COMPLIANCE · CRA · EU 2024/2847

Not just compliant —
demonstrably compliant

VAST helps structure and maintain a coherent approach aligned with CRA requirements, and demonstrate it to clients, auditors and regulators.

What the CRA requires — What VAST covers

The 4 pillars

The Cyber Resilience Act imposes four fundamental requirements on manufacturers of connected products sold in the EU.

01

Security by design

CRA requirement: Annex I requires 12 essential security requirements before placing the product on the market.

What VAST does: VAST structures the risk analysis and documents decisions taken on each requirement, version by version.

02

Continuous vulnerability management

CRA requirement: Manufacturers must monitor, assess and treat vulnerabilities throughout the declared support duration.

What VAST does: VAST correlates CVEs with your real assets, prioritises by actual exposure and documents every fix/mitigate/accept decision.

03

PSIRT & 24h ENISA notification

CRA requirement: Any actively exploited vulnerability must be notified to ENISA within 24 hours, with a full report within 14 days.

What VAST does: VAST detects concerned assets, generates the VEX and prepares notification elements within the required timeframe.

04

Technical documentation & evidence

CRA requirement: Complete technical documentation must be maintained and the product support duration publicly declared.

What VAST does: VAST generates versioned reports, exportable SBOMs and shareable evidence without disclosing architecture or IP.

CRA compliance

December 2027 is closer than it seems

Setting up SBOM, CVE monitoring, PSIRT and technical documentation takes 4 to 6 months. The right time to start is now.
