7 Months Until CRA — Do You Know Where Your CVEs Are?
September 11, 2026 is not the day the EU Cyber Resilience Act takes full effect. That's December 11, 2027. But September 11, 2026 is when the CRA's vulnerability reporting obligations become legally binding — and that deadline is now roughly seven months away.
From that date, every manufacturer of products with digital elements placed on the EU market must report any actively exploited vulnerability in those products to the CSIRT designated as coordinator in its Member State and to ENISA. An early warning is due within 24 hours of becoming aware of the vulnerability, a vulnerability notification within 72 hours, and a final report within 14 days of a corrective or mitigating measure becoming available. (Severe incidents affecting the security of the product carry a parallel duty under the same article: 24-hour early warning, 72-hour incident notification, final report within a month. This post focuses on vulnerabilities.)
This applies to products already on the market. The CRA's transitional rules exempt products placed on the market before December 11, 2027 from most of the regulation until they are substantially modified, but the Article 14 reporting obligations are explicitly carved out of that exemption. It applies to software you shipped in 2020. It applies regardless of whether you've started your CRA compliance journey.
The hidden dependency most teams are missing
Most organizations plan around the December 2027 full-compliance date. That's when SBOM requirements, conformity assessments, and CE marking obligations kick in. So the thinking goes: we have time.
But here's the problem. To report an actively exploited vulnerability within 24 hours, you need to know:
- What software components are in your product
- Which of those components are affected by a given CVE
- Whether that CVE is being actively exploited
You can't do any of that without an SBOM and a vulnerability monitoring process. In practice, SBOM readiness is a prerequisite for September 2026, even though SBOMs aren't formally mandated until December 2027.
As Keysight's security team put it: "You can't report what you don't know."
What the reporting timeline looks like
When a manufacturer becomes aware of an actively exploited vulnerability in their product, the CRA requires:
| Deadline | Requirement |
|---|---|
| 24 hours from awareness | Early warning to the coordinating CSIRT and ENISA via the single reporting platform, indicating where known the Member States in which the product has been made available |
| 72 hours from awareness | Vulnerability notification: the product concerned, the general nature of the exploit and of the vulnerability, corrective or mitigating measures taken and those users can take, and how sensitive the manufacturer considers the information to be |
| 14 days after a corrective or mitigating measure is available | Final report: a description of the vulnerability including its severity and impact, information on the exploiting actor where available, and details of the security update or other corrective measure |
ENISA's Single Reporting Platform will be operational by September 2026. Once it's live, there's no grace period.
The penalty math
Non-compliance with the reporting obligations (or the essential requirements in Annex I) can result in fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. Note the "whichever is higher": the percentage only becomes the ceiling above €600M in turnover. A mid-sized European software company with €100M in annual revenue is therefore not looking at a €2.5M cap; its maximum exposure is the full €15M, and a single failure to report is within scope of that tier.
Even for companies well below that revenue threshold, the reputational damage of a missed CRA notification may be worse than the fine itself.
The current landscape: what's out there
If you're starting to evaluate tooling, the market broadly breaks down like this:
Enterprise SCA platforms — tools like Snyk, Sonatype, and FOSSA offer software composition analysis with SBOM generation as a feature. These platforms are powerful and mature, but they were designed around large enterprise security programmes and are commonly priced at €2,000–5,000+/mo. CRA-specific workflows (the 24h/72h/14d reporting sequence, EUVD lookups, submission to ENISA's single reporting platform) are typically not built in.
SBOM lifecycle managers — tools like Cybeats SBOM Studio and sbomify focus on SBOM management, archival, and sharing. They're strong on the documentation side but may require separate tooling for vulnerability detection and alerting.
Open-source generators — Syft, cdxgen, and npm's built-in "npm sbom" command can generate SBOMs in CI/CD pipelines. They're free and flexible, but they stop at the SBOM: you'll need to build the CVE matching, alerting, and reporting workflow yourself.
CRA-focused platforms — a newer category of tools built specifically around CRA timelines and requirements. ScanDog and Verimu fall into this category: purpose-built for European compliance, with SBOM generation, vulnerability monitoring, and regulatory reporting as core features rather than add-ons.
The question isn't whether you need a tool. It's which trade-offs you're willing to make: build vs. buy, cost vs. coverage, CRA-native vs. retrofitted.
What "CRA-ready" actually means by September
By September 11, 2026, at minimum, you should have:
- A complete SBOM for every product on the market — in CycloneDX or SPDX format, with every component identified by package URL and version so it can actually be matched. Annex I only requires top-level dependencies, but exploited CVEs are very often in transitive ones, so cover both.
- Automated vulnerability monitoring — matching SBOM components by package URL and affected version range against NVD, EUVD, and CISA KEV, with a KEV hit treated as the trigger for an immediate "is our product actually affected" assessment, since awareness of an actively exploited vulnerability in the product is what starts the 24-hour clock
- An alerting workflow — that notifies the right people within hours, not days
- A reporting process — mapped to the CRA's 24h/72h/14d timeline, with templates ready for the ENISA Single Reporting Platform
- Documentation — showing that this process exists, is tested, and has been operational before the deadline
If any of these are missing, you're exposed.
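The two technical pieces above, the SBOM-to-advisory matching that the "you need to know" list calls for and the 24h/72h/14d deadline arithmetic from the timeline table, fit in a short script. The following is an added example written for this post; it is not Verimu's code or any product's. The SBOM, the package names, and the advisory records (including the "EXAMPLE-" identifiers and the "kev" flag standing in for a CISA KEV lookup) are all constructed inline so it runs offline; the version-range grammar (comma-separated ">=", "<" constraints) is a simplification of what NVD and EUVD records actually carry.

```python
"""Added example: match a CycloneDX SBOM against an advisory feed and compute
CRA Article 14 deadlines. Not code from the page's author or any vendor."""
import json
import re
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import unquote

# Constructed CycloneDX-style SBOM; the package names are fictional.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "acme-http", "version": "2.3.1",
     "purl": "pkg:npm/acme-http@2.3.1"},
    {"type": "library", "name": "@acme/yaml-loader", "version": "0.9.4",
     "purl": "pkg:npm/%40acme/yaml-loader@0.9.4"},
    {"type": "library", "name": "acme-auth", "version": "5.0.0",
     "purl": "pkg:npm/acme-auth@5.0.0"}
  ]
}"""

# Constructed advisory feed: the merged view you would build from NVD/EUVD
# (affected version ranges) and CISA KEV (the `kev` flag). IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ecosystem": "npm", "name": "acme-http",
     "affected": ">=2.0.0,<2.3.2", "kev": True},
    {"id": "EXAMPLE-0002", "ecosystem": "npm", "name": "@acme/yaml-loader",
     "affected": "<1.0.0", "kev": False},
    {"id": "EXAMPLE-0003", "ecosystem": "npm", "name": "acme-auth",
     "affected": "<5.0.0", "kev": True},
]

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<path>[^?#]+)(?:[?#].*)?$")
CONSTRAINT_RE = re.compile(r"^(<=|>=|<|>|=)?\s*([0-9][^\s,]*)$")
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "=": lambda a, b: a == b}


def parse_purl(purl: str) -> dict:
    """Split a package URL into type, name and version (qualifiers dropped)."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    path = m.group("path")
    name, sep, version = path.rpartition("@")
    if not sep:                      # purl carries no version at all
        name, version = path, None
    # npm scopes are percent-encoded in purls ("%40acme/x"); decode them
    return {"type": m.group("type"), "name": unquote(name), "version": version}


def _vkey(version: str) -> tuple:
    """Numeric sort key for dotted versions; pre-release/build suffixes ignored."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated constraint in `spec`."""
    key = _vkey(version)
    for constraint in spec.split(","):
        m = CONSTRAINT_RE.match(constraint.strip())
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.group(1) or "=", m.group(2)
        if not OPS[op](key, _vkey(bound)):
            return False
    return True


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Cross-reference every purl-identified component against the feed."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue                 # unmatchable component: fix the SBOM
        p = parse_purl(purl)
        if p["version"] is None:
            continue
        for adv in advisories:
            if (adv["ecosystem"], adv["name"]) != (p["type"], p["name"]):
                continue
            if in_range(p["version"], adv["affected"]):
                # A KEV hit flags the finding for immediate exploitability
                # assessment; the CRA clock starts when you become aware the
                # product is affected, not merely that a component is listed.
                findings.append({"purl": purl, "advisory": adv["id"],
                                 "actively_exploited": adv["kev"]})
    return findings


def cra_deadlines(aware_at: str, fix_available_at: Optional[str] = None) -> dict:
    """Article 14(2) deadlines as ISO-8601 strings. 24h and 72h run from
    awareness; the 14-day final report runs from the time a corrective or
    mitigating measure is available, so it is only known once one exists."""
    t0 = datetime.fromisoformat(aware_at)
    out = {"early_warning": (t0 + timedelta(hours=24)).isoformat(),
           "vulnerability_notification": (t0 + timedelta(hours=72)).isoformat()}
    if fix_available_at is not None:
        out["final_report"] = (datetime.fromisoformat(fix_available_at)
                               + timedelta(days=14)).isoformat()
    return out


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f)
        if f["actively_exploited"]:
            print("   ", cra_deadlines("2026-09-14T09:00:00+00:00"))
```

Two things in this script are the ones that matter in production. First, matching is only as good as the purl: a component without a purl, or with a version missing from it, silently drops out of the cross-reference, which is exactly the "you can't report what you don't know" failure. Second, the deadline function deliberately refuses to compute the final-report date until a fix date is supplied, because that deadline is anchored to the measure, not to awareness.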
How Verimu fits
Verimu was built specifically for this problem. We're a team of medtech and industrial software engineers who went through CRA compliance planning ourselves and realized the tooling gap was enormous — especially for small and mid-sized European software teams that don't have a €50K/year security tooling budget.
Here's what Verimu does today:
- SBOM generation — CycloneDX 1.7, NTIA-compliant, generated automatically on every commit via GitHub App
- CVE monitoring — cross-referencing against NVD, EUVD, and CISA KEV
- Real-time alerting — email notifications to your team when a vulnerability affects your dependencies
- CRA reporting templates — mapped to the 24h/72h/14d notification timeline
- EU-hosted infrastructure — your data stays in Europe
Starting at €49/mo — not thousands.
We're starting with GitHub and npm/Node.js, with C#, Java, Go, and Rust support on the roadmap.
If you want to see what a compliant SBOM looks like before you commit to anything, you can generate one in your browser right now — no signup needed.
Seven months is less time than it sounds, especially when the first month goes to evaluation, the second to procurement, the third to integration, and you want at least a quarter of runway before the deadline to exercise the process end to end.
Get started free → or book a demo to see how Verimu can get you CRA-ready before September.