Cyber Resilience Act: helping you prepare.
The EU Cyber Resilience Act introduces continuous vulnerability handling and reporting obligations for software vendors selling into the EU. Quaze supports the operational pieces (SBOM packages per release, vulnerability handling logs, VEX-style determinations) and produces them on a schedule, so the run-up stops being a fire drill.
Key CRA dates
- CRA enters into force (December 2024): the Cyber Resilience Act becomes EU law, establishing baseline security requirements for products with digital elements.
- Reporting obligations begin (September 2026): manufacturers must report actively exploited vulnerabilities and severe incidents to the relevant authority within tight timelines.
- Full compliance required (late 2027): all products placed on the EU market must meet the full CRA requirements, with conformity assessments and ongoing vulnerability handling in place.
Continuous handling, not one-off scans.
The CRA expects manufacturers to maintain visibility into the components they ship, monitor newly disclosed vulnerabilities, and demonstrate how each one was handled across the entire support period.
Non-compliance can result in penalties of up to €15 million or 2.5% of global annual turnover, whichever is higher.
- Keep an inventory of components for every product you ship
- Continuously watch for new vulnerabilities affecting those components
- Have a documented triage process with clear ownership
- Have the data ready to report on actively exploited vulnerabilities
- Retain enough history to satisfy your audit window
An evidence pack aligned with CRA principles.
- Inventory of components in scope, by release
- Findings status and triage justifications
- Activity history (who did what, when)
- Time-bounded view of what was deployed during the period
- Retention window aligned to your obligations
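The checklist and evidence pack above describe a pipeline rather than a single scan: inventory per release, matching against advisories, a triage determination with a recorded justification, an activity history, and a retention cut-off. The following is an added example written for this page, not Quaze's code, that walks through that pipeline end to end on constructed data. The release names, package URLs, advisory IDs, ship dates and actors are all placeholders; version comparison is plain dotted-numeric and the VEX status names are a reduced vocabulary, both assumptions made to keep the example self-contained.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# All data below is constructed for illustration: placeholder package names,
# placeholder advisory IDs and fictional ship dates. Nothing refers to a real
# package or a real vulnerability.
NOW = datetime(2026, 9, 15, tzinfo=timezone.utc)

# Minimal per-release component inventory (package URL + version), the kind of
# information an SBOM carries, plus the date each release shipped.
RELEASES = {
    "widget-1.4.0": {
        "shipped": NOW - timedelta(days=400),
        "components": [
            {"purl": "pkg:pypi/examplelib", "version": "2.1.0"},
            {"purl": "pkg:npm/fakeparser", "version": "0.9.3"},
        ],
    },
    "widget-1.5.0": {
        "shipped": NOW - timedelta(days=10),
        "components": [
            {"purl": "pkg:pypi/examplelib", "version": "2.2.0"},
            {"purl": "pkg:npm/fakeparser", "version": "0.9.3"},
        ],
    },
}

# Constructed advisories: a component is affected when its version is older than fixed_in.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "purl": "pkg:pypi/examplelib", "fixed_in": "2.2.0"},
    {"id": "ADV-PLACEHOLDER-002", "purl": "pkg:npm/fakeparser", "fixed_in": "1.0.0"},
]

# Reduced VEX-style status vocabulary used for triage determinations (assumption).
VEX_STATES = {"under_investigation", "affected", "not_affected", "fixed"}


def parse_version(v):
    """Dotted numeric versions only; enough for the constructed data here."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Finding:
    release: str
    advisory: str
    purl: str
    version: str
    status: str = "under_investigation"
    justification: str = ""
    history: list = field(default_factory=list)  # (when, actor, action)


def match_findings(releases, advisories):
    """Compare every shipped component against every advisory and open one
    finding per (release, advisory) hit, dated to when the release shipped."""
    findings = []
    for name, rel in releases.items():
        for comp in rel["components"]:
            for adv in advisories:
                if comp["purl"] != adv["purl"]:
                    continue
                if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                    f = Finding(name, adv["id"], comp["purl"], comp["version"])
                    f.history.append((rel["shipped"], "system", "opened"))
                    findings.append(f)
    return findings


def triage(finding, status, justification, actor, when):
    """Record a determination. Any status other than the default needs a
    justification so the evidence pack can show why, not just what."""
    if status not in VEX_STATES:
        raise ValueError(f"unknown VEX status: {status}")
    if status != "under_investigation" and not justification:
        raise ValueError(f"status {status} requires a justification")
    finding.status = status
    finding.justification = justification
    finding.history.append((when, actor, f"status -> {status}"))


def evidence_pack(findings, now, retention_days, period_start, period_end):
    """Time-bounded view: keep each finding's events that fall inside the
    reporting period and are not older than the retention window."""
    cutoff = now - timedelta(days=retention_days)
    pack = []
    for f in findings:
        events = [e for e in f.history
                  if e[0] >= cutoff and period_start <= e[0] <= period_end]
        if events:
            pack.append({
                "release": f.release,
                "advisory": f.advisory,
                "component": f"{f.purl}@{f.version}",
                "status": f.status,
                "justification": f.justification,
                "activity": [(t.isoformat(), who, what) for t, who, what in events],
            })
    return pack


def run_demo(retention_days=365, period_days=30):
    """Open findings, triage two of them, and build a pack for the window
    [NOW - period_days, NOW + period_days]. Returns (findings, pack)."""
    findings = match_findings(RELEASES, ADVISORIES)
    triage(findings[0], "fixed", "examplelib upgraded to 2.2.0 in widget-1.5.0",
           "alice", NOW + timedelta(days=1))
    triage(findings[1], "not_affected", "vulnerable function is never called",
           "bob", NOW + timedelta(days=1))
    pack = evidence_pack(findings, NOW, retention_days,
                         NOW - timedelta(days=period_days),
                         NOW + timedelta(days=period_days))
    return findings, pack


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

Two details matter for an audit rather than a dashboard: a `not_affected` or `fixed` status is refused without a justification, and the pack is cut by both the reporting period and the retention window, so an event that is inside the period but older than retention (the 400-day-old "opened" events here, against a 365-day window) does not appear.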
How Quaze covers the obligations.
A plain-English mapping of CRA articles to what Quaze actually does for you.
- CRA obligation: Manufacturers must identify and document vulnerabilities and components in their products and address them without delay.
  What Quaze does: keeps an always-current view of every component you ship and surfaces newly disclosed vulnerabilities automatically, with a triage workflow that records the response.
- CRA obligation: Manufacturers must have a coordinated vulnerability disclosure policy and apply security updates throughout the support period.
  What Quaze does: tracks the lifecycle of each finding from disclosure through fix, with an audit trail you can include in your disclosure documentation.
- CRA obligation: Manufacturers must report actively exploited vulnerabilities and severe incidents to the relevant authority within tight timelines.
  What Quaze does: flags the affected components, environments, and releases so your reporting team has the facts before the clock starts.
- CRA obligation: Products must be designed and maintained with security in mind, including ongoing monitoring of components used.
  What Quaze does: continuous, runtime-aware tracking is the core design pattern of Quaze, not an add-on module.
Quaze is a tool, not a legal opinion. Always confirm your obligations with qualified counsel.
CRA questions, answered briefly.
When does the CRA start to apply?
The CRA entered into force in December 2024. Reporting obligations begin in September 2026, with full compliance required from late 2027 onwards.
Who does the CRA apply to?
Any manufacturer placing products with digital elements on the EU market, including software vendors, connected hardware makers, and many SaaS providers depending on scope.
What are the penalties for non-compliance?
Up to €15 million or 2.5% of global annual turnover, whichever is higher.
Does Quaze make us CRA-compliant?
No tool does. The CRA covers the whole product lifecycle, including governance, risk management, and processes Quaze does not touch. What Quaze does cover is the operational side: continuous vulnerability tracking, ownership history, and evidence packs aligned with CRA principles. The rest depends on your organization.
Keep reading
- Solution: SBOM monitoring for releases and environments. How Quaze tracks the SBOMs you generate, by product and release.
- Product: Audit-ready evidence. Scheduled evidence packs and a searchable activity history.
- Trust: Security at Quaze. Authentication, encryption, retention, sub-processors, and aligned frameworks.
Get ahead of September 2026.
Start free, or talk to sales about supporting CRA-aligned vulnerability tracking and audit evidence for your team.