Counting down to Compliance

Penalties reach EUR 15 million or 2.5% of global turnover. The CRA Compliance Kit covers the core requirements in a single pip install.

Days Left
5
Open Modules
78
Tests Passing
0
Dependencies

What You Get

ModuleRequirementLicense
identity.pyDevice trust, access control (Art. 10)MIT
firmware.pyCVE matching, version gating (Art. 13)MIT
input_guard.pyInput sanitisation (Art. 10)MIT
action_guard.pyAction blacklist (Art. 10)MIT
sbom/generator.pyCycloneDX SBOM (Art. 13)MIT
provenance.pyAudit chain (commercial)Licensed
guardian.pyHealth scoring (commercial)Licensed
baselines.pyAnomaly detection (commercial)Licensed
signing.pyRequest signing (commercial)Licensed

Install in One Command

pip install cra-compliance-kit
from cra_kit.identity import DeviceIdentityService, TrustTier
identity = DeviceIdentityService()
identity.enroll_device("sensor-01", "temp_sensor", trust_tier=TrustTier.ENVIRONMENTAL)

from cra_kit.firmware import FirmwareHealthService
fw = FirmwareHealthService()
check = fw.check_device("sensor-01", "gateway", "1.5.3")

from cra_kit.input_guard import InputClassifier
safe, findings = InputClassifier().is_safe(user_input)

from cra_kit.action_guard import PhysicalActionGuard
result = PhysicalActionGuard().check_action("format_storage")

# python -m sbom.generator --product "MyDevice" --output sbom.xml

View on PyPI

Choose Your Tier

Annual subscription. All tiers include MIT core modules + SBOM generator. Commercial modules unlocked at Professional and above.

Developer
£500 /year
  • 5 MIT modules (identity, firmware, input_guard, action_guard)
  • CycloneDX 1.5 SBOM generator
  • 1 commercial module key
  • CVE matching engine
  • PyPI install, no dependencies
  • Email support
Enterprise
£7,500 /year
  • Everything in Professional
  • Custom SLA with response times
  • Integration support (CI/CD pipeline)
  • Compliance audit documentation pack
  • Dedicated onboarding session
  • White-label licensing available
  • Volume discounts for multi-product
Contact Us

CRA Compliance by the Numbers

1,638
CISA KEV CVEs Tracked
19
New Exploited CVEs (Last 30 Days)
24h
ENISA Reporting Window
€15M
Maximum CRA Penalty

Sources: CISA Known Exploited Vulnerabilities Catalog (July 2026). EU Regulation 2024/2847 (Cyber Resilience Act), entered into force December 10, 2024. Reporting obligations apply from September 11, 2026.

Frequently Asked Questions

What is the EU Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act (Regulation 2024/2847) requires manufacturers of products with digital elements to report actively exploited vulnerabilities to ENISA within 24 hours of awareness. It applies to all hardware and software sold in the European Union, with penalties reaching €15 million or 2.5% of annual global turnover. The CRA entered into force on December 10, 2024, with reporting obligations starting September 11, 2026.

What is an SBOM and why does CRA require it?

A Software Bill of Materials (SBOM) is a machine-readable inventory of every software component in your product — libraries, frameworks, and dependencies. CRA Article 13 requires manufacturers to maintain SBOMs in CycloneDX or SPDX format so that vulnerabilities can be traced to specific components. Without an SBOM, you cannot determine whether a newly discovered CVE affects your product, making CRA compliance impossible.

What is the CISA KEV catalog?

The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog — a list of CVEs that are actively being exploited in the wild. As of July 2026, the catalog contains 1,638 entries with 19 new additions in the last 30 days. The CRA Compliance Kit monitors the KEV catalog daily and matches entries against your SBOM, triggering the 24-hour ENISA notification clock when a match is found.

What are the CRA reporting deadlines?

CRA Article 14 establishes a three-stage reporting timeline: (1) Initial ENISA notification within 24 hours of becoming aware of an actively exploited vulnerability; (2) A status update within 72 hours detailing remediation progress; (3) A final report within 14 days documenting resolution or ongoing mitigation. Missing any deadline can trigger penalties under the CRA enforcement framework.

What is a VEX statement?

A Vulnerability Exploitability eXchange (VEX) is a CycloneDX-compatible document that declares whether a product is affected by a specific CVE. It communicates one of four statuses: not_affected, affected, fixed, or under_investigation. VEX statements are the standard way to demonstrate CRA due diligence — they provide auditable evidence that you assessed a vulnerability and documented your response within the regulatory deadline.

How does the CRA Compliance Kit work?

The CRA Compliance Kit is a Python package installable via pip install cra-compliance-kit. It provides 9 modules: device identity and access control (identity.py), CVE matching and version gating (firmware.py), input sanitisation (input_guard.py), action blacklisting (action_guard.py), CycloneDX SBOM generation (sbom/generator.py), plus 4 commercial modules for audit chains, health scoring, anomaly detection, and request signing. It ships with zero external dependencies.