Meet EU Cyber Resilience Act requirements in one pip install.
Penalties reach EUR 15 million or 2.5% of global turnover. The CRA Compliance Kit covers the core requirements in a single pip install.
| Module | Requirement | License |
|---|---|---|
identity.py | Device trust, access control (Art. 10) | MIT |
firmware.py | CVE matching, version gating (Art. 13) | MIT |
input_guard.py | Input sanitisation (Art. 10) | MIT |
action_guard.py | Action blacklist (Art. 10) | MIT |
sbom/generator.py | CycloneDX SBOM (Art. 13) | MIT |
provenance.py | Audit chain (commercial) | Licensed |
guardian.py | Health scoring (commercial) | Licensed |
baselines.py | Anomaly detection (commercial) | Licensed |
signing.py | Request signing (commercial) | Licensed |
pip install cra-compliance-kit
from cra_kit.identity import DeviceIdentityService, TrustTier
identity = DeviceIdentityService()
identity.enroll_device("sensor-01", "temp_sensor", trust_tier=TrustTier.ENVIRONMENTAL)
from cra_kit.firmware import FirmwareHealthService
fw = FirmwareHealthService()
check = fw.check_device("sensor-01", "gateway", "1.5.3")
from cra_kit.input_guard import InputClassifier
safe, findings = InputClassifier().is_safe(user_input)
from cra_kit.action_guard import PhysicalActionGuard
result = PhysicalActionGuard().check_action("format_storage")
# python -m sbom.generator --product "MyDevice" --output sbom.xml
Annual subscription. All tiers include MIT core modules + SBOM generator. Commercial modules unlocked at Professional and above.
Sources: CISA Known Exploited Vulnerabilities Catalog (July 2026). EU Regulation 2024/2847 (Cyber Resilience Act), entered into force December 10, 2024. Reporting obligations apply from September 11, 2026.
The EU Cyber Resilience Act (Regulation 2024/2847) requires manufacturers of products with digital elements to report actively exploited vulnerabilities to ENISA within 24 hours of awareness. It applies to all hardware and software sold in the European Union, with penalties reaching €15 million or 2.5% of annual global turnover. The CRA entered into force on December 10, 2024, with reporting obligations starting September 11, 2026.
A Software Bill of Materials (SBOM) is a machine-readable inventory of every software component in your product — libraries, frameworks, and dependencies. CRA Article 13 requires manufacturers to maintain SBOMs in CycloneDX or SPDX format so that vulnerabilities can be traced to specific components. Without an SBOM, you cannot determine whether a newly discovered CVE affects your product, making CRA compliance impossible.
The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog — a list of CVEs that are actively being exploited in the wild. As of July 2026, the catalog contains 1,638 entries with 19 new additions in the last 30 days. The CRA Compliance Kit monitors the KEV catalog daily and matches entries against your SBOM, triggering the 24-hour ENISA notification clock when a match is found.
CRA Article 14 establishes a three-stage reporting timeline: (1) Initial ENISA notification within 24 hours of becoming aware of an actively exploited vulnerability; (2) A status update within 72 hours detailing remediation progress; (3) A final report within 14 days documenting resolution or ongoing mitigation. Missing any deadline can trigger penalties under the CRA enforcement framework.
A Vulnerability Exploitability eXchange (VEX) is a CycloneDX-compatible document that declares whether a product is affected by a specific CVE. It communicates one of four statuses: not_affected, affected, fixed, or under_investigation. VEX statements are the standard way to demonstrate CRA due diligence — they provide auditable evidence that you assessed a vulnerability and documented your response within the regulatory deadline.
The CRA Compliance Kit is a Python package installable via pip install cra-compliance-kit. It provides 9 modules: device identity and access control (identity.py), CVE matching and version gating (firmware.py), input sanitisation (input_guard.py), action blacklisting (action_guard.py), CycloneDX SBOM generation (sbom/generator.py), plus 4 commercial modules for audit chains, health scoring, anomaly detection, and request signing. It ships with zero external dependencies.