CRA Software to Manage Cyber Resilience Act Compliance
What CRA software needs to deliver — and how Kunnus, built as a platform, covers SBOM, vulnerability handling, ENISA reporting, technical documentation and the EU declaration of conformity in one place.
Quick Answer
CRA software is a tool manufacturers use to manage their obligations under the EU Cyber Resilience Act (Regulation (EU) 2024/2847): product inventory and risk classification, SBOM generation, vulnerability monitoring with 24-hour ENISA reporting, Annex VII technical documentation, and the EU declaration of conformity — per product, across the entire support period.
What Must a CRA Tool Cover?
The CRA defines obligations across the full product lifecycle. A CRA tool that only solves one slice — SBOM generation, for example — leaves the remaining obligations manual. These six capabilities make up the complete scope:
Product inventory & risk classification
Every product with digital elements, classified against Annex III: default category, important (Class I/II), or critical. The classification decides the conformity assessment route — self-assessment or notified body.
SBOM per product (CycloneDX & SPDX)
A machine-readable Software Bill of Materials is part of the Annex I vulnerability-handling requirements. The tool must generate, version and update SBOMs per product — not once, but with every release.
Vulnerability monitoring & 24h ENISA reporting
New CVEs must be matched to affected products continuously. For actively exploited vulnerabilities, the early warning to ENISA is due within 24 hours — from September 11, 2026, also for products already on the market.
Annex VII technical documentation
Product description, design and development documentation, risk assessment, standards applied, test reports — structured per Annex VII and kept current across the product's life.
EU declaration of conformity
The Article 28 output: a declaration per product, backed by the technical documentation. It is the document that carries your EU market access from December 11, 2027.
Ten-year audit trail
Technical documentation and the declaration must be retained for at least ten years. Market surveillance can ask at any point — the tool must produce complete evidence on demand.
CRA Software vs. Manual Compliance — What Actually Changes?
Manual CRA compliance works with spreadsheets, shared drives and calendar reminders. It holds up to roughly 10 product variants — beyond that, the effort grows super-linearly. The comparison per obligation — the right column is what CRA software like Kunnus takes over:
| Obligation | Manual (spreadsheets) | With CRA software |
|---|---|---|
| SBOM per product release | Hours per release, repeated for every variant | Generated per build artifact, flows to all affected variants |
| CVE monitoring | Daily manual review of advisories against component lists | Automatic CVE-to-SBOM matching with product-aware alerts |
| ENISA 24h early warning | Deadline risk — the clock starts on awareness, not on office hours | Prepared workflows: affected products, templates, submission path |
| Annex VII documentation | Same skeleton copy-pasted and drifting per product | One structure, product-specific evidence rendered in |
| Ten-year retention | Folder structures that erode with every re-org | Versioned audit trail with attribution |
| Scaling to many variants | Super-linear effort growth beyond ~10 variants | Variant inheritance — the 51st variant takes hours, not weeks |
Cost view: our Business Case calculator models both paths with your product count, component situation and team rates — including the manual-SBOM penalty per supplier component. EU CRA Business Case & ROI calculator
How Should Manufacturers Choose CRA Software?
The CRA tooling market is young and moving fast. Five criteria separate a complete solution from a point tool:
- 1
Full obligation scope, not just SBOM
SBOM generators and CI/CD security tools cover the artifact layer. The CRA also demands risk assessment, reporting processes, Annex VII documentation and the declaration of conformity — check the full list above against any vendor.
- 2
Built for the EU regulation, not adapted to it
Generic GRC suites bolt CRA onto frameworks built for other laws. A CRA-native data model (Annex III classes, support periods, Article 14 deadlines) removes the mapping work.
- 3
European hosting and data sovereignty
Your SBOMs and vulnerability data describe your attack surface. Hosting in Europe under EU jurisdiction is a hard requirement for many manufacturers — ask where the data lives.
How Kunnus hosts in Germany & Europe - 4
Scales across product variants
If your portfolio has dozens of variants, per-product manual entry defeats the purpose. Look for shared-component tracking and variant inheritance.
- 5
Reporting readiness before September 2026
The Article 14 reporting obligations start earliest — September 11, 2026, including for products already on the market. The tool must support the 24h/72h/14-day cascade now, not on the 2027 deadline.
Kunnus: CRA Software, Built as a Platform
Kunnus is a CRA-native compliance platform for manufacturers of products with digital elements, hosted in Europe. It manages the obligations, executes the workflows and hands your team the tooling: product inventory with Annex III classification, SBOM management (CycloneDX & SPDX), continuous vulnerability monitoring, ENISA reporting, Annex VII documentation and the EU declaration of conformity — with a ten-year audit trail.
Frequently Asked Questions About CRA Software
What is CRA software?+
CRA software is a compliance tool for the EU Cyber Resilience Act (Regulation (EU) 2024/2847). It manages the manufacturer obligations per product: risk classification, SBOM generation, vulnerability handling with ENISA reporting, Annex VII technical documentation and the EU declaration of conformity, retained over a ten-year period.
Is an SBOM tool enough for CRA compliance?+
No. An SBOM is one requirement inside Annex I Part II. The CRA additionally demands a cybersecurity risk assessment, a vulnerability handling process, reporting to ENISA within 24 hours, technical documentation per Annex VII and a declaration of conformity per Article 28. SBOM-only tools cover the artifact layer, not the obligations around it.
When do manufacturers need CRA software in place?+
The reporting obligations under Article 14 apply from September 11, 2026 — including for products already on the market. Full obligations apply to every product placed on the EU market from December 11, 2027. Working backwards from a 9–12 month compliance project, tooling decisions belong in 2026.
What does CRA software cost compared to manual compliance?+
The driver is portfolio size. Manual compliance carries per-product costs that repeat with every release and every supplier component without an SBOM. Our Business Case calculator models both paths against fines of up to €15 million or 2.5% of global turnover for non-compliance.
Can CRA software replace the conformity assessment?+
No. Software prepares and maintains the evidence — risk assessment, SBOM, documentation, declaration. For important products (Class I without fully applied harmonized standards, and Class II), a notified body must still be involved. The software's job is making that assessment fast and repeatable.
Does CRA software make sense for small manufacturers?+
Yes, with the right sizing. The CRA applies regardless of company size; micro and small enterprises get relief measures (simplified documentation, support programs) but not exemption. For a small portfolio the tool mainly removes the reporting and documentation risk — the obligations that carry fines.
See Kunnus in Action — 10 Minutes, No Login
The walkthrough shows the platform on a realistic manufacturer portfolio: inventory, SBOMs, a live CVE hit and the path to the declaration of conformity.
Prefer a guided session? Schedule a demo with our team.