# Cyber Resilience Platform

> AI-readable documentation for Cyber Resilience Platform - comprehensive SaaS for EU CRA compliance

## Overview

The Cyber Resilience Platform is a specialized SaaS application that helps organizations achieve and maintain compliance with the EU Cyber Resilience Act (CRA). It provides comprehensive CRA compliance automation including guided risk assessments, intelligent vulnerability management, SBOM intelligence with real-time CVE tracking, automated remediation workflows, and complete evidence documentation. It is built specifically for manufacturers, importers, and distributors of digital products subject to CRA requirements.

## What is the EU Cyber Resilience Act?

The EU Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for digital products sold in the EU. It applies to manufacturers, importers, and distributors of software, hardware, and connected devices.

Key Requirements:

- Secure by Design: Products designed with security from the start
- Vulnerability Management: Track and remediate vulnerabilities throughout the lifecycle
- Transparency: Maintain an SBOM and document security practices
- Support Period: Guarantee security updates (typically 5 years minimum)
- Documentation: Prepare technical documentation and the EU Declaration of Conformity

## Core Features

### 1. CRA Compliance Assessments

Three assessment templates aligned to product criticality levels:

- **Default Products CRA Baseline**: Standard assessment for products
- **Important Products CRA Enhanced**: Extended assessment for important products
- **Critical Products CRA Comprehensive**: Full maturity assessment for critical products

Capabilities:

- 39 CRA-aligned questions mapped to Cyber Resilience Act Annexes I, IV, VI, and VII
- Seven assessment domains: Governance, Risk Management, Vulnerability Handling, Technical Controls, Incident Response, Documentation & Compliance, Lifecycle Support
- Multiple question types: Boolean (Yes/No with evidence), scale (1-5 maturity), multiple-choice, free-form text
- Evidence collection at question level with file upload and encryption support
- Real-time auto-save with live compliance scoring (0-100%)
- Automated gap analysis and maturity level mapping
- Assessment completion percentage tracking
- Domain-based category scoring
- CRA requirement reference mapping for each question
- Historical assessment tracking for compliance trend analysis

### 2. Intelligent Scoring Engine

- Weighted question scoring with criticality multipliers (0.5–2.0 base weight)
- Multi-dimensional scoring across assessment domains
- Maturity level assessment (0-5 scales mapped to capability levels)
- Automated gap detection: identify missing controls and evidence
- Regulatory requirement mapping: see which CRA annexes are satisfied
- Score history and compliance trend tracking
- Integration with remediation planning for evidence-driven workflows

### 3. SBOM & Vulnerability Intelligence

- Parse and validate CycloneDX 1.x and SPDX 2.x formats
- Automatic CVE detection: NVD integration with continuous updates
- Daily automated SBOM rescan: After each NVD feed update, all unlocked assessment SBOMs are automatically rescanned
- CVE detection email alerts: Branded notification emails for critical/high severity findings with direct links to remediation
- Dashboard notifications for newly detected CVEs (type: cve_detected)
- Auto-generated remediation suggestion drafts on each daily rescan (pending, require human review)
- Component dependency analysis and supply chain visibility
- Scan history persistence with tracking of multiple SBOM versions
- Raw SBOM content storage for audit compliance
- Vulnerability false positive reporting and management
- Asset inventory and tracking with product-centric organization
- Risk scoring per component based on CVE severity and exploitability
- Component-to-CVE traceability for remediation planning
- SBOM component metadata encrypted at rest with AES-256-GCM

### 4. Remediation Planning & Workflows

- Create remediation plans from assessment gaps or SBOM vulnerabilities
- Priority-based workflows: Low, Medium, High, Critical severity levels
- Status tracking: Open, In Progress, Completed, Blocked
- Milestone and due-date management for progress tracking
- Auto-generated remediation suggestions with accept/reject workflow
- Assignment to users and teams with notification tracking
- Cross-linking to CVEs, ticket systems, and external references
- Overdue detection and escalation alerts
- Remediation evidence tracking and completion validation

### 5. Document of Conformity (DoC) Generation

- Automated EU Declaration of Conformity generation fully compliant with CRA Annex V
- Multi-language support: 24 EU languages with validation gating
- Validation system: Data completeness checks plus translation sufficiency (>95% threshold required)
- Parallel PDF generation (5 concurrent processes) for performance
- ZIP archive creation for multi-locale regulatory export
- Digital signature management and enforcement
- Validation audit logging: Comprehensive tracking of all generation attempts and failures
- 10-year audit retention for regulatory compliance
- Pre-generation validation prevents incomplete or invalid documentation exports

### 6. Evidence & Documentation Management

- Technical documentation upload and version control
- Assessment evidence artifact tracking with AES-256-GCM encryption (files and metadata)
- Enriched content system: contextual articles, videos, glossary, external references
- Content organized by topic with view tracking for analytics
- Multi-language technical documentation support
- File storage with soft-delete and archival capabilities

### 7. Reports & Exports

Dedicated Reports page (/reports) with two tabs: Reports and Scheduled Reports.
**On-demand report types:**

- Assessment Readiness Summary: Overall compliance posture, maturity scores, domain breakdown, top gaps with CRA requirement mapping
- Vulnerability Exposure Overview: CVE inventory, severity distribution, component exposure, remediation linkage
- Remediation Progress Report: Plan status breakdown, overdue items, upcoming deadlines, suggested drafts, priority and owner breakdown

**Export formats:** PDF (branded, paginated, multi-language), CSV (spreadsheet-ready), JSON (API integration)

**Scheduled reports:**

- Define recurring schedules (daily/weekly/monthly) for any report type
- Automatic email delivery with the report file attached
- Format selection per schedule (PDF, CSV, JSON)
- Schedule management UI with edit and delete

**Report generation:**

- Multi-language PDF output (matches platform locale)
- Page headers/footers with branding, date, and organization name
- Methodology appendix page on each PDF
- Report history stored per user with download links

### 8. Analytics & Insights

- Daily organization metrics: Completeness scores, compliance levels, vulnerability counts
- Module usage breakdown: Which features are most used across teams
- Document status summary: Draft, In Progress, Completed, Failed generation tracking
- Signature throughput analytics and signature workflow monitoring
- Assessment completion and scoring trends over time
- Vulnerability remediation progress visualization
- Monthly analytics aggregation: Pre-computed monthly tables for accounts, usage (assets, assessments, remediations), and subscription/billing metrics
- Incremental aggregation job runs nightly at 3 AM; historical backfill is available via the admin API
- Admin-level analytics: Accounts, assets, assessments, remediations, revenue tracking
- Admin API endpoints for triggering backfill and fetching trend summaries

### 9. Data Security & Encryption

All sensitive data is encrypted at rest using AES-256-GCM:

- **SBOM component metadata**: Name, version, PURL, licenses, external references
- **CVE/vulnerability data**: Vulnerability findings stored encrypted per scan
- **Product details**: Product name, version, intended use, support period in assessments
- **Evidence files**: Uploaded evidence artifacts (in production since initial release)
- Encryption audit log: Every encrypt/decrypt operation is logged with table, row ID, duration, and outcome
- Backward compatibility: Plaintext column fallback during migration periods
- Key management: Separate encryption keys per data domain (SBOM, CVE, product, evidence)
- All encryption operations are transparent to the application layer

### 10. Internationalization (i18n)

The platform UI supports 6 languages with full coverage across all major features:

- English (en), German (de), French (fr), Spanish (es), Italian (it), Dutch (nl)
- Assessment module: All questions, domains, labels, placeholders, and gap analysis messages
- Document generation panel: Blocking issue messages, completeness indicators
- Platform navigation, dashboard, and settings
- 50+ additional translation keys added for the assessment product form and readiness checks
- Language selection persisted per user session

## Pricing

**Free** - €0/month

- 1 user
- 1 assessment
- 1 asset
- 5 remediation plans

**Pro** - €59/month

- 1 user
- 5 assessments
- 5 assets
- 20 remediation plans
- Additional seat: €19/month

**Business** - €299/month

- 1 administrator (can add/remove users)
- Unlimited assessments
- Unlimited users
- Unlimited assets
- Unlimited remediation plans

**Enterprise** - Custom Pricing

- 1 administrator (can add/remove users)
- Unlimited assessments
- Unlimited users
- Unlimited assets
- Unlimited remediation plans
- On-premise installation

## Regulatory Alignment

The platform is purposefully built for EU Cyber Resilience Act (CRA) compliance:

- Direct mapping to CRA Annexes I (Cybersecurity Requirements), IV (Example Cybersecurity Processes), VI (Free and Open-Source Software), and VII (Implementation Deadlines)
- Assessment questions tailored to specific regulatory mandates
- DoC generation compliant with CRA Annex V requirements
- Guidance for navigating CRA vs. NIS2, GDPR, and product safety regulation overlaps
- Lifecycle support documentation aligned with CRA support period mandates
- SBOM requirements aligned with CRA transparency obligations

## Key Differentiators

- **CRA-native compliance automation**: Built specifically for CRA requirements, not a generic GRC tool retrofitted to CRA
- **Evidence-driven assessment workflows**: Evidence collection and artifact tracking with full AES-256-GCM encryption built into core assessments
- **Intelligent SBOM & vulnerability intelligence**: Real-time CVE detection, daily automated rescanning, false positive management, and component-to-remediation linkage
- **Automated remediation workflows**: AI-generated suggestions with status tracking, milestone management, and assignment workflows
- **Comprehensive documentation validation**: Pre-generation validation prevents submission of incomplete or untranslated DoC files
- **Compliance reports & exports**: Three dedicated report types (Assessment Readiness, Vulnerability Exposure, Remediation Progress) with PDF/CSV/JSON export and scheduled delivery
- **End-to-end data encryption**: AES-256-GCM encryption for all sensitive data at rest (SBOM components, CVE data, product details, and evidence files) with full audit logging
- **Multi-language platform**: Full UI and report output in 6 EU languages (EN, DE, FR, ES, IT, NL)
- **Regulatory compliance readiness**: Compliance evidence tracking and signature management for regulatory inspections
- **Affordable pricing** with transparent feature access
- **Developer-friendly design** with clear API documentation and integration pathways

## Resources & Learning

The platform provides comprehensive guides and best practices tailored to CRA compliance workflows:

### Getting Started

- EU Cyber Resilience Act (CRA) Compliance Guide (/resources/cra-compliance-guide)
  Complete guide covering who must comply, key requirements, SBOM obligations, vulnerability management, lifecycle support, and platform support.
- Onboarding Guide (/docs/onboarding)
  Step-by-step quickstart: account setup, SBOM import, running multi-template assessments, evidence collection, remediation planning, and DoC generation.
- CRA Readiness Assessment (/resources/cra-readiness-assessment)
  Evaluate organizational readiness for CRA compliance before a formal assessment.

### Feature & Workflow Guides

- SBOM Best Practices (/resources/sbom-best-practices)
  Practical guidance on CycloneDX and SPDX formats, CI/CD integration, validation, CVE linkage, maintenance, and compliance tracking.
- Vulnerability Management Guide (/resources/vulnerability-management-guide)
  Core CRA-aligned processes: intake, triage, SLAs, remediation tracking, coordinated disclosure timelines, and continuous monitoring.
- Remediation Workflow Guide (/resources/remediation-workflows)
  End-to-end remediation planning: priority assessment, milestone scheduling, team assignment, evidence tracking, and compliance reporting.
- Document of Conformity Guide (/resources/doc-generation-guide)
  Generating and validating your EU Declaration of Conformity: data completeness, translation requirements, signature management, and regulatory submission.
- Reports & Exports Guide (/resources/reports-guide)
  Generating Assessment Readiness, Vulnerability Exposure, and Remediation Progress reports. Configuring scheduled reports, selecting export formats (PDF/CSV/JSON), and using report data for regulatory submissions.
### Comparisons & Context

- CRA vs Other Regulations (/resources/cra-vs-other-regulations)
  How the EU Cyber Resilience Act compares to NIS2, GDPR, and product safety regulations: scope, obligations, practical overlaps, and applicability assessment.
- Cyber Resilience vs Cybersecurity (/resources/cyber-resilience-definition)
  Understanding the difference between general cybersecurity and CRA-specific resilience requirements: governance, process maturity, and evidence standards.

### Educational Content

The platform includes enriched content across all topics:

- Educational articles on CRA requirements and best practices
- Glossary of CRA and security terminology
- External resources and regulatory references

Browse all resources at /resources

Last updated: March 2026
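The encryption-at-rest design listed under Data Security & Encryption above, written out as an added example in Go's standard library (an illustration, not the platform's own code, which the page does not show): one AES-256-GCM key per data domain, an audit entry for every encrypt/decrypt with table, row ID, duration and outcome, and the plaintext-column fallback for rows not yet migrated. The caller-supplied keys, the table names and the row-binding additional data are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// AuditEntry is one audit-log row with the fields the page lists: table, row ID, duration, outcome.
type AuditEntry struct {
	Op, Table string
	RowID     int64
	Duration  time.Duration
	Err       error // nil on success
}
var Keys = map[string][]byte{} // one 32-byte AES-256 key per data domain (sbom, cve, product, evidence)
var Audit []AuditEntry         // every encrypt, decrypt and plaintext fallback appends one entry
// run performs one AES-256-GCM operation under the domain key and audits it whether it succeeds or fails.
func run(op, domain, table string, id int64, f func(cipher.AEAD, []byte) ([]byte, error)) (out []byte, err error) {
	defer func(start time.Time) { Audit = append(Audit, AuditEntry{op, table, id, time.Since(start), err}) }(time.Now())
	b, err := aes.NewCipher(Keys[domain]) // unknown domain -> nil key -> KeySizeError, still audited
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(b) // AES blocks are 128-bit, so NewGCM cannot fail here
	return f(g, []byte(fmt.Sprintf("%s:%d", table, id))) // AAD binds the ciphertext to its own row
}
// Encrypt seals value under the domain key; the random 96-bit nonce is prepended to the ciphertext.
func Encrypt(domain, table string, id int64, value []byte) ([]byte, error) {
	return run("encrypt", domain, table, id, func(g cipher.AEAD, aad []byte) ([]byte, error) {
		nonce := make([]byte, g.NonceSize())
		rand.Read(nonce) // crypto/rand never returns an error (Go 1.24+)
		return g.Seal(nonce, nonce, value, aad), nil
	})
}
// Read decrypts when a ciphertext exists, else serves the legacy plaintext column (the page's migration-period fallback); both paths are audited.
func Read(domain, table string, id int64, ct, legacy []byte) ([]byte, error) {
	if ct == nil {
		Audit = append(Audit, AuditEntry{"plaintext-fallback", table, id, 0, nil})
		return legacy, nil
	}
	return run("decrypt", domain, table, id, func(g cipher.AEAD, aad []byte) ([]byte, error) {
		if n := g.NonceSize(); len(ct) >= n {
			return g.Open(nil, ct[:n], ct[n:], aad)
		}
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	})
}
```

Binding table and row ID as additional authenticated data is a hardening choice beyond what the page states: a ciphertext copied into another row fails authentication instead of decrypting, and the failed attempt still lands in the audit log.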