The Cyber Resilience Act requires reporting actively exploited vulnerabilities to ENISA within 24 hours. Most companies aren't ready. Here's how to build an incident response process that actually works, with automated deadline tracking and report generation.
Connect your GitHub account and ResilienceWP auto-imports every dependency from your repositories — npm, PyPI, Go, Rust, Maven, Packagist, NuGet, and WordPress. Every dependency is scanned against OSV.dev and WPScan on weekly or daily schedules. When a vulnerability is actively exploited, the Incident Center starts your 24-hour ENISA clock and guides you through each notification stage. The Document Generator produces your Vulnerability Disclosure Policy, SBOM, Risk Assessment, and EU Declaration of Conformity from your live data.
The EU Cyber Resilience Act applies to every software product with digital elements placed on the EU market, regardless of where the developer is based. SaaS companies, open-source maintainers with commercial activity, plugin and extension developers, and software vendors shipping desktop apps, libraries, or developer tools to EU users are all in scope.
Article 14 requires notification to ENISA within 24 hours of becoming aware of an actively exploited vulnerability, a follow-up notification within 72 hours, and a final report within 14 days. Annex I requires products to ship without known exploitable vulnerabilities and to receive security updates throughout their supported lifetime. Article 13 requires a risk assessment, a vulnerability disclosure policy, a Software Bill of Materials (SBOM), and an EU Declaration of Conformity for each product.
Features include: GitHub integration, a dependency scanner, an incident center with ENISA deadline tracking, a document generator with eight CRA-required templates, a CRA controls tracker with 28 controls mapped to specific articles, a product classification wizard, obligation tracking, cross-framework mapping to NIS2 and ISO 27001, a live compliance score, CycloneDX SBOM export, PDF compliance reports, and webhook integrations.
EU market surveillance authorities can impose fines of up to €15 million or 2.5% of global annual revenue for failure to meet essential cybersecurity requirements, and up to €10 million or 2% for other infringements including missed reporting deadlines. Authorities can also force product withdrawal from the EU market.