EU Cyber Resilience Act Compliance
How PatchOps Guard addresses the core CRA requirements.
What CRA Requires
The EU Cyber Resilience Act (Regulation 2024/2847), effective 2024, requires manufacturers placing products "with digital elements" on the EU market to comply with the following:
- Annex I §1 — Ship products free of known vulnerabilities from the design stage
- Annex I §2 — Provide timely security updates throughout the support period
- Article 14 — Report actively exploited vulnerabilities to ENISA within 24 hours
- Annex VII — Retain vulnerability handling evidence (SBOM, remediation history, time-to-patch)
How PatchOps Guard Helps
Every repository scan produces CycloneDX + SPDX format SBOMs, with each component tagged with PURL, license, and hash. This satisfies Annex VII §1(a) “identification of the component”.
A weighted composite of CVSS · EPSS · CISA KEV · Reachability quantifies vulnerability priority. This serves as the basis for Article 11 §2 “known exploitable vulnerability without undue delay” determinations.
The entire 5-stage pipeline — Stage 1 (Context) → Stage 2 (Generate) → Stage 3 (Sandbox Test) → Stage 4 (Rescan) → Stage 5 (PR) — is recorded in append-only audit_logs with timestamps. This can be submitted as Annex VII §2 “vulnerability handling process” evidence.
Average response time by severity is reported monthly or quarterly and can be downloaded as a PDF for submission to regulatory authorities. Export it per organization from Dashboard → Reports → CRA Compliance.
Preparing for Article 14 (24-Hour Early Warning)
When a vulnerability listed in the CISA KEV catalog is detected in your repositories, an alert is sent immediately via Slack webhook and email. The finding is marked with a "critical · kev" badge in the Defense Window. This alert provides your internal response team with the information needed to decide on ENISA reporting within 24 hours — impact scope, exploitability, and remediation status — all on a single screen.
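The composite priority described under "How PatchOps Guard Helps" and the KEV alerting rule above, as an added illustration that is not PatchOps Guard's own code: the weights (0.4 CVSS, 0.3 EPSS, 0.2 KEV, 0.1 reachability) and the CVSS v3 severity bands used for non-KEV badges are assumptions, since the page does not publish the product's real weighting.

```python
from dataclasses import dataclass

# Assumed weights for illustration only; the page does not publish PatchOps Guard's real weighting.
WEIGHTS = {"cvss": 0.4, "epss": 0.3, "kev": 0.2, "reachable": 0.1}

@dataclass
class Finding:
    cve: str
    cvss: float      # CVSS base score, 0.0 to 10.0
    epss: float      # EPSS exploitation probability, 0.0 to 1.0
    in_kev: bool     # listed in the CISA Known Exploited Vulnerabilities catalog
    reachable: bool  # vulnerable code path is reachable from the application

def priority_score(f: Finding) -> float:
    """Weighted composite of the four signals, each normalised to 0..1, scaled to 0..100."""
    signals = {
        "cvss": min(max(f.cvss, 0.0), 10.0) / 10.0,
        "epss": min(max(f.epss, 0.0), 1.0),
        "kev": 1.0 if f.in_kev else 0.0,
        "reachable": 1.0 if f.reachable else 0.0,
    }
    return round(100.0 * sum(WEIGHTS[k] * v for k, v in signals.items()), 1)

def badge(f: Finding) -> str:
    """KEV findings always carry the 'critical · kev' badge; others use CVSS v3 severity bands."""
    if f.in_kev:
        return "critical · kev"
    if f.cvss >= 9.0:
        return "critical"
    if f.cvss >= 7.0:
        return "high"
    if f.cvss >= 4.0:
        return "medium"
    return "low" if f.cvss > 0.0 else "none"

def triage(findings: list[Finding]) -> list[Finding]:
    """Highest priority first; KEV findings sort ahead of everything else because they
    start the 24-hour Article 14 review regardless of composite score."""
    return sorted(findings, key=lambda f: (f.in_kev, priority_score(f)), reverse=True)

# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=7.5, epss=0.02, in_kev=False, reachable=False),
    Finding("CVE-0000-0002", cvss=9.8, epss=0.97, in_kev=True, reachable=True),
    Finding("CVE-0000-0003", cvss=5.3, epss=0.50, in_kev=True, reachable=False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.cve}  score={priority_score(f):5.1f}  badge={badge(f)}")
```

The third sample shows why the KEV flag is handled outside the weighted sum: a medium-CVSS finding that is actively exploited still outranks an unexploited high-CVSS one for the 24-hour decision.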
Shared Responsibility
PatchOps Guard covers the SBOM generation, vulnerability detection, and remediation evidence retention aspects of Annex I §2 “technical requirements.” However, the following remain your organization’s responsibility:
- Article 13 (user support) — Distributing updates to product end users
- Article 14 (reporting) — Final ENISA/CSIRT report submission
- Annex I §1(h) — Secure-by-default product design
Audit Response Package
During an EU authority or Notified Body audit, export 90-day / 1-year / full-period evidence as JSON + PDF via Settings → Audit Logs → "Export audit trail." This file includes detection timestamp, remediation attempts, sandbox test results, PR links, and merge timestamps for every CVE finding.
This document does not constitute legal advice. We recommend consulting a legal professional to determine the scope of CRA applicability for your specific product lines. Contact: compliance@patchguard.ai