⚡ EU Cyber Resilience Act

Veilige software bouwen voor

Interlynk's AI-native SBOM-platform automatiseert veilige softwareontwikkeling om te voldoen aan wereldwijde regelgeving.

Boek demo

NEXT CRA DEADLINE

Mandatory Vulnerability Reporting

Begins September 11, 2026

000DAYS
00HOURS
00MINUTES

until 24-hour reporting obligations take effect

NEXT CRA DEADLINE

Mandatory Vulnerability Reporting

Begins September 11, 2026

000DAYS
00HOURS
00MINUTES

until 24-hour reporting obligations take effect

NEXT CRA DEADLINE

Mandatory Vulnerability Reporting

Begins September 11, 2026

000DAYS
00HOURS
00MINUTES

until 24-hour reporting obligations take effect

Veelgestelde vragen

Meer vragen? Neem nu contact met ons op.

Auto-SBOM Generatie

Maak SBOM's onmiddellijk in industrienormen zoals SPDX en CycloneDX.
Maak SBOM's onmiddellijk in industrienormen zoals SPDX en CycloneDX.

24 Hours

Vulnerability reporting window
Vulnerability reporting window

10 Years

SBOM retention
requirement
SBOM retention
requirement

90%

Products eligible for self-assessment
Products eligible for self-assessment

CRA Compliance Timeline

Who Does the CRA Affect?

Manufacturers

Anyone who develops, manufactures, or has products with digital elements designed and developed under their name or trademark.

Importers

Entities established in the EU that place a product with digital elements bearing a third-country manufacturer's name on the EU market.

Distributors

Any party in the supply chain — other than the manufacturer or importer — who makes a product with digital elements available in the EU market.

Meer vragen? Neem nu contact met ons op.

Meer vragen? Neem nu contact met ons op.

Product Classification Under CRA

Auto-SBOM Generatie

Maak SBOM's onmiddellijk in industrienormen zoals SPDX en CycloneDX.
Maak SBOM's onmiddellijk in industrienormen zoals SPDX en CycloneDX.

Important Class I

Password managers, antivirus, VPNs, network interfaces
Password managers, antivirus, VPNs, network interfaces

Important Class II

Firewalls, IDS/IPS, hypervisors, container runtimes
Firewalls, IDS/IPS, hypervisors, container runtimes

Critical

Hardware security modules, smart meter gateways, smartcards
Hardware security modules, smart meter gateways, smartcards

Veelgestelde vragen

Meer vragen? Neem nu contact met ons op.
☑️ Machine-readable SBOM format (CycloneDX or SPDX)
☑️ Include all top-level dependencies
☑️ Accurate version numbers for all components
☑️ Unique identifiers for each component
☑️ 10-year retention requirement for documentation
☑️ Regular updates when components change
☑️ Secure sharing mechanisms with authorized parties
☑️ Integration with vulnerability monitoring systems
☑️ Machine-readable SBOM format (CycloneDX or SPDX)
☑️ Include all top-level dependencies
☑️ Accurate version numbers for all components
☑️ Unique identifiers for each component
☑️ 10-year retention requirement for documentation
☑️ Regular updates when components change
☑️ Secure sharing mechanisms with authorized parties
☑️ Integration with vulnerability monitoring systems
☑️ Machine-readable SBOM format (CycloneDX or SPDX)
☑️ Include all top-level dependencies
☑️ Accurate version numbers for all components
☑️ Unique identifiers for each component
☑️ 10-year retention requirement for documentation
☑️ Regular updates when components change
☑️ Secure sharing mechanisms with authorized parties
☑️ Integration with vulnerability monitoring systems
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:...",
  "version": 1,
  "metadata": {
    "timestamp": "2026-01-15T10:00:00Z",
    "tools": [{
      "vendor": "Interlynk",
      "name": "SBOM Generator"
    }]
  },
  "components": [
    {
      "type": "library",
      "name": "example-lib",
      "version": "2.1.0",
      "purl": "pkg:npm/example-lib@2.1.0"
    }
  ]
}

Vulnerability Reporting Obligations

The CRA introduces strict timelines for reporting actively exploited vulnerabilities and severe incidents to ENISA and your CSIRT.

