⚡ EU Cyber Resilience Act

Build Secure Software for

Interlynk's AI-native SBOM platform automates secure software development to comply with global regulations.
NEXT CRA DEADLINE

Mandatory Vulnerability Reporting

Begins September 11, 2026, when the 24-hour reporting obligations take effect

Auto SBOM Generation

Create SBOMs instantly in industry-standard formats such as SPDX and CycloneDX.

24 Hours

Vulnerability reporting window

10 Years

SBOM retention requirement

90%

Products eligible for self-assessment

CRA Compliance Timeline

Who Does the CRA Affect?

Manufacturers

Anyone who develops, manufactures, or has products with digital elements designed and developed under their name or trademark.

Importers

Entities established in the EU that place a product with digital elements bearing a third-country manufacturer's name on the EU market.

Distributors

Any party in the supply chain — other than the manufacturer or importer — who makes a product with digital elements available in the EU market.

Product Classification Under CRA

Important Class I

Password managers, antivirus, VPNs, network interfaces

Important Class II

Firewalls, IDS/IPS, hypervisors, container runtimes

Critical

Hardware security modules, smart meter gateways, smartcards

☑️ Machine-readable SBOM format (CycloneDX or SPDX)
☑️ Include all top-level dependencies
☑️ Accurate version numbers for all components
☑️ Unique identifiers for each component
☑️ 10-year retention requirement for documentation
☑️ Regular updates when components change
☑️ Secure sharing mechanisms with authorized parties
☑️ Integration with vulnerability monitoring systems
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:...",
  "version": 1,
  "metadata": {
    "timestamp": "2026-01-15T10:00:00Z",
    "tools": [{
      "vendor": "Interlynk",
      "name": "SBOM Generator"
    }]
  },
  "components": [
    {
      "type": "library",
      "name": "example-lib",
      "version": "2.1.0",
      "purl": "pkg:npm/example-lib@2.1.0"
    }
  ]
}
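
A checker for the machine-verifiable items of the checklist above (format, version numbers, unique identifiers), run over a CycloneDX JSON document. This is an added example, not Interlynk code; `check_sbom`, `purl_version` and the sample components are hypothetical, and the purl parsing is simplified.

```python
import json
import re

# serialNumber pattern from the CycloneDX JSON schema (urn:uuid + RFC 4122 UUID)
SERIAL_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")

def purl_version(purl):
    """Version of a package URL (simplified: text after '@', before '?' or '#')."""
    head = re.split(r"[?#]", purl, maxsplit=1)[0]
    return head.rsplit("@", 1)[1] if "@" in head else None

def check_sbom(text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not machine-readable JSON: {exc.msg}"]
    if not isinstance(bom, dict):
        return ["top level is not a JSON object"]
    findings = []
    if bom.get("bomFormat") != "CycloneDX" or not bom.get("specVersion"):
        findings.append("bomFormat/specVersion missing or not CycloneDX")
    if not SERIAL_RE.match(str(bom.get("serialNumber", ""))):
        findings.append("serialNumber is not a urn:uuid value")
    seen = set()
    for i, comp in enumerate(bom.get("components") or []):
        label = comp.get("name") or f"components[{i}]"
        version, purl = comp.get("version"), comp.get("purl")
        if not version:
            findings.append(f"{label}: missing version")
        ident = purl or comp.get("cpe")
        if not ident:
            findings.append(f"{label}: no unique identifier (purl or cpe)")
            continue
        if ident in seen:
            findings.append(f"{label}: duplicate identifier {ident}")
        seen.add(ident)
        if purl and version and purl_version(purl) != version:
            findings.append(f"{label}: purl version differs from version field")
    return findings

# Constructed sample: one clean component, one version mismatch, one bare entry.
SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
    "serialNumber": "urn:uuid:11111111-2222-4333-8444-555555555555", "components": [
        {"name": "example-lib", "version": "2.1.0", "purl": "pkg:npm/example-lib@2.1.0"},
        {"name": "other-lib", "version": "1.4.2", "purl": "pkg:npm/other-lib@1.4.0"},
        {"name": "bare-lib"},
]})
```

Run against the sample document shown on this page, the checker reports only the elided `serialNumber`, since `urn:uuid:...` is a placeholder rather than a UUID.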

Vulnerability Reporting Obligations

The CRA introduces strict timelines for reporting actively exploited vulnerabilities and severe incidents to ENISA and your CSIRT.

24h

Early warning notification

72 hrs

Full vulnerability notification

14 days

Final report after correction

1 Month

Severe incident report

Reports must be submitted via the CRA Single Reporting Platform managed by ENISA, with simultaneous notification to your national CSIRT.

How Interlynk Helps

We map every CRA requirement to a concrete platform capability — so you can demonstrate compliance, not just claim it.

| CRA Requirement | Interlynk Capability |
| --- | --- |
| SBOM creation & maintenance | Automated SBOM Management |
| Vulnerability identification | Continuous vulnerability monitoring |
| Dependency tracking | Open Source Management |
| Security update management | Supplier monitoring |
| Technical documentation | SBOM export in CycloneDX / SPDX |
| 10-year retention | SBOM lifecycle management |

Frequently Asked Questions

More questions? Contact us now.

The CRA is an EU regulation establishing mandatory cybersecurity requirements for products with digital elements sold in the European Union. It covers hardware and software, requiring secure-by-design development, vulnerability handling, and ongoing security updates throughout the product lifecycle.

The CRA entered into force in December 2024. Vulnerability reporting obligations begin in September 2026, and full application of all requirements starts in December 2027.

Pure SaaS is generally outside the CRA's direct scope, but software components and remote data processing solutions intended to support a product with digital elements are covered. The line is nuanced and depends on whether the software is integral to the product's function.

The CRA requires SBOMs in a commonly used machine-readable format. CycloneDX and SPDX are the two industry-standard formats that meet this requirement and are supported by Interlynk out of the box.

Non-commercial open-source software is exempt. However, open-source components integrated into commercial products are not — manufacturers remain responsible for the security of all components they ship, including open-source dependencies.

Penalties can reach up to €15 million or 2.5% of global annual turnover, whichever is higher, for the most serious violations. Lesser breaches carry lower but still substantial fines.

NIS2 targets operators of essential and important services, focusing on organizational cybersecurity. The CRA targets products themselves, regulating manufacturers of hardware and software placed on the EU market.

Yes. Any company — regardless of headquarters location — that places products with digital elements on the EU market must comply with the CRA. Non-EU manufacturers typically appoint an EU-based authorized representative.

Trusted by over 100 organizations

See Your SBOM Done Right

Interlynk automates SBOMs, manages open-source risk, monitors suppliers, and prepares you for the post-quantum era, all on one trusted platform.