Ketryx for the EU CRA
EU CRA compliance, without restructuring your workflows
Ketryx helps teams meet the EU Cyber Resilience Act's obligations for products with digital elements, spanning SBOMs, vulnerability reporting, secure-by-design evidence, and 10-year documentation retention.
A step change in cybersecurity obligations
Process immaturity meets sweeping new requirements
The CRA demands secure-by-design development, secure-by-default configurations, and documented risk assessments — built into the development process, not assembled retroactively. Many manufacturers, particularly in sectors that have historically been hardware-centric or only lightly regulated from a software perspective, face a significant readiness gap.
24-hour reporting windows demand systematic tooling
Actively exploited vulnerabilities must be reported to the European Union Agency for Cybersecurity (ENISA) within 24 hours, with a full analysis within 72 hours and a final report within 14 days. Without systematic dependency tracking, manufacturers cannot identify, let alone report, affected components within these windows.
Tooling fragmentation with no unified evidence trail
Requirements in one tool, risks in another, test results in a third, and no unified evidence trail connecting them. The CRA requires comprehensive technical files, risk assessments, and conformity declarations retained for up to 10 years. Manual or fragmented document management at this scale, across multiple product versions and release cycles, is not sustainable.
The Problem
Cybersecurity, risk management, and traceability can no longer live in silos
The CRA adds a new horizontal cybersecurity layer on top of existing vertical regulations including MDR/IVDR, NIS2, GDPR, and CE marking. The cumulative effect is that manufacturers can no longer treat cybersecurity, risk management, and traceability as separate compliance workstreams. The regulatory expectation is an integrated, evidence-based development process where security requirements are traced to design outputs and test results, dependencies are continuously monitored, risk assessments are living documents, and all of it is audit-ready and retained for up to 10 years.
How Ketryx can help
Ketryx is an AI-powered compliance platform purpose-built for the development lifecycle of regulated software products. Rather than bolting compliance onto an existing development workflow, Ketryx makes compliance the workflow by integrating SBOM generation, vulnerability management, traceability, and documentation into your existing tools like Jira, GitHub, and Azure DevOps.
SBOM
Automated SBOM generation and dependency intelligence
Generate and maintain machine-readable SBOMs automatically from connected Git repositories. CycloneDX and SPDX formats, with rich dependency metadata and per-release snapshots.
Auto-scan package manifests (package.json, pom.xml, requirements.txt, Podfile, and more)
CycloneDX and SPDX format support, ingested directly via CI/CD pipeline
Per-release SBOM snapshots for a verifiable record of every shipped version
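The SBOM workflow above, as an added example that is not Ketryx's code: it builds a CycloneDX 1.5 JSON document from a constructed package.json, resolving manifest ranges through a constructed lockfile stand-in (RESOLVED), and names each snapshot per product release. All product and dependency names are made up for the illustration.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed manifest standing in for a real package.json (not from any real project).
PACKAGE_JSON = json.dumps({
    "name": "infusion-pump-ui", "version": "2.3.0",
    "dependencies": {"express": "^4.18.2", "lodash": "~4.17.21"},
    "devDependencies": {"jest": "^29.7.0"},
})
# Constructed stand-in for a lockfile: manifest ranges like "^4.18.2" are not exact,
# and an SBOM must record the version that actually shipped.
RESOLVED = {"express": "4.18.2", "lodash": "4.17.21", "jest": "29.7.0"}

def build_cyclonedx(manifest_text, resolved, include_dev=False):
    """Return a CycloneDX 1.5 JSON document for one release of the manifest's product."""
    manifest = json.loads(manifest_text)
    deps = dict(manifest.get("dependencies", {}))
    if include_dev:
        deps.update(manifest.get("devDependencies", {}))
    components = []
    for name, requested in sorted(deps.items()):
        if name not in resolved:  # refuse to guess: an SBOM with wrong versions misleads scanners
            raise ValueError(f"{name} ({requested}) has no resolved version; lockfile missing?")
        version = resolved[name]
        components.append({
            "type": "library", "name": name, "version": version,
            "purl": f"pkg:npm/{name}@{version}",  # Package URL: the key vulnerability feeds match on
        })
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",  # unique per generated snapshot
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": manifest["name"],
                          "version": manifest["version"]},
        },
        "components": components,
    }

def snapshot_filename(bom):
    """Per-release file name so every shipped version keeps its own SBOM record."""
    meta = bom["metadata"]["component"]
    return f"sbom-{meta['name']}-{meta['version']}.cdx.json"

if __name__ == "__main__":
    bom = build_cyclonedx(PACKAGE_JSON, RESOLVED)
    print(snapshot_filename(bom))
    print(json.dumps(bom, indent=2))
```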
Vulnerability Management
Structured vulnerability management and CRA reporting support
Ketryx provides an end-to-end vulnerability management workflow, from automated scanning and change impact assessments to structured exports for ENISA's Single Reporting Platform. Teams get the real-time visibility, structured workflows, and documentary evidence needed to meet the CRA's 24h/72h reporting windows.
Continuous GHSA and NVD monitoring with automatic Vulnerability Advisory generation for affected dependencies
ISO 14971-aligned impact assessments with CVSS v3.1 and v4.0 scoring, environmental profiles, and treatment decisions
Structured Vulnerability Report export including CVE IDs, CVSS scores, affected dependency and product versions, and remediation status, providing the structured evidence base needed to support CRA vulnerability reporting and notification obligations
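The matching and export step described above, as an added example that is not Ketryx's code: constructed advisories (placeholder CVE IDs standing in for GHSA/NVD entries) are matched against a constructed component list by Package URL and version range, producing report rows with CVE ID, CVSS score, affected dependency and product versions, and remediation status; cra_deadlines derives the 24h/72h/14-day clock from the moment of awareness.

```python
from datetime import datetime, timedelta

# Constructed CycloneDX-style component list for one product release (not a real product).
PRODUCT = {"name": "infusion-pump-ui", "version": "2.3.0"}
COMPONENTS = [
    {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "minimist", "version": "1.2.5", "purl": "pkg:npm/minimist@1.2.5"},
]
# Constructed advisories standing in for GHSA/NVD feed entries; the CVE IDs are placeholders.
ADVISORIES = [
    {"cve": "CVE-0000-00001", "package": "pkg:npm/minimist", "cvss": 9.8, "introduced": "0.0.0", "fixed": "1.2.6"},
    {"cve": "CVE-0000-00002", "package": "pkg:npm/lodash", "cvss": 7.2, "introduced": "0.0.0", "fixed": "4.17.21"},
    {"cve": "CVE-0000-00003", "package": "pkg:npm/express", "cvss": 5.3, "introduced": "4.0.0", "fixed": None},
]

def vtuple(version):  # dotted numeric version -> comparable tuple (prerelease tags out of scope)
    return tuple(int(p) for p in version.split("."))

def is_affected(version, adv):
    """Affected if introduced <= version < fixed, or if no fixed version exists yet."""
    v = vtuple(version)
    if v < vtuple(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < vtuple(adv["fixed"])

def severity(score):  # CVSS v3.1 qualitative rating bands
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def build_report(product, components, advisories):
    """Structured rows: CVE, score, affected dependency and product versions, remediation."""
    rows = []
    for comp in components:
        package = comp["purl"].rsplit("@", 1)[0]  # drop the version: pkg:npm/minimist
        for adv in advisories:
            if adv["package"] == package and is_affected(comp["version"], adv):
                rows.append({
                    "cve_id": adv["cve"], "cvss_score": adv["cvss"], "severity": severity(adv["cvss"]),
                    "dependency": comp["name"], "dependency_version": comp["version"],
                    "product": product["name"], "product_version": product["version"],
                    "remediation": f"upgrade to {adv['fixed']}" if adv["fixed"] else "no fix available; mitigate",
                    "status": "open",
                })
    return sorted(rows, key=lambda r: -r["cvss_score"])  # worst first

def cra_deadlines(aware_at_iso):
    """Reporting clock from the moment of awareness (ISO 8601): 24h early warning, 72h notification, 14d final report."""
    t = datetime.fromisoformat(aware_at_iso)
    return {k: (t + d).isoformat() for k, d in (("early_warning", timedelta(hours=24)),
            ("notification", timedelta(hours=72)), ("final_report", timedelta(days=14)))}
```

Note that lodash produces no row: the shipped version equals the fixed version, which is exactly the comparison a report must get right to avoid false positives.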
Traceability
Integrated requirements, risk, and traceability management
The CRA's 'secure by design' mandate requires manufacturers to demonstrate that cybersecurity risks were systematically identified, assessed, mitigated, and verified during development. Ketryx provides a unified environment for the entire design control and risk management workflow: a complete, auditable evidence chain.
Full V-model traceability: requirements to design outputs to implementation to test cases and test executions
Real-time traceability matrix showing coverage gaps: requirements without tests, risks without controls, controls without passing test executions
KQL-powered querying to instantly identify non-compliant states across your product
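The three coverage checks listed above (requirements without tests, risks without controls, controls without a passing execution), as an added example that is not Ketryx's code and does not use KQL: it runs them over constructed items, trace links and test executions, counting only passes recorded against the release under review, and adds a simple release gate of the kind the Enforcement section describes.

```python
# Constructed project items standing in for requirements, risks, controls and tests
# as they would be tracked in Jira or GitHub (not data from any real product).
ITEMS = [
    {"id": "REQ-1", "type": "requirement", "title": "Session tokens expire after 15 minutes"},
    {"id": "REQ-2", "type": "requirement", "title": "Firmware update images are signed"},
    {"id": "RISK-1", "type": "risk", "title": "Unsigned firmware accepted by the updater"},
    {"id": "RISK-2", "type": "risk", "title": "Default administrator credentials left in place"},
    {"id": "CTRL-1", "type": "control", "title": "Verify image signature before flashing"},
    {"id": "CTRL-2", "type": "control", "title": "Force credential change on first boot"},
    {"id": "TC-1", "type": "test", "title": "Tampered firmware image is rejected"},
    {"id": "TC-2", "type": "test", "title": "First boot prompts for new credentials"},
]
# Directed trace links (source, target): requirement->test, risk->control, control->test.
LINKS = [("REQ-2", "TC-1"), ("RISK-1", "CTRL-1"), ("RISK-2", "CTRL-2"),
         ("CTRL-1", "TC-1"), ("CTRL-2", "TC-2")]
# Test executions; only passes recorded against the release under review count as evidence.
EXECUTIONS = [
    {"test": "TC-1", "version": "2.3.0", "result": "pass"},
    {"test": "TC-2", "version": "2.2.0", "result": "pass"},  # stale: earlier release
    {"test": "TC-2", "version": "2.3.0", "result": "fail"},
]

def ids_of(items, kind):
    return {i["id"] for i in items if i["type"] == kind}

def targets_of(links, source, allowed):
    """Items of the allowed set that `source` traces to."""
    return {t for s, t in links if s == source and t in allowed}

def coverage_gaps(items, links, executions, version):
    """Traceability-matrix gaps for one release: the three checks the text lists."""
    reqs, risks, ctrls, tests = (ids_of(items, k) for k in ("requirement", "risk", "control", "test"))
    passing = {e["test"] for e in executions if e["version"] == version and e["result"] == "pass"}
    return {
        "requirements_without_tests": sorted(r for r in reqs if not targets_of(links, r, tests)),
        "risks_without_controls": sorted(r for r in risks if not targets_of(links, r, ctrls)),
        "controls_without_passing_test": sorted(
            c for c in ctrls if not (targets_of(links, c, tests) & passing)),
    }

def is_release_ready(gaps):
    """Release gate: every gap list must be empty before the version may ship."""
    return not any(gaps.values())

if __name__ == "__main__":
    gaps = coverage_gaps(ITEMS, LINKS, EXECUTIONS, "2.3.0")
    for check, ids in gaps.items():
        print(f"{check}: {ids or 'none'}")
    print("release ready:", is_release_ready(gaps))
```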
Documentation
Automated technical documentation and lifecycle records
The CRA requires manufacturers to compile and retain comprehensive technical documentation for up to 10 years, available to market surveillance authorities on request. Ketryx automates the generation and management of the required technical file, producing version-locked documents directly from living project data at the click of a button.
Auto-generated SRS, SDD, Risk Management File, Traceability Matrix, SBOM, and Vulnerability Report
Electronic signatures compliant with 21 CFR Part 11 and EU standards
Immutable audit trail logging every change to every item across versions
Enforcement
Enforce SOPs with engineering controls
Prevent non-compliant releases before they ship. Configurable approval workflows, automated control mapping, and robust verification and validation across the entire stack.
Multi-group approval workflows with configurable sign-off gates
Automated mapping of risk controls to implementation and test evidence
Change Request and CAPA workflows with full traceability chains
AI Agents
AI agents that accelerate compliance, not just flag gaps
Ketryx AI agents scan your systems for compliance gaps, review changes for regulatory impact, and generate documentation drafts, all with human-in-the-loop approval ensuring quality and regulatory defensibility. Originally designed to automate FDA documentation, these capabilities map directly onto CRA obligations.
AI-powered change impact analysis across requirements, code, and test layers
Automated gap detection in traceability and documentation coverage
Human-in-the-loop workflows ensuring quality and regulatory defensibility for every AI-generated output