24h

Early warning notification

72 hrs

Full vulnerability notification

14 days

Final report after correction

1 Month

Severe incident report

Reports must be submitted via the CRA Single Reporting Platform managed by ENISA, with simultaneous notification to your national CSIRT.

Reports must be submitted via the CRA Single Reporting Platform managed by ENISA, with simultaneous notification to your national CSIRT.

How Interlynk Helps

We map every CRA requirement to a concrete platform capability — so you can demonstrate compliance, not just claim it.
CRA Requirement
Interlynk Capability
SBOM creation & maintenance
Automated SBOM Management
Vulnerability identification
Continuous vulnerability monitoring
Dependency tracking
Open Source Management
Security update management
Supplier monitoring
Technical documentation
SBOM export in CycloneDX / SPDX
10-year retention
SBOM lifecycle management
CRA Requirement
Interlynk Capability
SBOM creation & maintenance
Automated SBOM Management
Vulnerability identification
Continuous vulnerability monitoring
Dependency tracking
Open Source Management
Security update management
Supplier monitoring
Technical documentation
SBOM export in CycloneDX / SPDX
10-year retention
SBOM lifecycle management

Veelgestelde vragen

More questions? Contact us now.

The CRA is an EU regulation establishing mandatory cybersecurity requirements for products with digital elements sold in the European Union. It covers hardware and software, requiring secure-by-design development, vulnerability handling, and ongoing security updates throughout the product lifecycle.

The CRA entered into force in December 2024. Vulnerability reporting obligations begin in September 2026, and full application of all requirements starts in December 2027.

Pure SaaS is generally outside the CRA's direct scope, but software components and remote data processing solutions intended to support a product with digital elements are covered. The line is nuanced and depends on whether the software is integral to the product's function.

The CRA requires SBOMs in a commonly used machine-readable format. CycloneDX and SPDX are the two industry-standard formats that meet this requirement and are supported by Interlynk out of the box.

Non-commercial open-source software is exempt. However, open-source components integrated into commercial products are not — manufacturers remain responsible for the security of all components they ship, including open-source dependencies.

Penalties can reach up to €15 million or 2.5% of global annual turnover, whichever is higher, for the most serious violations. Lesser breaches carry lower but still substantial fines.

NIS2 targets operators of essential and important services, focusing on organizational cybersecurity. The CRA targets products themselves, regulating manufacturers of hardware and software placed on the EU market.

Yes. Any company — regardless of headquarters location — that places products with digital elements on the EU market must comply with the CRA. Non-EU manufacturers typically appoint an EU-based authorized representative.

Vertrouwd door 100+ organisaties

Zie uw SBOM goed gedaan

Zie uw SBOM goed gedaan

Interlynk automatiseert SBOM's, beheert risico's van open source, monitort,leveranciers en bereidt je voor op het post-kwantum tijdperk, allemaal op één vertrouwd platform.

Aanmelden

Aanmelden

Oplossing

SBOM Automatisering

Open Source Beheer

Leverancier Monitoring

Post-kwantum gereedheid

Cyber Resilience Act

Hulpbronnen

Blogs

Open Source Toolkits

Nieuws

Vergelijken met Dependency Track

Bedrijf

Over ons

Privacybeleid

Documentatie

Interlynk
© 2026 Interlynk Inc. Alle rechten voorbehouden

Oplossing

SBOM Automatisering

Open Source Beheer

Leverancier Monitoring

Post-kwantum gereedheid

Cyber Resilience Act

Hulpbronnen

Blogs

Open Source Toolkits

Nieuws

Vergelijken met Dependency Track

Bedrijf

Over ons

Privacybeleid

Documentatie

Interlynk
© 2026 Interlynk Inc. Alle rechten voorbehouden

Oplossing

SBOM Automatisering

Open Source Beheer

Leverancier Monitoring

Post-kwantum gereedheid

Cyber Resilience Act

Hulpbronnen

Blogs

Open Source Toolkits

Nieuws

Vergelijken met Dependency Track

Bedrijf

Over ons

Privacybeleid

Documentatie

Interlynk
© 2026 Interlynk Inc. Alle rechten voorbehouden