Product Security Solution: end-to-end CRA compliance
For hardware manufacturers, SaaS editors, IoT makers and industrial equipment suppliers placing products with digital elements on the EU market.
Your 2026-2027 CRA challenges
CRA applicable in 20 months
The Cyber Resilience Act, applicable on 11 December 2027, imposes cybersecurity CE marking, an SBOM, CVD and the Annex I matrix. Fines reach up to €15M or 2.5% of global turnover.
SBOM: an inventory impossible to maintain manually
Your products contain 100-10,000 open-source components. That is impossible to track manually, let alone cross-reference with emerging CVEs.
CVD mandatory but no process yet
You must publish a coordinated disclosure policy and a security.txt file. Without tooling, researcher reports get lost in a generic mailbox.
5-15 year support hard to track
Long support obligations clash with typical product cycles. You need a system that automatically drives EOL alerts and patch cadence.
What ResiPlan delivers
Complete PDE Registry
Inventory every product with its classification (non-critical → critical), assessment route and CE status. Linked to your existing CMDB.
Automated CycloneDX / SPDX SBOM
Drag-and-drop import, instant parsing, automatic CVE cross-reference per component. Alerts on new vulnerabilities.
Turnkey CVD portal
RFC 9116-compliant security.txt, public form, 8-state triage workflow and 30-day SLA tracking for CVSS ≥ 7.
Patch lifecycle
5-year or 15-year support clock per classification. Patch history linked to fixed CVEs. Customer notification log.
Annex I evidence matrix
13 essential requirements × products, evidence attachments (tests, pentest, code review). Readiness score for Declaration of Conformity.
Audit dossier ready
Pre-assembled audit pack per product. Mock audit mode. 15-business-day timer when a real request arrives from an authority.
Built for
If you are in one of these roles, ResiPlan gives you the tooling to steer your CRA compliance.