EU Cyber Resilience Act

How CVEium CIS helps you comply with EU CRA requirements for vulnerability handling and disclosure.

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) establishes cybersecurity requirements for products with digital elements placed on the EU market. It was adopted in 2024, entered into force on 10 December 2024, and applies in phases.

Key dates

  • 11 September 2026: Reporting obligations begin. Manufacturers must notify actively exploited vulnerabilities (and severe incidents) through the single reporting platform operated by ENISA, which forwards them to the designated coordinating CSIRT: an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours, and a final report within 14 days of a fix or mitigation being available
  • 11 December 2027: Full application of the Regulation, including SBOM maintenance, vulnerability handling, and coordinated vulnerability disclosure

CRA requirements relevant to CVEium CIS

Article 13 and Annex I, Part II: Vulnerability handling

Manufacturers must identify and document vulnerabilities and components contained in the product, including third-party components, and address and remediate vulnerabilities "without delay." The manufacturer obligations are set out in Article 13; the detailed vulnerability handling requirements are in Annex I, Part II. CVEium addresses this through:

  • SBOM management: Upload and maintain machine-readable SBOMs for each release
  • Automated scanning: Continuously monitor components for newly published CVEs
  • SLA tracking: Enforce remediation deadlines aligned with severity (Critical: 7 days, High: 30 days). These are product defaults; the CRA itself prescribes no numeric deadlines, only "without delay"
  • Disposition workflow: Document your assessment of each vulnerability

SBOM requirement

The CRA requires manufacturers to "identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials." The SBOM must be in a commonly used, machine-readable format and cover at least the product's top-level dependencies; it must be made available to market surveillance authorities on request. CVEium provides:

  • Support for CycloneDX and SPDX standard formats
  • Component extraction with names, versions, PURLs, and licenses
  • SHA-256 hashing to verify SBOM integrity (a hash detects tampering after upload; authenticity of origin requires a signature)
  • SBOM download API for market surveillance authority requests

Coordinated vulnerability disclosure

The CRA requires manufacturers to maintain a coordinated vulnerability disclosure policy, to distribute security updates without delay, and to communicate information about fixed vulnerabilities (including advisories) to users in a timely manner. CVEium enables this through:

  • VEX documents: Communicate which vulnerabilities affect your product and which do not, with the justification for each
  • Public API: Machine-readable disclosure access for automated consumption
  • Digital signatures: Optional content signing for authenticity verification
  • Multiple formats: CycloneDX VEX, OpenVEX, and CSAF to meet different consumer needs
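The SBOM and VEX mechanics described in the two sections above fit in one short pipeline: verify the stored SBOM's SHA-256 digest, extract components and their PURLs from a CycloneDX JSON document, match them against a vulnerability feed, and emit an OpenVEX document carrying the manufacturer's disposition for each finding. The script below is an added illustration written for this page, not CVEium's own code or API. The SBOM, the feed, the dispositions, and the author and document identifiers are constructed sample data; the single Log4Shell feed record (log4j-core below 2.15.0) is accurate, but a real deployment would pull records from a live source such as NVD or OSV.

```python
"""SBOM integrity check + component scan + OpenVEX emission (illustrative, not CVEium code)."""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed CycloneDX 1.5 JSON SBOM for a fictional product (sample input only).
SAMPLE_SBOM_BYTES = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "acme-gateway", "version": "2.4.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
}, sort_keys=True, separators=(",", ":")).encode()

# Constructed feed keyed by version-less PURL: (CVE id, first fixed version).
# The log4j record is real (Log4Shell, fixed in 2.15.0); a production system pulls NVD/OSV.
SAMPLE_FEED = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("CVE-2021-44228", "2.15.0")],
}

# Constructed manufacturer dispositions: what the VEX statement should say per CVE.
DISPOSITIONS = {
    "CVE-2021-44228": {"status": "affected",
                       "action_statement": "Upgrade log4j-core to 2.17.1 in release 2.4.1."},
}


def sbom_digest(sbom_bytes: bytes) -> str:
    """SHA-256 over the stored bytes: proves the SBOM is unmodified, not who produced it."""
    return hashlib.sha256(sbom_bytes).hexdigest()


def verify_sbom(sbom_bytes: bytes, expected_hex: str) -> bool:
    """Constant-time comparison; any single-byte change in the SBOM fails the check."""
    return hmac.compare_digest(sbom_digest(sbom_bytes), expected_hex)


def parse_version(v: str) -> tuple:
    """Dotted version -> tuple of leading integers ('2.14.1' -> (2, 14, 1)); non-numeric parts become 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in v.split("."))


def split_purl(purl: str) -> tuple:
    """'pkg:type/ns/name@ver?q#s' -> ('pkg:type/ns/name', 'ver'). Unencoded npm scopes ('@scope') are kept."""
    base, sep, rest = purl.rpartition("@")
    if not sep or "/" in rest:          # no version; the '@' seen belonged to a scope
        return purl, ""
    return base, rest.split("?")[0].split("#")[0]


def extract_components(sbom_bytes: bytes) -> list:
    """Pull name/version/PURL for every component; components without a PURL cannot be matched."""
    bom = json.loads(sbom_bytes)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON SBOM")
    out = []
    for c in bom.get("components", []):
        purl = c.get("purl")
        if not purl:
            continue
        base, ver = split_purl(purl)
        out.append({"name": c["name"], "version": ver or c.get("version", ""), "purl": purl, "base": base})
    return out


def scan(components: list, feed: dict) -> list:
    """A component is flagged when its version is below the feed's first fixed version."""
    return [{"purl": c["purl"], "cve": cve, "fixed_in": fixed}
            for c in components
            for cve, fixed in feed.get(c["base"], [])
            if parse_version(c["version"]) < parse_version(fixed)]


def build_openvex(findings: list, dispositions: dict, author: str, doc_id: str) -> dict:
    """One OpenVEX v0.2.0 statement per finding; unknown CVEs default to under_investigation."""
    statements = []
    for f in findings:
        d = dispositions.get(f["cve"], {"status": "under_investigation"})
        stmt = {"vulnerability": {"name": f["cve"]}, "products": [{"@id": f["purl"]}], "status": d["status"]}
        if d["status"] == "not_affected":
            if "justification" not in d:   # OpenVEX requires a justification for not_affected
                raise ValueError(f"{f['cve']}: not_affected needs a justification")
            stmt["justification"] = d["justification"]
        elif d["status"] == "affected" and "action_statement" in d:
            stmt["action_statement"] = d["action_statement"]
        statements.append(stmt)
    return {"@context": "https://openvex.dev/ns/v0.2.0", "@id": doc_id, "author": author,
            "timestamp": datetime.now(timezone.utc).isoformat(), "version": 1, "statements": statements}


if __name__ == "__main__":
    digest = sbom_digest(SAMPLE_SBOM_BYTES)           # stored at upload time
    assert verify_sbom(SAMPLE_SBOM_BYTES, digest)
    assert not verify_sbom(SAMPLE_SBOM_BYTES + b"\n", digest)
    findings = scan(extract_components(SAMPLE_SBOM_BYTES), SAMPLE_FEED)
    print(json.dumps(build_openvex(findings, DISPOSITIONS, "ACME PSIRT (constructed)",
                                   "https://acme.example/vex/acme-gateway-2.4.0"), indent=2))
```

The digest is computed over the exact stored bytes, so any re-serialisation of the SBOM (key reordering, whitespace) changes it; store and verify the original upload, not a parsed-and-rewritten copy. The VEX builder refuses a `not_affected` disposition without a justification, which is the field downstream consumers use to decide whether to suppress a finding.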

Reporting to ENISA

CVEium CIS does not submit notifications to the single reporting platform operated by ENISA. The compliance attestation report provides the evidence and documentation you need to support those submissions: SBOM summaries, vulnerability scan results, disposition status, and VEX publication records.

CRA compliance checklist

Use CVEium CIS to address these CRA obligations:

  1. Maintain an SBOM for each product release
  2. Scan components against known vulnerabilities
  3. Triage and document the impact of each vulnerability
  4. Remediate or mitigate without delay, within your documented timeframes
  5. Generate and publish VEX documents for downstream users
  6. Maintain an audit trail of all vulnerability management activities
  7. Generate attestation reports for regulatory evidence