8 Modules for EU CRA Compliance: SBOM to Conformity Doc

8 modules cover every EU CRA obligation: SBOM generation from CI/CD, ENISA 24-hour incident reporting, 50+ security controls, and a one-click EU declaration of conformity.

Kunnus is a purpose-built CRA compliance platform designed for manufacturers of products with digital elements. Unlike generic GRC tools, every feature in Kunnus is specifically engineered for the requirements of the EU Cyber Resilience Act: from automated SBOM generation in CycloneDX and SPDX formats, through continuous vulnerability monitoring mapped to your product components, to one-click audit documentation packages. The platform covers the entire compliance lifecycle: product classification according to CRA risk categories, gap analysis against all essential cybersecurity requirements, evidence collection linked to specific controls, and ENISA-ready incident reporting workflows. With Kunnus, what used to take weeks of manual effort can be accomplished in hours, reducing compliance costs by 70% while ensuring nothing is missed.

Product Inventory

Manage your entire product portfolio with hierarchical structure, variants, and versions. Classify products per CRA requirements automatically.

Hierarchical Structure

Organize products into families, variants, and versions with full parent-child relationships.

CRA Classification

Guided wizard to classify products as Default, Class I, Class II, or Critical per CRA requirements.

Bulk Import

Import products via CSV or connect to existing PLM systems for automatic synchronization.

Component Tracking

Track shared components across products to understand vulnerability impact.

Version Control

Maintain version history for audit trails and compliance documentation.

Advanced Search

Filter and search across your entire product portfolio with powerful queries.

Key Benefits

  • Complete visibility into your product portfolio
  • Automatic CRA classification with guided wizards
  • Track component usage across all products
  • Maintain audit-ready version history
  • Import existing data from PLM systems

Product Hierarchy

SmartSensor XR Series
Master Product • 3 variants
  XR Pro • Class I
  XR Basic • Class I
  XR Industrial • Class II
Gateway Hub GH-200
Single Product • Active

SBOM Management

Import, store, and analyze Software Bills of Materials in CycloneDX and SPDX formats. Track component dependencies across products.

Multi-Format Support

Import SBOMs in CycloneDX (JSON/XML) and SPDX (JSON/YAML/RDF) formats.

Dependency Tree

Visualize complete dependency trees with transitive dependency tracking.

Auto-Generation

Connect CI/CD pipelines to automatically generate and update SBOMs.

License Analysis

Identify license obligations and potential conflicts across components.

Export & Share

Export SBOMs in standard formats for customers and regulatory bodies.

Change Alerts

Get notified when component dependencies change or new versions are available.

Key Benefits

  • Support for all major SBOM formats
  • Automatic vulnerability correlation
  • License compliance tracking
  • CI/CD integration for continuous updates
  • Customer-ready export formats

Component Tree

CycloneDX v1.5
smartsensor-xr-pro@2.1.0
├── linux-kernel@5.15.0
├── openssl@3.0.12
├── zlib@1.2.13
├── busybox@1.36.0
├── curl@8.4.0
│   └── libcurl@8.4.0
├── sqlite@3.44.0
└── app-firmware@2.1.0
    ├── freertos@10.5.1
    └── lwip@2.1.3
Severity legend: Critical • High

Vulnerability Tracking

Detect vulnerabilities automatically, track SLAs, meet CRA Article 14 ENISA notification requirements, and manage risk acceptance workflows.

Auto-Detection

Automatically match SBOM components against NVD, OSV, and GitHub Advisory databases.

SLA Tracking

Track time-to-acknowledge, assess, and remediate with configurable SLA targets per severity.

ENISA Notifications

CRA Article 14 compliant: 24-hour deadline tracking for actively exploited vulnerabilities.

Risk Acceptance

Formal approval workflows for accepting risk with audit trail and expiration tracking.

Impact Analysis

See which products are affected and track per-product remediation strategies.

CVD Management

Manage coordinated vulnerability disclosure with security researchers.

Key Benefits

  • CRA Article 14 ENISA notification support
  • Configurable SLA targets per severity level
  • Formal risk acceptance with approval workflows
  • Real-time vulnerability detection from multiple sources
  • Per-product impact and remediation tracking

CVE-2024-1234 • Critical
Component: openssl@3.0.12
CVSS Score: 9.5
Affected Products: XR Pro, XR Industrial, GH-200
Status: In Progress
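
The matching and deadline logic described in this module (SBOM components matched against advisory data, per-severity SLA targets, and the 24-hour Article 14 early-warning window for actively exploited vulnerabilities), as an added example that is not Kunnus code. The CycloneDX document, advisory records, SLA hours and detection timestamp are all constructed; the CVE identifier is the page's own sample value and does not describe a real advisory.

```python
# Added example (not Kunnus code): correlate a CycloneDX SBOM with advisories and
# attach SLA / CRA Article 14 deadlines. Every record below is constructed.
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX 1.5 document mirroring part of the page's component tree.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "openssl", "version": "3.0.12"},
    {"name": "zlib", "version": "1.2.13"},
    {"name": "curl", "version": "8.4.0",
     "components": [{"name": "libcurl", "version": "8.4.0"}]},  # nested dependency
]})

# Constructed advisory records standing in for NVD/OSV/GHSA results; the CVE id is
# the page's own sample value and none of these describe a real vulnerability.
ADVISORIES = [
    {"id": "CVE-2024-1234", "component": "openssl", "affected": ["3.0.12"],
     "severity": "Critical", "exploited": True},
    {"id": "EXAMPLE-ZLIB-1", "component": "zlib", "affected": ["1.2.12"],
     "severity": "High", "exploited": False},  # different version: must not match
    {"id": "EXAMPLE-LIBCURL-1", "component": "libcurl", "affected": ["8.4.0"],
     "severity": "Medium", "exploited": False},
]

# Assumed remediation SLA targets (hours) per severity, plus the 24h early-warning
# window CRA Article 14 sets for actively exploited vulnerabilities.
SLA_HOURS = {"Critical": 72, "High": 168, "Medium": 720, "Low": 2160}
ENISA_EARLY_WARNING_HOURS = 24
DETECTED_AT = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

def flatten(components):
    """Yield (name, version) for every component, descending into nested ones."""
    for c in components:
        yield c["name"], c.get("version", "")
        yield from flatten(c.get("components", []))

def correlate(sbom_json, advisories, detected_at=DETECTED_AT):
    """Return one finding per (advisory, affected component) pair, with deadlines."""
    inventory = list(flatten(json.loads(sbom_json)["components"]))
    findings = []
    for adv in advisories:
        for name, version in inventory:
            if name != adv["component"] or version not in adv["affected"]:
                continue
            findings.append({
                "id": adv["id"], "component": f"{name}@{version}", "severity": adv["severity"],
                "remediate_by": detected_at + timedelta(hours=SLA_HOURS[adv["severity"]]),
                "enisa_early_warning_by": (detected_at + timedelta(hours=ENISA_EARLY_WARNING_HOURS))
                if adv["exploited"] else None})
    return findings
```

Calling `correlate(SBOM_JSON, ADVISORIES)` yields two findings: the exploited openssl issue carries both a 72-hour remediation deadline and a 24-hour ENISA early-warning deadline, while the nested libcurl match carries only its Medium SLA; the zlib advisory is skipped because the installed version is not in its affected list.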

Compliance Assessment

Run CRA conformity assessments against pre-built frameworks. Map Annex I requirements to evidence, model threats with STRIDE, and walk an assessment from draft to approval.

CRA Compliance Engine

Pre-built CRA Essential Requirements (Annex I Parts I + II) with every requirement traceable to evidence and controls.

Assessment Frameworks

CRA, ISO 27001, IEC 62443, and custom frameworks. Per-product scoping with reusable templates.

Threat Modeling (STRIDE)

Built-in STRIDE wizard. Identify, score, and mitigate Spoofing, Tampering, Repudiation, Information Disclosure, DoS and Elevation of Privilege.

Approval Workflow

Draft → Review → Approved with separate Approver role, sign-off comments, and a full audit trail.

Per-Product Scope

Assess products individually or share an assessment across a variant family. Component-level inheritance for SBOMs and controls.

Gap Analysis

Missing-evidence and control-gap reports per assessment, so you know exactly what's blocking conformity.

Key Benefits

  • Pre-built CRA framework, no setup required
  • STRIDE threat modeling out of the box
  • Approval workflow with audit trail
  • Reuse assessments across product families
  • Auditor-ready gap and evidence reports

Threat Model · SmartSensor XR
STRIDE · CRA Annex I Part I · In Review
Risk matrix (Likelihood: Low / Med / High)
Identified threats:
  T · OTA channel tampering · High → Signed firmware updates
  I · Debug-port info leak · Medium → Disable JTAG in production
  E · Privilege escalation via API · Low → Scoped tokens, mitigated

CRA Compliance Dashboard

Organization-wide CRA compliance status at a glance. Track every product, identify gaps, and see exactly what needs attention. All in one central dashboard.

Product Compliance Overview

See every product's CRA readiness at a glance with color-coded progress bars and status indicators.

Per-Product Compliance Tracking

Track CRA compliance percentage per product, from 0% to 100% with clear approved, in-progress and pending states.

Vulnerability Severity Overview

Monitor open vulnerabilities across all products broken down by severity: Critical, High, Medium, Low.

SLA Status Monitoring

Track response SLAs for vulnerabilities in real-time: on track, at risk, or breached, so nothing slips through.

KPI Cards

At-a-glance metrics: total products, pending assessments, open vulnerabilities, and open issues.

Next Actions

Prioritized list of next steps: what needs your attention right now to stay on track for CRA compliance.

Key Benefits

  • Organization-wide compliance visibility
  • Per-product CRA readiness tracking
  • Vulnerability severity at a glance
  • SLA breach prevention
  • Prioritized next-action recommendations

Products: 6 total
Assessments: 0 (0%)
Vulns: 2 open
Issues: 0 open

Product Compliance
SmartLine Pro 1000 · 100%
SmartLine Pro 2000 · 65%
SmartLine 3000 ATEX · 61%
SmartLine CloudLite · 63%
SmartLine 3000 · 45%

Evidence & Reports

Collect and organize compliance evidence. Generate self-assessment reports and keep your team aligned with real-time alerts.

Evidence Repository

Centralized storage for all compliance documents with version control.

Auto-Collection

Connect CI/CD pipelines to automatically collect test results and scan reports.

Report Generation

One-click self-assessment reports (declaration of conformity) with templates.

Audit Packages

Export complete audit packages with all evidence and documentation.

Team Notifications

Real-time alerts via email, Slack, and Teams when action is needed.

Audit Trail

Complete history of all changes with who, what, when, and why.

Key Benefits

  • Centralized evidence management
  • Automated evidence collection
  • One-click compliance reports
  • Multi-channel team notifications
  • Complete audit trail for compliance

Evidence Library

Penetration Test Report 2024 · PDF · Jan 15 · CRA-2.1
Security Architecture Review · PDF · Jan 12 · CRA-1.1
SAST Scan Results · JSON · Jan 10 · CRA-2.1
Threat Model - XR Pro · PDF · Jan 08 · CRA-1.2

Supplier Portal & Vendor Assessment

Send Magic-Link compliance requests to suppliers, run pre-built CRA vendor assessments, and review responses with Accept/Reject per criterion. No supplier account required.

Magic-Link Requests

Email a compliance request to any supplier. They open a secure one-time link and start answering. No account, no onboarding.

CRA Assessment Framework

Pre-built 14-criterion Vendor Security Assessment, configurable per supplier. Information Security Policy, SBOM, CVD, Incident Response and more.

Evidence Upload

Suppliers attach policies, ISO 27001/SOC 2/TISAX certificates and other documents directly in the portal. Required evidence is enforced before submission.

Compare View

Each criterion shows your current value next to what the supplier proposed. Decide per criterion: Accept or Reject with a comment.

Vendor Records

Central CRUD for vendor data with one-click import of common vendors. Risk levels, criticality, and review history in one place.

Audit Trail

Every request, response, accept, reject and comment is recorded with timestamps. Hand auditors a clean evidence package for the supply chain.

Key Benefits

  • No supplier onboarding friction (Magic-Link, no account)
  • Pre-built CRA Vendor Security Assessment, ready to use
  • Per-criterion Accept/Reject with comment
  • Required-evidence enforcement before submit
  • Audit-ready supply-chain evidence

Supplier Portal · Respond to compliance request · 2 / 14 saved
Information Security Policy (input requested)
Does the vendor have a documented information security policy? Yes / No
Attached: Security_Policy_v1.pdf · 191.4 KB
Security Certifications (input requested): ISO 27001 · SOC 2 Type II · ISO 9001 · TISAX
A supporting document is required for this criterion.
Sidebar nav · autosave

Platform Security

Enterprise security baked in: RBAC with 7 roles, multi-tenant architecture with organizations and workspaces, scoped API keys, and SSO/MFA. GDPR-compliant by design.

RBAC: 7 roles

Owner, Admin, Approver, Developer, Auditor, Viewer, Guest. Granular permissions per role, including read-only audit access.

Multi-Tenant Architecture

Organizations as the top-level boundary, workspaces inside for team and project separation. Full data isolation between tenants.

Scoped API Keys

Workspace-scoped keys with configurable expiry. One-time reveal. Owner and Admin only. For CI/CD and automation.

SSO/MFA

Single Sign-On and Multi-Factor Authentication in development for upcoming enterprise rollouts.

In-App Notifications

Real-time notification center with per-event preferences. Users decide what they want to hear about.

GDPR & Data Residency

EU-hosted, GDPR-compliant by design. Workspace-level data isolation for organizations with strict data-handling requirements.

Key Benefits

  • Seven granular roles out of the box
  • Full data isolation between tenants
  • CI/CD-ready scoped API keys
  • GDPR-compliant EU hosting
  • Auditor-friendly read-only access

Platform Security · Smart Systems GmbH · 3 workspaces · GDPR · EU
Roles (7, RBAC): Owner (Full access) · Admin (Manage) · Approver (Approve) · Developer (Write) · Auditor (Read-only) · Viewer (Read-only) · Guest (Scoped)
SSO · MFA: SAML, OIDC, TOTP
API Keys: kn_••••••6f2a
Workspaces: 3 · isolated

Ready to get started?

See how Kunnus can transform your CRA compliance.