The EU Cyber Resilience Act — product cybersecurity requirements with CE marking for all products with digital elements sold in the EU.
Any product with digital elements placed on the EU market, including software and IoT.
Continuous evidence pipeline available; audit support included for all customers.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Security by design and by default per Annex I.
Vulnerability handling for the product lifetime, including coordinated disclosure.
SBOM for each product with digital elements.
24-hour early warning, 72-hour incident notification, and 14-day final report for actively exploited vulnerabilities and severe incidents.
Conformity assessment and CE marking.
Free security updates throughout the declared support period.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Product CRA-tier classification (default / important class I / important class II / critical) with conformity track recommendation.
Annex I checklist auto-populated from telemetry.
Vulnerability handling pipeline with mandatory disclosure timelines.
SBOM publication per product release.
24/72/14 incident reporting timer with ENISA-compatible export.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
Annex I conformity assessment evidence.
Per-product SBOM with VEX.
Vulnerability disclosure log.
Incident reports per CRA template.
These frameworks share substantial control overlap with EU CRA. Customers running one assessment typically satisfy the others with the same evidence base.
European Union
The expanded EU network and information security directive, covering essential and important entities across 18 sectors.
European Union
The EU directive on resilience of critical entities — physical and operational resilience baseline for 11 sectors including energy, transport, banking, and digital infrastructure.
North America
The Secure Software Development Framework that backs EO 14028, the CISA attestation form, and most modern software supply-chain mandates.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.