The EU Cyber Resilience Act starts fining software vendors €15M or 2.5% of global turnover for missed vulnerability reports. CRAready generates your SBOM, tracks vulnerabilities, and files the 24-hour report — automatically.
Early-access users get lifetime 50% off. No credit card required.
Not guidance. Not best practice. Mandatory regulation with enforceable fines.
Every dependency, every version, kept current. If you can't produce a machine-readable Software Bill of Materials on 48-hour notice from a market-surveillance authority, you're non-compliant.
Active exploits in your product must be reported to ENISA and national CSIRTs within 24 hours. Miss it once — regulators remember.
Up to €15M or 2.5% of global turnover per violation. ENISA already has the Single Reporting Platform built. The fines are not theoretical.
15 minutes from connection to audit-ready.
GitHub or GitLab OAuth. Every push generates a fresh SBOM in CycloneDX or SPDX format. Automatic, versioned, audit-ready.
Continuous vulnerability enrichment from NVD, OSV, and GHSA. Know the moment a CVE drops in a library you're using — before attackers do.
When an exploitable vulnerability hits, CRAready pre-fills the 24-hour ENISA report with your SBOM data, CVE details, and mitigation steps. You review. One click. Filed.
Existing tools are priced for 500-person enterprises. CRAready is priced for the team that ships.
| | CRAready | Legacy enterprise SBOM tools | Traditional SCA scanners | Dev-first security platforms |
|---|---|---|---|---|
| Starter price | $79/mo | $40K+/yr | $15–65K/yr | $25K+/yr (seats) |
| CRA-specific workflow | ✓ Built-in | Add-on module | Generic | Generic |
| 24h ENISA reporting | ✓ One-click | Manual | Manual | Manual |
| Setup time | 15 minutes | Weeks | Weeks | Days |
| For <200 FTE companies | ✓ Designed for | Mid-market+ | Enterprise-first | Priced out |
SCA = Software Composition Analysis. SBOM = Software Bill of Materials.
14-day free trial on every plan. Cancel anytime. Annual saves 20%.
$79/mo: For solo devs and early-stage teams
$199/mo: For growing product teams
$499/mo: For serious operators
If you're a software vendor under 200 people — founder, engineering lead, or security-conscious developer — CRAready fits. You don't need a dedicated compliance team or a six-figure consulting engagement. Connect your repo, answer a few setup questions, and you're CRAready in 15 minutes.
If you sell, license, or make available software with digital elements on the EU market — yes. This includes SaaS tools, downloadable software, libraries, IoT devices, and embedded software. It does not matter where your company is legally based.
Vulnerability reporting to ENISA becomes mandatory on September 11, 2026. Full SBOM and technical documentation requirements kick in on December 11, 2027.
A Software Bill of Materials — a machine-readable list of every software component (libraries, frameworks, dependencies) your product uses. CRA requires it in CycloneDX or SPDX format. CRAready generates it automatically from your repository.
The CRA applies extraterritorially. Non-EU manufacturers must appoint an authorised representative in the EU. CRAready is planning guided integrations with EU representative services (available Q3 2026).
Yes. If you have the DevSecOps capacity to maintain the pipeline, handle vulnerability enrichment, track regulatory changes, and file ENISA reports manually — absolutely. CRAready is for teams who'd rather spend that time shipping product.
No. CRAready reads repository metadata and dependency manifests only. Your code never leaves GitHub/GitLab.
Yes — we eat our own dog food. Our SBOM is public, vulnerability handling is ENISA-ready, and we pursue SOC 2 Type 1 certification in Q3 2026.
Yes. Monthly plans cancel anytime, no questions. Annual plans prorate.
ENISA starts accepting 24-hour reports on September 11, 2026. If your vulnerability handling process isn't built, documented, and tested by then, you're not CRA-ready.
141 days remaining · No credit card required · Early-access invites begin April 29