Skip to content
CRA Compliance Platform

Automate CRA Compliance Workflows Before the Deadline

Complaro helps product engineering teams move from SBOM to CRA compliance readiness. Vulnerability intelligence from NVD, CISA KEV, and GitHub Security Advisories with pre-filled ENISA-format reports generated in minutes, not weeks.

Get Started Free

One product, unlimited scans, no credit card

NVIDIA Inception Program
CRA Reporting Deadline
20707
days
00
hrs
00
min
00
sec
app.complaro.com
Product Dashboard
3 products · Last scan 2 min ago
3 Products
Payment ServiceDefault
92
No vulnerabilities
IoT GatewayClass I
78
2 vulnerabilities found
Auth LibraryClass II
85
1 vulnerability found
Free Tool

CRA Readiness Scanner

Enter a public GitHub repository and get an instant CRA readiness score. See what's missing before the September 2026 deadline.

How It Works

From SBOM to CRA Compliance Readiness

Three steps between uploading your first SBOM and generating a compliance-ready incident report draft.

SBOM Analysis
express4.18.2
...
lodash4.17.21
...
xz-utils5.6.0
...
openssl3.1.4
...
Classification: Default (Art. 6)
4 components analyzed · 1 critical, 1 warning
01

Identify and Classify Your Products

Upload your Software Bill of Materials or let cra-scanner detect one. The platform maps every component against CRA Annex III and Annex IV to determine your product classification and which essential requirements apply.

Vulnerability Detected
CRITICAL
CVE-2024-3094
xz-utils 5.6.0 · Actively exploited
CVSS: 9.8
CISA KEV: Yes
EPSS: 0.97
May trigger 24h ENISA reporting
Article 14(2)(a) · Early warning required
NVD
CISA KEV
GitHub SA
02

Scan for Known Vulnerabilities

Complaro matches your SBOM components against NVD, CISA Known Exploited Vulnerabilities, and GitHub Security Advisories. Version-aware matching reduces false positives while flagging actively exploited CVEs that trigger the 24-hour ENISA reporting obligation.

ENISA Report
Draft ready for review
Subject
Early Warning - CVE-2024-3094
Report Type24h Early Warning
ProductIoT Gateway v2.1
Affected Componentxz-utils 5.6.0
CVSS Score9.8 Critical
ENISA ReferenceArt. 14(2)(a)
03

Generate ENISA-Format Reports

Export pre-filled vulnerability reports in the three CRA-mandated formats: 24-hour early warning, 72-hour incident notification, and 14-day final report. Available as PDF and machine-readable JSON.

Platform

Purpose-Built for the EU Cyber Resilience Act

Unlike general-purpose vulnerability scanners, Complaro is designed specifically for CRA compliance. The platform understands CRA product classification and scores your readiness across five compliance dimensions.

Integration

CI/CD Integration

Connect Complaro to your development workflow. Scan SBOMs automatically on every release and catch compliance issues before they ship.

GitHub Actions
GitLab CI
Jira
Slack
complaro-ci / mainrunning...
Push to main
feat: update payment-service SBOM · 14s ago
Generate SBOM...
Vulnerability Scan
CRA Classification
Compliance Check
Upload Report
Critical Alert

24-Hour Vulnerability Reporting

When a CVE hits your dependencies, Complaro flags it, helps assess your reporting deadline, and generates pre-filled ENISA-format reports before your team has finished their morning coffee.

24h
Early Warning
72h
Notification
14d
Final Report
Actively exploited vulnerability detected
Just now · Automatic scan
CRITICAL
CVE-2024-3094
xz-utils 5.6.0 · Backdoor in upstream distribution tarball
9.8
CVSS
CISA KEVNVDGitHub AdvisoryEPSS: 0.97
Article 14(2)(a) - Early warning deadlineStarted 15h 36m ago
8h 24m remaining24h deadline
Reports

ENISA Report Generation

Reports come pre-filled with data from your scan. Add the details only your team knows, export as PDF or JSON, and submit to ENISA.

Subject
Early Warning - CVE-2024-3094
Report Type24h Early Warning
ProductIoT Gateway v2.1
Affected Componentxz-utils 5.6.0
CVSS Score9.8 Critical
ENISA ReferenceArt. 14(2)(a)
Dashboard

Multi-Product Dashboard

Manage compliance across your entire product portfolio from a single interface. Track everything per product.

