⚡ EU Cyber Resilience Act

Achieve EU Cyber Resilience Act Compliance with Confidence

September 2026 vulnerability reporting deadline is [X] days away. Interlynk automates the SBOM, vulnerability management, and documentation requirements you need.

NEXT CRA DEADLINE: Mandatory Vulnerability Reporting begins September 11, 2026 (countdown until 24-hour reporting obligations take effect).


What is the Cyber Resilience Act?

The EU Cyber Resilience Act (CRA) is the first horizontal EU regulation imposing mandatory cybersecurity requirements on hardware and software products with digital elements. It mandates secure-by-design principles, vulnerability handling, and lifecycle transparency for any product sold in the EU market — regardless of where the manufacturer is based.

€15M: Maximum fines for non-compliance

24 hours: Vulnerability reporting window

10 years: SBOM retention requirement

90%: Products eligible for self-assessment

CRA Compliance Timeline

Who Does the CRA Affect?

Manufacturers

Anyone who develops, manufactures, or has products with digital elements designed and developed under their name or trademark.

Importers

Entities established in the EU that place a product with digital elements bearing a third-country manufacturer's name on the EU market.

Distributors

Any party in the supply chain — other than the manufacturer or importer — who makes a product with digital elements available in the EU market.

Note: An importer or distributor becomes a manufacturer if they place a product under their own name or substantially modify it.


Product Classification Under CRA

Default (~90%): Smart speakers, hard drives, photo editing software

Important Class I: Password managers, antivirus, VPNs, network interfaces

Important Class II: Firewalls, IDS/IPS, hypervisors, container runtimes

Critical: Hardware security modules, smart meter gateways, smartcards

SBOM Requirements Under CRA

The Cyber Resilience Act mandates comprehensive Software Bill of Materials documentation. Here are the key requirements you need to meet:
☑️ Machine-readable SBOM format (CycloneDX or SPDX)
☑️ Include all top-level dependencies
☑️ Accurate version numbers for all components
☑️ Unique identifiers for each component
☑️ 10-year retention requirement for documentation
☑️ Regular updates when components change
☑️ Secure sharing mechanisms with authorized parties
☑️ Integration with vulnerability monitoring systems
Example of a minimal CycloneDX SBOM in JSON:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:...",
  "version": 1,
  "metadata": {
    "timestamp": "2026-01-15T10:00:00Z",
    "tools": [{
      "vendor": "Interlynk",
      "name": "SBOM Generator"
    }]
  },
  "components": [
    {
      "type": "library",
      "name": "example-lib",
      "version": "2.1.0",
      "purl": "pkg:npm/example-lib@2.1.0"
    }
  ]
}
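The checklist above can be partly enforced mechanically before an SBOM is filed as technical documentation. The following is an added example written for this page, not Interlynk's code or any part of the CRA text: it takes a CycloneDX or SPDX JSON document and reports which checklist items fail (machine-readable format, a creation timestamp, a version and a unique identifier for every component, and no identifier shared by two different components). It goes slightly beyond the page's CycloneDX snippet by also handling SPDX, since both formats are named as acceptable. The sample SBOMs, including the serial number and component names, are constructed for the example.

```python
"""CRA-oriented SBOM checklist validator (added example; not Interlynk's code).
Validation against the official CycloneDX/SPDX JSON schemas is out of scope
here and should be run alongside these checks."""
import json
from typing import Any, Iterator, Optional


def detect_format(doc: dict[str, Any]) -> Optional[str]:
    """Return 'CycloneDX', 'SPDX', or None for an unrecognised document."""
    if doc.get("bomFormat") == "CycloneDX" and doc.get("specVersion"):
        return "CycloneDX"
    if doc.get("spdxVersion") and doc.get("SPDXID"):
        return "SPDX"
    return None


def _walk(components: list) -> Iterator[dict]:
    # CycloneDX components can nest; visit them depth-first in document order.
    for c in components:
        yield c
        yield from _walk(c.get("components", []))


def _entries(doc: dict[str, Any], fmt: str) -> Iterator[tuple]:
    """Normalise both formats to (name, version, [identifiers]) tuples."""
    if fmt == "CycloneDX":
        for c in _walk(doc.get("components", [])):
            ids = [c.get("purl"), c.get("cpe"), c.get("bom-ref")]
            yield c.get("name"), c.get("version"), [i for i in ids if i]
    else:
        for p in doc.get("packages", []):
            ids = [p.get("SPDXID")]
            for ref in p.get("externalRefs", []):
                if ref.get("referenceType") in ("purl", "cpe22Type", "cpe23Type"):
                    ids.append(ref.get("referenceLocator"))
            yield p.get("name"), p.get("versionInfo"), [i for i in ids if i]


def check_sbom(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not machine-readable JSON: {exc}"]
    fmt = detect_format(doc)
    if fmt is None:
        return ["unrecognised format: expected CycloneDX (bomFormat) or SPDX (spdxVersion)"]
    findings: list[str] = []
    if fmt == "CycloneDX":
        stamp = doc.get("metadata", {}).get("timestamp")
    else:
        stamp = doc.get("creationInfo", {}).get("created")
    if not stamp:
        findings.append("missing creation timestamp (cannot show the SBOM is kept current)")
    entries = list(_entries(doc, fmt))
    if not entries:
        findings.append("no components listed")
    seen: dict[str, str] = {}  # identifier -> component that first used it
    for name, version, ids in entries:
        label = name or "<unnamed>"
        if not name:
            findings.append("component without a name")
        if not version:
            findings.append(f"{label}: missing version")
        if not ids:
            findings.append(f"{label}: no unique identifier (purl, cpe or bom-ref)")
        for ident in ids:
            if ident in seen and seen[ident] != label:
                findings.append(f"{label}: identifier {ident} also used by {seen[ident]}")
            seen.setdefault(ident, label)
    return findings


# Constructed sample inputs (not real SBOMs). GOOD_SBOM mirrors the page's
# CycloneDX snippet with a made-up serial number; BAD_SBOM omits fields.
GOOD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000000", "version": 1,
    "metadata": {"timestamp": "2026-01-15T10:00:00Z",
                 "tools": [{"vendor": "Interlynk", "name": "SBOM Generator"}]},
    "components": [{"type": "library", "name": "example-lib", "version": "2.1.0",
                    "purl": "pkg:npm/example-lib@2.1.0"}],
})
BAD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "metadata": {},
    "components": [
        {"type": "library", "name": "example-lib"},  # no version, no identifier
        {"type": "library", "name": "other", "version": "1.0", "bom-ref": "pkg:npm/other@1.0"},
        {"type": "library", "name": "third", "version": "1.0", "bom-ref": "pkg:npm/other@1.0"},
    ],
})
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {"created": "2026-01-15T10:00:00Z"},
    "packages": [{"name": "example-lib", "versionInfo": "2.1.0", "SPDXID": "SPDXRef-Package-1",
                  "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                                    "referenceLocator": "pkg:npm/example-lib@2.1.0"}]}],
})

if __name__ == "__main__":
    for label, sbom in (("good", GOOD_SBOM), ("bad", BAD_SBOM), ("spdx", SPDX_SBOM)):
        print(label, check_sbom(sbom) or "OK")
```

A `bom-ref` or `SPDXID` is only unique within the document, while a purl or CPE is what a vulnerability monitoring system actually matches on; a stricter policy for the "integration with vulnerability monitoring" item would require a purl or CPE rather than accepting any of the three identifiers.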

Vulnerability Reporting Obligations

The CRA introduces strict timelines for reporting actively exploited vulnerabilities and severe incidents to ENISA and your CSIRT.

24 hours: Early warning notification

72 hours: Full vulnerability notification

14 days: Final report after correction

1 month: Severe incident report

Reports must be submitted via the CRA Single Reporting Platform managed by ENISA, with simultaneous notification to your national CSIRT.

How Interlynk Helps

We map every CRA requirement to a concrete platform capability — so you can demonstrate compliance, not just claim it.
CRA Requirement               | Interlynk Capability
------------------------------|-------------------------------------
SBOM creation & maintenance   | Automated SBOM Management
Vulnerability identification  | Continuous vulnerability monitoring
Dependency tracking           | Open Source Management
Security update management    | Supplier monitoring
Technical documentation       | SBOM export in CycloneDX / SPDX
10-year retention             | SBOM lifecycle management

FAQs

More questions? Contact us now.

The CRA is an EU regulation establishing mandatory cybersecurity requirements for products with digital elements sold in the European Union. It covers hardware and software, requiring secure-by-design development, vulnerability handling, and ongoing security updates throughout the product lifecycle.

The CRA entered into force in December 2024. Vulnerability reporting obligations begin in September 2026, and full application of all requirements starts in December 2027.

Pure SaaS is generally outside the CRA's direct scope, but software components and remote data processing solutions intended to support a product with digital elements are covered. The line is nuanced and depends on whether the software is integral to the product's function.

The CRA requires SBOMs in a commonly used machine-readable format. CycloneDX and SPDX are the two industry-standard formats that meet this requirement and are supported by Interlynk out of the box.

Non-commercial open-source software is exempt. However, open-source components integrated into commercial products are not — manufacturers remain responsible for the security of all components they ship, including open-source dependencies.

Penalties can reach up to €15 million or 2.5% of global annual turnover, whichever is higher, for the most serious violations. Lesser breaches carry lower but still substantial fines.

NIS2 targets operators of essential and important services, focusing on organizational cybersecurity. The CRA targets products themselves, regulating manufacturers of hardware and software placed on the EU market.

Yes. Any company — regardless of headquarters location — that places products with digital elements on the EU market must comply with the CRA. Non-EU manufacturers typically appoint an EU-based authorized representative.

Trusted by 100+ Organizations

Start Your CRA Compliance Journey


Join 100+ organizations already using Interlynk to automate SBOM management and meet EU regulatory requirements.