CRA Compliance Platform

Automate CRA Compliance Before the Deadline

Complaro helps product engineering teams move from SBOM to full CRA compliance. Vulnerability intelligence from NVD, CISA KEV, and GitHub Security Advisories with ENISA-ready reports generated in minutes, not weeks.

One product, unlimited scans, no credit card

Product Dashboard
3 products · Last scan 2 min ago
Payment Service · Default · 92 · No vulnerabilities
IoT Gateway · Class I · 78 · 2 vulnerabilities found
Auth Library · Class II · 85 · 1 vulnerability found

How It Works

From SBOM to CRA Compliance Readiness

Three steps between uploading your first SBOM and generating a fully compliant incident report.

SBOM Analysis
express 4.18.2 ...
lodash 4.17.21 ...
xz-utils 5.6.0 ...
openssl 3.1.4 ...
Classification: Default (Art. 6)
4 components analyzed · 1 critical, 1 warning
01

Identify and Classify Your Products

Upload your Software Bill of Materials or let cra-scanner detect one. The platform maps every component against CRA Annex III and Annex IV to determine your product classification and which essential requirements apply.

Vulnerability Detected
CRITICAL
CVE-2024-3094
xz-utils 5.6.0 · Actively exploited
CVSS: 9.8
CISA KEV: Yes
EPSS: 0.97
24h ENISA reporting triggered
Article 14(2)(a) · Early warning required
NVD
CISA KEV
GitHub SA
02

Scan for Known Vulnerabilities

Complaro matches your SBOM components against NVD, CISA Known Exploited Vulnerabilities, and GitHub Security Advisories. Version-aware matching reduces false positives while flagging actively exploited CVEs that trigger the 24-hour ENISA reporting obligation.

ENISA Report
Ready to submit
Subject: Early Warning — CVE-2024-3094
Report Type: 24h Early Warning
Product: IoT Gateway v2.1
Affected Component: xz-utils 5.6.0
CVSS Score: 9.8 Critical
ENISA Reference: Art. 14(2)(a)
03

Generate ENISA-Format Reports

Export pre-filled vulnerability reports in the three CRA-mandated formats: 24-hour early warning, 72-hour incident notification, and 14-day final report. Available as PDF and machine-readable JSON.

Platform

Purpose-Built for the EU Cyber Resilience Act

Unlike general-purpose vulnerability scanners, Complaro is designed specifically for CRA compliance. The platform understands CRA product classification and scores your readiness across five compliance dimensions.

Integration

CI/CD Integration

Connect Complaro to your development workflow. Scan SBOMs automatically on every release and catch compliance issues before they ship.

GitHub Actions
GitLab CI
Jira
Slack
complaro-ci / main · running...
Push to main
feat: update payment-service SBOM · 14s ago
Generate SBOM...
Vulnerability Scan
CRA Classification
Compliance Check
Upload Report
Critical Alert

24-Hour Vulnerability Reporting

When a CVE hits your dependencies, Complaro flags it, calculates your reporting deadline, and generates the ENISA report before your team has finished their morning coffee.

24h Early Warning
72h Notification
14d Final Report
Actively exploited vulnerability detected
Just now · Automatic scan
CRITICAL
CVE-2024-3094
xz-utils 5.6.0 · Backdoor in upstream distribution tarball
CVSS: 9.8
CISA KEV · NVD · GitHub Advisory · EPSS: 0.97
Article 14(2)(a) — Early warning deadline · Started 15h 36m ago
8h 24m remaining · 24h deadline
Reports

ENISA Report Generation

Reports come pre-filled with data from your scan. Add the details only your team knows, export as PDF or JSON, and submit to ENISA.

Dashboard

Multi-Product Dashboard

Manage compliance across your entire product portfolio from a single interface. Track everything per product.

Why Complaro

Meet the CRA with Confidence

What changes when CRA compliance runs in the background instead of blocking your roadmap.

Vulnerability Reports in Minutes, Not Weeks

The CRA gives you one day to report an exploited vulnerability. Complaro helps you generate the report in minutes.

Built for Engineers

Made for the team that actually manages dependencies, not for consultants filling out PDFs.

Every Product. One View.

Whether you ship one product or a hundred, every compliance score and deadline lives in the same dashboard.

Fits What You Already Use

Imports SBOMs from Snyk, Sonatype, Trivy, or your own pipeline. Nothing to rip and replace.

Always Watching

NVD, CISA KEV, and GitHub Advisories are checked continuously. You hear about new threats before your morning standup.

Not a Consulting Invoice

Traditional CRA assessments can cost tens of thousands in consulting fees. Complaro starts free.

Pricing

Simple, Transparent Pricing

CRA compliance that scales with your product portfolio. Start free, upgrade when you need ENISA reporting.

Free

€0/month
  • 1 product
  • Unlimited scans
  • SBOM import (CycloneDX & SPDX)
  • Vulnerability scanning (NVD, CISA KEV, GitHub Advisories)
  • Compliance score
Popular

SMV

€299/month
  • Up to 10 products
  • Everything in Free
  • ENISA report generation (24h, 72h, 14d)
  • PDF & JSON export
  • All CI/CD integrations
  • Slack & Jira notifications

Mid-market

€899/month
  • Up to 50 products
  • Everything in SMV
  • Priority support
  • Custom classification rules
  • Advanced compliance analytics
  • Dedicated onboarding

All prices exclude VAT where applicable.

Need more than 50 products? Contact us for enterprise pricing.

About

Who We Are

Complaro is a Copenhagen-based team focused exclusively on EU Cyber Resilience Act tooling. We build open source tools including cra-scanner, a free CLI for CRA readiness assessment, and this platform for teams that need continuous compliance management.

FAQ

Your Questions, Answered

Answers to your most common questions about the CRA and Complaro.

The CRA (Regulation 2024/2847) is an EU regulation requiring manufacturers of products with digital elements to meet cybersecurity requirements throughout the product lifecycle. It covers vulnerability handling, SBOM provision, and incident reporting to ENISA.
Reporting obligations start 11 September 2026. All other requirements (vulnerability handling, SBOM, documentation, conformity assessment) apply from 11 December 2027.
Any manufacturer placing a product with digital elements on the EU market, including commercial software, IoT devices, and open-source projects with a commercial activity. SaaS is generally out of scope unless it involves embedded or downloadable components.
A Software Bill of Materials is a machine-readable inventory of all components in your software. The CRA requires it under Article 13(5) and Annex I Part II(1) so that downstream users and market surveillance authorities can identify vulnerable components.
Complaro automates the three hardest parts: classifying your products under CRA Annex III/IV, continuously scanning for known vulnerabilities, and generating ENISA-format incident reports when actively exploited vulnerabilities are discovered. The platform scores your readiness across five CRA compliance dimensions.

Start Your Free CRA Assessment

Free plan includes one product with unlimited scans and full compliance scoring.