Meet EU CRA requirements, keep your workflows.
Ketryx helps teams meet the EU Cyber Resilience Act's obligations for products with digital elements, spanning SBOMs, vulnerability reporting, secure-by-design evidence, and 10-year documentation retention.
What does the CRA require?
Build security into development.
The CRA shifts cybersecurity from an afterthought to a development mandate, requiring secure-by-design development, secure-by-default configurations, and documented risk assessments throughout the software lifecycle.
Report vulnerabilities in 24 hours.
The CRA imposes a new rapid reporting cadence for actively exploited vulnerabilities: an early warning within 24 hours of becoming aware, submitted via the single reporting platform operated by ENISA, a vulnerability notification within 72 hours, and a final report within 14 days of a corrective or mitigating measure becoming available.
Comprehensive technical files.
The CRA expands technical documentation obligations well beyond what most software teams produce today. Manufacturers must assemble complete technical files, risk assessments, and conformity declarations, keep them current across every product version, patch, and release, and retain them for at least 10 years after the product is placed on the market (or for the support period, if that is longer).
Cybersecurity, risk management, and traceability can no longer live in silos
The CRA adds a new horizontal cybersecurity layer on top of existing vertical regulations including MDR/IVDR, NIS2, GDPR, and CE marking. Manufacturers can no longer treat cybersecurity, risk management, and traceability as separate compliance workstreams. The regulatory expectation is an integrated, evidence-based development process where:
- Security requirements are traced to design outputs and test results
- Dependencies are continuously monitored
- Risk assessments are living documents
How Ketryx can help
Ketryx is an AI-powered compliance platform purpose-built for the development lifecycle of regulated software products. Rather than bolting compliance onto an existing development workflow, Ketryx makes compliance the workflow by integrating SBOM generation, vulnerability management, traceability, and documentation into your existing tools like Jira, GitHub, and Azure DevOps.
Structured vulnerability management and CRA reporting support
Ketryx provides an end-to-end vulnerability management workflow, from automated scanning and change impact assessments to structured exports for ENISA's Single Reporting Platform. Teams get the real-time visibility, structured workflows, and documentary evidence needed to meet the CRA's 24h/72h reporting windows.
- Continuous GHSA and NVD monitoring with automatic Vulnerability Advisory generation for affected dependencies
- ISO 14971-aligned impact assessments with CVSS v3.1 and v4.0 scoring, environmental profiles, and treatment decisions
- Structured Vulnerability Report export including CVE IDs, CVSS scores, affected dependency and product versions, and remediation status, providing the evidence base needed to support CRA vulnerability reporting and notification obligations
Automated SBOM generation and dependency intelligence
Generate and maintain machine-readable SBOMs automatically from connected Git repositories, in CycloneDX and SPDX formats, with rich dependency metadata and per-release snapshots.
- Auto-scan package manifests (package.json, pom.xml, requirements.txt, Podfile, and more)
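As an added illustration (not Ketryx code, and not a description of how the product works internally), the following Python sketches what the SBOM and vulnerability-report passages above mean in practice: it parses a package.json and a requirements.txt into CycloneDX 1.5 components with Package URLs, assembles a per-release SBOM, and matches the components against an advisory feed to produce the fields a structured vulnerability report needs (identifier, CVSS score, affected dependency and product versions, remediation status). The manifests, package names, advisory identifiers and scores are all constructed, and the `example:unresolved-range` property name is a placeholder.

```python
"""Minimal CycloneDX SBOM generation from package manifests, plus matching the
SBOM's components against an advisory feed. Illustrative code only; the
manifests, package names, advisory IDs and CVSS scores below are constructed."""
import json
import re

# Constructed sample manifests standing in for files in a connected repository.
PACKAGE_JSON = json.dumps({
    "name": "infusion-ui",
    "version": "2.3.0",
    "dependencies": {"uilib": "1.4.0", "chartkit": "^3.2.1"},
})
REQUIREMENTS_TXT = "netclient==2.31.0\nyamlish==5.3.1  # pinned by QA\n\n"

# Constructed advisory records in the shape of a GHSA/NVD-derived feed.
# Package names, identifiers and fixed versions are fictional.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl_type": "npm", "name": "uilib",
     "fixed_in": "1.4.2", "cvss_v3_1": 7.5},
    {"id": "EXAMPLE-0002", "purl_type": "pypi", "name": "yamlish",
     "fixed_in": "5.4", "cvss_v3_1": 9.8},
    {"id": "EXAMPLE-0003", "purl_type": "pypi", "name": "netclient",
     "fixed_in": "2.20.0", "cvss_v3_1": 6.1},  # already fixed in the pinned version
]

RANGE_PREFIX = re.compile(r"^[\^~>=<]+")


def parse_package_json(text):
    """npm manifest -> CycloneDX components with pkg:npm PURLs.
    A range such as ^3.2.1 is not a resolved version; a real generator reads the
    lockfile. Here the operator is stripped and the component is flagged."""
    manifest = json.loads(text)
    components = []
    for name, spec in manifest.get("dependencies", {}).items():
        version = RANGE_PREFIX.sub("", spec)
        comp = {"type": "library", "name": name, "version": version,
                "purl": f"pkg:npm/{name}@{version}"}
        if version != spec:  # placeholder property name, not a CycloneDX standard one
            comp["properties"] = [{"name": "example:unresolved-range", "value": spec}]
        components.append(comp)
    return components


def parse_requirements(text):
    """pip requirements file -> components with pkg:pypi PURLs (pinned '==' only)."""
    components = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue  # blank, comment, or unpinned; a real scanner would flag unpinned lines
        name, version = (s.strip() for s in line.split("==", 1))
        components.append({"type": "library", "name": name.lower(), "version": version,
                           "purl": f"pkg:pypi/{name.lower()}@{version}"})
    return components


def build_sbom(product_name, product_version, components):
    """Assemble a minimal CycloneDX 1.5 JSON document for one release snapshot."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": product_name, "version": product_version}},
        "components": components,
    }


def version_key(v):
    """Numeric dotted-version ordering; sufficient for the constructed data,
    not a full semver or PEP 440 comparator."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def vulnerability_report(sbom, advisories):
    """Match SBOM components to advisories and emit one row per match with the
    fields a structured vulnerability report needs."""
    product = sbom["metadata"]["component"]
    rows = []
    for comp in sbom["components"]:
        ptype = comp["purl"].split(":", 1)[1].split("/", 1)[0]  # "npm", "pypi", ...
        for adv in advisories:
            if adv["purl_type"] != ptype or adv["name"] != comp["name"]:
                continue
            affected = version_key(comp["version"]) < version_key(adv["fixed_in"])
            rows.append({
                "advisory": adv["id"],
                "cvss_v3_1": adv["cvss_v3_1"],
                "dependency": comp["purl"],
                "product": f'{product["name"]}@{product["version"]}',
                "fixed_in": adv["fixed_in"],
                "status": "open" if affected else "not affected",
            })
    return rows


def run():
    comps = parse_package_json(PACKAGE_JSON) + parse_requirements(REQUIREMENTS_TXT)
    sbom = build_sbom("infusion-ui", "2.3.0", comps)
    return sbom, vulnerability_report(sbom, ADVISORIES)


if __name__ == "__main__":
    sbom, report = run()
    print(json.dumps(sbom, indent=2))
    for row in report:
        print(row)
```

The report deliberately keeps the "not affected" row: a dependency that is already past the fixed version is evidence that the advisory was evaluated, which is the kind of record a reviewer asks for when the analysis behind a notification is questioned.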
Integrated requirements, risk, and traceability management
The CRA's 'secure by design' mandate requires manufacturers to demonstrate that cybersecurity risks were systematically identified, assessed, mitigated, and verified during development. Ketryx provides a unified environment for the entire design control and risk management workflow: a complete, auditable evidence chain.
Automated technical documentation and lifecycle records
The CRA requires manufacturers to compile comprehensive technical documentation and keep it available to market surveillance authorities on request for at least 10 years after the product is placed on the market (or for the support period, if that is longer). Ketryx automates the generation and management of the required technical file, producing version-locked documents directly from living project data at the click of a button.
Enforce SOPs with engineering controls
Prevent non-compliant releases before they ship. Configurable approval workflows, automated control mapping, and robust verification and validation across the entire stack.
An AI assistant that works inside your project, not around it
The Ketryx Assistant generates compliant artifacts, analyzes traceability, and answers QMS questions using your actual project data, including your requirements, risks, tests, and design history, instead of generic training sets. Originally built for FDA-regulated work, these capabilities apply directly to CRA obligations.