Your biggest customer is about to ask for your CRA attestation.

From 11 September 2026, EU law requires every company selling software or connected products in the EU to report actively exploited vulnerabilities within 24 hours — and it applies to products already on the market, not just new releases. Large buyers have started demanding CRA attestations from their suppliers ahead of the date.

Get CRA-ready in a two-week sprint: a GitLab pipeline that generates your evidence automatically, the full document pack, and the 24-hour reporting runbook.

Book a 20-minute scoping callFounding cohort: 5 teams, September delivery

cra:scan-gate — release pipeline
$ make demo-fail-kev
==> [4/4] KEV gate
  KEV GATE: FAIL — 1 CVE in the CISA Known
  Exploited Vulnerabilities catalogue:
    CVE-2023-4911  libc6 2.36-9  [High]

  release blocked · exit code 1
  evidence still archived:
  dist/evidence/kev_result.json

Deadlines

The clock

11 Sept 2026

Article 14 reporting live: 24h early warning, 72h notification, 14-day final report, via ENISA's Single Reporting Platform. Applies to every in-scope product currently sold in the EU.

Q4 2026

Supply-chain pressure: large manufacturers (Honeywell, for instance, publicly requires it of suppliers) are demanding CRA attestations or compliance roadmaps from vendors this year.

11 Dec 2027

Full obligations: essential security requirements, technical documentation, CE marking, Declaration of Conformity.

€15M or 2.5% of turnover

Penalties reach €15 million or 2.5% of worldwide turnover.

Scope

Does this apply to you? The 60-second check

  1. 1. Do you sell software or a device that customers install or run themselves (on-prem, self-hosted, desktop, mobile, embedded, SDK/plugin)?

    Libraries, SDKs and plugins count — components placed on the market separately are in scope.

  2. 2. Do you sell it into the EU (any customer, any channel)?

    Any making available on the EU market in the course of a commercial activity triggers the regulation.

  3. 3. Is it sold commercially — licences, subscriptions with a self-hosted tier, or paid support that funds development?

    Non-commercial open source stays out; monetised or support-funded distribution is in.

  4. 4. Is it under your name or brand (including white-labelled products you rebrand)?

    Rebranding or substantially modifying someone else's product makes you its manufacturer.

  5. 5. Not a medical device, vehicle system, aviation, marine or defence product?

    Those live under their own sectoral regimes instead of the CRA.

Five yeses → the CRA applies to you, and the 24-hour reporting clock starts 11 September 2026 — including for versions you’ve already shipped.

Book the 20-minute scoping call →

The offer

The sprint — two weeks, fixed price

01

Week 1 — scope and pipeline.

A scoping memo (in/out of scope, product class, conformity route, support period) — the first page of your technical documentation. Then the CI component into your GitLab pipeline: every release automatically generates a CycloneDX SBOM, gates on known exploited vulnerabilities, signs artefacts, and files a dated evidence bundle.

02

Week 2 — documents and drill.

A working session to fill the pack: risk assessment mapped to Annex I, coordinated vulnerability disclosure policy + security.txt, vulnerability-handling SOP, user security information, technical documentation skeleton, Declaration of Conformity draft. Then the reporting runbook — decision tree, pre-filled report forms, the 24/72h/14-day clock as a checklist — and one tabletop dry-run with your team.

03

The obligations register.

You end with an obligations register: every CRA duty as a row with an owner, a recurrence, and a link to live evidence. One click when a customer, distributor, or authority asks.

The difference

Why this isn't a template zip

Anyone can generate a policy with AI. What customers and market-surveillance authorities ask for is evidence — and evidence has to be produced continuously, per release, and stand up when the 24-hour clock starts. The pipeline makes compliance a side effect of shipping; the documents just describe what your pipeline already proves.

evidence/manifest.json — signed, per release
{
  "product":  { "version": "1.4.2" },
  "pipeline": { "url": "…/pipelines/47" },
  "tools":    { "syft":  "1.46.0",
                "grype": "0.115.0",
                "cosign": "v3.1.1" },
  "results":  { "component_count": 3078,
                "kev_gate": "pass" },
  "files":    [ sha256 for every file… ]
}

Pricing

Pricing

CRA-Ready Sprint

€2,950

fixed

Book the scoping call

Self-serve kit

€349

pipeline component + document pack, no workshop — waitlist

Join the waitlist

Micro and small companies: EU co-financing exists for exactly this. The SECURE programme distributed its first €5M (grants up to €30,000 at 50% co-financing) in early 2026, and further call windows are expected from its remaining budget — the windows are short, so being application-ready matters. The sprint's outputs (scoping memo, gap list, project plan) double as the application skeleton. We'll cover it in the scoping call.

Who's behind this

Shaun Paul Baldacchino Calleja — infrastructure and security practitioner in the EU (Malta): 15+ years running production estates in a regulated industry, ISO 27001 practitioner, GIAC GWAPT, GitLab CI/Terraform/GCP daily. I build the pipelines I sell.

Book a 20-minute scoping call

We'll tell you honestly — if you're out of scope, the call is free and short.

Book the call

Questions

FAQ

Is this legal advice?

No — it's engineering and documentation aligned to the regulation's requirements. For legal interpretation questions we refer you to counsel.

We're Class I/II or a critical product.

The sprint covers self-assessment routes; if you need a notified body we'll say so in the scoping call and refer you.

What if we're on GitHub, not GitLab?

GitHub Actions variant on request — tell us on the call.

Will the deadline slip?

The reporting date is written into the regulation itself and the Commission's implementation materials (guidance, reporting platform, dry-runs) are already rolling out. Betting on a delay is betting your customer relationships.

Independent service. Not affiliated with or endorsed by the European Commission, ENISA, or any regulator. Not legal advice.