On September 11, 2026, the European Union Cyber Resilience Act (CRA) becomes enforceable. Every product with a “digital element” sold in the EU must ship with a machine-readable Software Bill of Materials, continuous vulnerability monitoring, and documented incident response. Non-compliance triggers fines of up to 15 million euros or 2.5% of global turnover — whichever is higher.
Five months feels comfortable until you realize the regulation demands changes across your entire software supply chain: from dependency declaration to vulnerability disclosure timelines. Most organizations underestimate the scope.
What the CRA actually requires
Article 14 mandates that manufacturers provide an SBOM that covers at minimum the top-level dependencies of the product. The CRA does not specify a format, but the EU ENISA guidelines recommend CycloneDX 1.6 or SPDX 2.3 with VEX (Vulnerability Exploitability eXchange) annotations. VEX tells downstream consumers whether a listed CVE is actually exploitable in your build — a critical nuance that raw SBOMs miss.
Beyond SBOMs, the regulation requires you to actively monitor for new vulnerabilities and deliver patches “without delay.” That means automated scanning, not quarterly audits. It means reachability analysis that proves a CVE actually affects your code path, not just your lockfile.
Your SBOM playbook with PatchOps Guard
1. Generate SBOMs automatically
Connect your repositories via the GitHub App. PatchOps Guard parses every lockfile across 25 languages and emits CycloneDX 1.6 and SPDX 2.3 SBOMs on every commit. No manual inventory spreadsheets.
2. Attach VEX annotations
For every CVE found, the platform runs tree-sitter reachability analysis to determine whether your code actually calls the vulnerable function. The result is encoded as a VEX statement — affected, not_affected, or under_investigation — and embedded directly in the SBOM export.
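An added example of the VEX overlay described in this step and in the CRA section above (example code, not PatchOps Guard's own): it merges OpenVEX statements (assumed here as the VEX format, since the statuses on this page match its vocabulary) onto a CycloneDX 1.6 SBOM, refuses to silently accept a not_affected claim that lacks the justification OpenVEX requires, and flags statements about components the SBOM does not list. Component names, purls and CVE ids are constructed placeholders.

```python
from collections import defaultdict

# Constructed CycloneDX 1.6 SBOM fragment (example data, not a real product).
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"type": "library", "name": "libyaml", "version": "0.2.5",
     "purl": "pkg:generic/libyaml@0.2.5"},
    {"type": "library", "name": "parser-lib", "version": "1.4.0",
     "purl": "pkg:pypi/parser-lib@1.4.0"},
]}

# Constructed OpenVEX document; the CVE ids are placeholders, not real advisories.
VEX = {"statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "products": [{"@id": "pkg:pypi/parser-lib@1.4.0"}]},
    {"vulnerability": {"name": "CVE-0000-0002"}, "status": "affected",
     "products": [{"@id": "pkg:generic/libyaml@0.2.5"}]},
    # Invalid under OpenVEX: not_affected requires a justification or impact_statement.
    {"vulnerability": {"name": "CVE-0000-0003"}, "status": "not_affected",
     "products": [{"@id": "pkg:generic/libyaml@0.2.5"}]},
    # Refers to a purl that is not in the SBOM: a stale or mismatched statement.
    {"vulnerability": {"name": "CVE-0000-0004"}, "status": "affected",
     "products": [{"@id": "pkg:npm/left-pad@1.3.0"}]},
]}

def merge_vex(sbom, vex):
    """Overlay OpenVEX statements on a CycloneDX SBOM and return
    ({purl: {cve: effective_status}}, findings). Unjustified not_affected
    claims are downgraded to under_investigation; unknown purls are reported."""
    purls = {c["purl"] for c in sbom["components"] if "purl" in c}
    triage, findings = defaultdict(dict), []
    for st in vex["statements"]:
        cve, status = st["vulnerability"]["name"], st["status"]
        if status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            findings.append(f"{cve}: not_affected without justification, kept as under_investigation")
            status = "under_investigation"
        for product in st["products"]:
            purl = product["@id"]
            if purl not in purls:
                findings.append(f"{cve}: statement for {purl}, which is not in the SBOM")
                continue
            triage[purl][cve] = status
    return dict(triage), findings

def needs_patch(triage):
    """Components with at least one CVE whose effective status is still affected."""
    return sorted(p for p, cves in triage.items() if "affected" in cves.values())
```

Running `merge_vex(SBOM, VEX)` leaves libyaml on the patch list for CVE-0000-0002 while parser-lib is cleared by its justified not_affected statement; the two findings are what an auditor reviewing the VEX overlay would ask about.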
3. Export the CRA Article 14 PDF
One click generates a compliance PDF containing the SBOM, VEX overlay, vulnerability timeline, and patch evidence. This document is designed for auditors and regulatory bodies. It maps each CRA requirement to the corresponding artifact in your pipeline.
4. Continuous monitoring
The scheduler polls NVD, OSV, GitHub Advisory Database, and CISA KEV on a configurable cadence. When a new CVE matches your dependency graph, the platform calculates a Defense Window Score, runs the AI repair pipeline, and opens a verified pull request — all before your next standup.
The CRA is not optional. It is the GDPR of product security. Start your SBOM pipeline today at patchguard.ai and ship compliant before September.