CRA Software

CRA Software to Manage Cyber Resilience Act Compliance

What CRA software needs to deliver — and how Kunnus, built as a platform, covers SBOM, vulnerability handling, ENISA reporting, technical documentation and the EU declaration of conformity in one place.

Quick Answer

CRA software is a tool manufacturers use to manage their obligations under the EU Cyber Resilience Act (Regulation (EU) 2024/2847): product inventory and risk classification, SBOM generation, vulnerability monitoring with 24-hour ENISA reporting, Annex VII technical documentation, and the EU declaration of conformity — per product, across the entire support period.

What Must a CRA Tool Cover?

The CRA defines obligations across the full product lifecycle. A CRA tool that only solves one slice — SBOM generation, for example — leaves the remaining obligations manual. These six capabilities make up the complete scope:

Product inventory & risk classification

Every product with digital elements, classified against Annex III: default category, important (Class I/II), or critical. The classification decides the conformity assessment route — self-assessment or notified body.

SBOM per product (CycloneDX & SPDX)

A machine-readable Software Bill of Materials is part of the Annex I vulnerability-handling requirements. The tool must generate, version and update SBOMs per product — not once, but with every release.

Vulnerability monitoring & 24h ENISA reporting

New CVEs must be matched to affected products continuously. For actively exploited vulnerabilities, the early warning to ENISA is due within 24 hours — from September 11, 2026, also for products already on the market.

Annex VII technical documentation

Product description, design and development documentation, risk assessment, standards applied, test reports — structured per Annex VII and kept current across the product's life.

EU declaration of conformity

The Article 28 output: a declaration per product, backed by the technical documentation. It is the document that carries your EU market access from December 11, 2027.

Ten-year audit trail

Technical documentation and the declaration must be retained for at least ten years. Market surveillance can ask at any point — the tool must produce complete evidence on demand.

CRA Software vs. Manual Compliance — What Actually Changes?

Manual CRA compliance works with spreadsheets, shared drives and calendar reminders. It holds up to roughly 10 product variants — beyond that, the effort grows super-linearly. The comparison per obligation — the right column is what CRA software like Kunnus takes over:

ObligationManual (spreadsheets)With CRA software
SBOM per product releaseHours per release, repeated for every variantGenerated per build artifact, flows to all affected variants
CVE monitoringDaily manual review of advisories against component listsAutomatic CVE-to-SBOM matching with product-aware alerts
ENISA 24h early warningDeadline risk — the clock starts on awareness, not on office hoursPrepared workflows: affected products, templates, submission path
Annex VII documentationSame skeleton copy-pasted and drifting per productOne structure, product-specific evidence rendered in
Ten-year retentionFolder structures that erode with every re-orgVersioned audit trail with attribution
Scaling to many variantsSuper-linear effort growth beyond ~10 variantsVariant inheritance — the 51st variant takes hours, not weeks

Cost view: our Business Case calculator models both paths with your product count, component situation and team rates — including the manual-SBOM penalty per supplier component. EU CRA Business Case & ROI calculator

How Should Manufacturers Choose CRA Software?

The CRA tooling market is young and moving fast. Five criteria separate a complete solution from a point tool:

  1. 1

    Full obligation scope, not just SBOM

    SBOM generators and CI/CD security tools cover the artifact layer. The CRA also demands risk assessment, reporting processes, Annex VII documentation and the declaration of conformity — check the full list above against any vendor.

  2. 2

    Built for the EU regulation, not adapted to it

    Generic GRC suites bolt CRA onto frameworks built for other laws. A CRA-native data model (Annex III classes, support periods, Article 14 deadlines) removes the mapping work.

  3. 3

    European hosting and data sovereignty

    Your SBOMs and vulnerability data describe your attack surface. Hosting in Europe under EU jurisdiction is a hard requirement for many manufacturers — ask where the data lives.

    How Kunnus hosts in Germany & Europe
  4. 4

    Scales across product variants

    If your portfolio has dozens of variants, per-product manual entry defeats the purpose. Look for shared-component tracking and variant inheritance.

  5. 5

    Reporting readiness before September 2026

    The Article 14 reporting obligations start earliest — September 11, 2026, including for products already on the market. The tool must support the 24h/72h/14-day cascade now, not on the 2027 deadline.

Kunnus: CRA Software, Built as a Platform

Kunnus is a CRA-native compliance platform for manufacturers of products with digital elements, hosted in Europe. It manages the obligations, executes the workflows and hands your team the tooling: product inventory with Annex III classification, SBOM management (CycloneDX & SPDX), continuous vulnerability monitoring, ENISA reporting, Annex VII documentation and the EU declaration of conformity — with a ten-year audit trail.

Frequently Asked Questions About CRA Software

What is CRA software?+

CRA software is a compliance tool for the EU Cyber Resilience Act (Regulation (EU) 2024/2847). It manages the manufacturer obligations per product: risk classification, SBOM generation, vulnerability handling with ENISA reporting, Annex VII technical documentation and the EU declaration of conformity, retained over a ten-year period.

Is an SBOM tool enough for CRA compliance?+

No. An SBOM is one requirement inside Annex I Part II. The CRA additionally demands a cybersecurity risk assessment, a vulnerability handling process, reporting to ENISA within 24 hours, technical documentation per Annex VII and a declaration of conformity per Article 28. SBOM-only tools cover the artifact layer, not the obligations around it.

When do manufacturers need CRA software in place?+

The reporting obligations under Article 14 apply from September 11, 2026 — including for products already on the market. Full obligations apply to every product placed on the EU market from December 11, 2027. Working backwards from a 9–12 month compliance project, tooling decisions belong in 2026.

What does CRA software cost compared to manual compliance?+

The driver is portfolio size. Manual compliance carries per-product costs that repeat with every release and every supplier component without an SBOM. Our Business Case calculator models both paths against fines of up to €15 million or 2.5% of global turnover for non-compliance.

Can CRA software replace the conformity assessment?+

No. Software prepares and maintains the evidence — risk assessment, SBOM, documentation, declaration. For important products (Class I without fully applied harmonized standards, and Class II), a notified body must still be involved. The software's job is making that assessment fast and repeatable.

Does CRA software make sense for small manufacturers?+

Yes, with the right sizing. The CRA applies regardless of company size; micro and small enterprises get relief measures (simplified documentation, support programs) but not exemption. For a small portfolio the tool mainly removes the reporting and documentation risk — the obligations that carry fines.

See Kunnus in Action — 10 Minutes, No Login

The walkthrough shows the platform on a realistic manufacturer portfolio: inventory, SBOMs, a live CVE hit and the path to the declaration of conformity.

Start the Walkthrough

Prefer a guided session? Schedule a demo with our team.