EU Cyber Resilience Act (CRA)
From your code to a CE-marked CRA dossier.
Normproof scans your product, finds what the Cyber Resilience Act requires, and generates the technical documentation, SBOM, and signed EU Declaration of Conformity you need to CE-mark it — and keeps it compliant as new vulnerabilities appear.
Built for the ~90% of products that can self-assess. No consultants. Deadlines: vulnerability reporting from 11 Sep 2026, full compliance by 11 Dec 2027.
How it works
- 1
Connect
Point Normproof at your repository, build, or an existing SBOM.
- 2
See your gaps
Live vulnerability findings plus a plain-language CRA readiness report mapped to Annex I.
- 3
Get your dossier
Generate the technical documentation and signed EU Declaration of Conformity, then stay compliant with continuous monitoring.
Not sure if the CRA even applies to you?
Answer 4 questions and get your product's CRA category, your obligations, and your deadlines — in 60 seconds, free.
- Self-assessment, done for you
- ~90% of products can self-assess under the CRA. Normproof produces the evidence and documents so you don't need a notified body or a consultant.
- Evidence that holds up
- Every dossier records the exact SBOM, rules version, and vulnerability data behind it — reproducible and audit-ready.
- Compliance that stays current
- New CVE in one of your components? Normproof alerts you and guides the 24-hour reporting duty. Compliance isn't a one-time PDF.
Stop dreading the CRA deadline.
Start with the free readiness check — see exactly what you need, then let Normproof build it.