EU CRA

Ketryx for EU CRA Compliance

Ketryx helps teams meet the EU Cyber Resilience Act's obligations for products with digital elements, spanning SBOMs, vulnerability reporting, secure-by-design evidence, and 10-year documentation retention.

30 minutes · No commitment · Tailored to your regulatory requirements

What does the CRA require?

Build security into development.

The CRA shifts cybersecurity from an afterthought to a development mandate, requiring secure-by-design development, secure-by-default configurations, and documented risk assessments throughout the software lifecycle.

Report vulnerabilities in 24 hours.

The CRA imposes a new rapid reporting cadence, requiring actively exploited vulnerabilities to be flagged to ENISA within 24 hours, analyzed within 72 hours, and fully reported within 14 days.

Comprehensive technical files.

The CRA expands technical documentation obligations well beyond what most software teams produce today. Manufacturers must assemble complete technical files, risk assessments, and conformity declarations, and keep them current for up to 10 years across every product version, patch, and release.

Cybersecurity, risk management, and traceability can no longer live in silos

The CRA adds a new horizontal cybersecurity layer on top of existing vertical regulations including MDR/IVDR, NIS2, GDPR, and CE marking. Manufacturers can no longer treat cybersecurity, risk management, and traceability as separate compliance workstreams. The regulatory expectation is an integrated, evidence-based development process where:

How Ketryx can help

Ketryx is an AI-powered compliance platform purpose-built for the development lifecycle of regulated software products. Rather than bolting compliance onto an existing development workflow, Ketryx makes compliance the workflow by integrating SBOM generation, vulnerability management, traceability, and documentation into your existing tools like Jira, GitHub, and Azure DevOps.

Automated SBOM generation and dependency intelligence

Generate and maintain machine-readable SBOMs automatically from connected Git repositories. CycloneDX and SPDX formats, with rich dependency metadata and per-release snapshots.

.png)

Structured vulnerability management and CRA reporting support

Ketryx provides an end-to-end vulnerability management workflow, from automated scanning and change impact assessments to structured exports for ENISA's Single Reporting Platform. Teams get the real-time visibility, structured workflows, and documentary evidence needed to meet the CRA's 24h/72h reporting windows.

Integrated requirements, risk, and traceability management

The CRA's 'secure by design' mandate requires manufacturers to demonstrate that cybersecurity risks were systematically identified, assessed, mitigated, and verified during development. Ketryx provides a unified environment for the entire design control and risk management workflow: a complete, auditable evidence chain.

Automated technical documentation and lifecycle records

The CRA requires manufacturers to compile and retain comprehensive technical documentation for up to 10 years, available to market surveillance authorities on request. Ketryx automates the generation and management of the required technical file, producing version-locked documents directly from living project data at the click of a button.

Enforce SOPs with engineering controls

Prevent non-compliant releases before they ship. Configurable approval workflows, automated control mapping, and robust verification and validation across the entire stack.

An AI assistant that works inside your project, not around it

The Ketryx Assistant generates compliant artifacts, analyzes traceability, and answers QMS questions using your actual project data, including your requirements, risks, tests, and design history, instead of generic training sets.

How a Top 5 MedTech Company Assessed Vulnerabilities 80% Faster

A top 5 MedTech Surgical Robotics company partnered with Ketryx to modernize its cybersecurity risk assessment process and accelerate vulnerability assessments. After improving their Cybersecurity System Architecture (CSA), they began identifying more vulnerabilities, which exposed gaps in their existing workflow. Their vulnerability review process had become a costly, major bottleneck: dispersed tools, inconsistent data, and manual handoffs made it difficult to efficiently identify and prioritize the vulnerabilities that posed the greatest patient and business risk.

Ketryx simplified workflows into an AI-driven system that improved prioritization, increased review throughput, and significantly reduced operational risk.