and with no obligation.
We respond within one business day. Your information will not be shared with third parties.