Portfolio Overview0 products
0
Compliant
0
At Risk
0
Critical
Payment APIDefault
0
IoT GatewayClass I
0
Auth ServiceClass II
0
Mobile SDKDefault
0
Why Complaro

Meet the CRA with Confidence

What changes when CRA compliance runs in the background instead of blocking your roadmap.

Vulnerability Reports in Minutes, Not Weeks

The CRA gives you one day to report an exploited vulnerability. Complaro helps you generate the report in minutes.

Built for Engineers

Made for the team that actually manages dependencies, not for consultants filling out PDFs.

Every Product. One View.

Whether you ship one product or a hundred, every compliance score and deadline lives in the same dashboard.

Fits What You Already Use

Imports SBOMs from Snyk, Sonatype, Trivy, or your own pipeline. Nothing to rip and replace.

Always Watching

NVD, CISA KEV, and GitHub Advisories are checked continuously. You hear about new threats before your morning standup.

Not a Consulting Invoice

Traditional CRA assessments can cost tens of thousands in consulting fees. Complaro starts free.

Pricing

Simple, Transparent Pricing

CRA compliance that scales with your product portfolio. Start free, upgrade when you need ENISA reporting.

Free

€0
  • 1 product
  • Unlimited scans
  • SBOM import (CycloneDX & SPDX)
  • Vulnerability scanning (NVD, CISA KEV, GitHub Advisories)
  • Compliance score
Get Started
Popular

SMV

€299/mo
  • Up to 10 products
  • Everything in Free
  • ENISA report generation (24h, 72h, 14d)
  • PDF & JSON export
  • All CI/CD integrations
  • Slack & Jira notifications
Get Started

Mid-market

€899/mo
  • Up to 50 products
  • Everything in SMV
  • Priority support
  • Custom classification rules
  • Advanced compliance analytics
  • Dedicated onboarding
Get Started

All prices exclude VAT where applicable.

Need more than 50 products? Contact us for enterprise pricing.

For Your README

CRA Compliance Badge

Show your CRA readiness on your GitHub README. The badge updates daily.

CRA Readiness badge for Complaro/cra-scanner
![CRA Readiness](https://complaro.com/api/badge?repo=Complaro/cra-scanner)
About

Who We Are

Complaro is a Copenhagen-based team focused exclusively on EU Cyber Resilience Act tooling. We build open source tools including cra-scanner, a free CLI for CRA readiness assessment, and this platform for teams that need continuous compliance management.

About us
Member ofNVIDIA Inception Program
FAQ

Your Questions, Answered

Answers to your most common questions about the CRA and Complaro.

The CRA (Regulation 2024/2847) is an EU regulation requiring manufacturers of products with digital elements to meet cybersecurity requirements throughout the product lifecycle. It covers vulnerability handling, SBOM provision, and incident reporting to ENISA.
Reporting obligations start 11 September 2026. All other requirements (vulnerability handling, SBOM, documentation, conformity assessment) apply from 11 December 2027.
Any manufacturer placing a product with digital elements on the EU market, including commercial software, IoT devices, and open-source projects with a commercial activity. SaaS is generally out of scope unless it involves embedded or downloadable components.
A Software Bill of Materials is a machine-readable inventory of all components in your software. The CRA requires it under Article 13(5) and Annex I Part II(1) so that downstream users and market surveillance authorities can identify vulnerable components.
Complaro helps automate the three hardest parts: classifying your products under CRA Annex III/IV, continuously scanning for known vulnerabilities, and generating pre-filled ENISA-format incident reports when actively exploited vulnerabilities are discovered. The platform scores your readiness across five CRA compliance dimensions.
Interactive Tool

Is My Product in Scope?

Answer a few questions to find out if the CRA applies to your product and what category it falls under.

Question 1 of 6

Does your product contain software or firmware?

Contact

Get in Touch

Questions about CRA compliance or Complaro? We'd love to hear from you.

Start Your Free CRA Assessment

Free plan includes one product with unlimited scans and compliance readiness scoring.

Get Started Free