Ketryx for EU CRA Compliance
Meet EU CRA requirements, keep your workflows.
Ketryx helps teams meet the EU Cyber Resilience Act's obligations for products with digital elements, spanning SBOMs, vulnerability reporting, secure-by-design evidence, and 10-year documentation retention.
What does the CRA require?
Build security into development.
The CRA shifts cybersecurity from an afterthought to a development mandate, requiring secure-by-design development, secure-by-default configurations, and documented risk assessments throughout the software lifecycle.
Report vulnerabilities in 24 hours.
The CRA imposes a new rapid reporting cadence, requiring actively exploited vulnerabilities to be flagged to ENISA within 24 hours, analyzed within 72 hours, and fully reported within 14 days.
Comprehensive technical files.
The CRA expands technical documentation obligations well beyond what most software teams produce today. Manufacturers must assemble complete technical files, risk assessments, and conformity declarations, and keep them current for up to 10 years across every product version, patch, and release.
The Problem
Cybersecurity, risk management, and traceability can no longer live in silos
The CRA adds a new horizontal cybersecurity layer on top of existing vertical regulations including MDR/IVDR, NIS2, GDPR, and CE marking. Manufacturers can no longer treat cybersecurity, risk management, and traceability as separate compliance workstreams. The regulatory expectation is an integrated, evidence-based development process where:
- Security requirements are traced to design outputs and test results
- Dependencies are continuously monitored
- Risk assessments are living documents
How Ketryx can help
Ketryx is an AI-powered compliance platform purpose-built for the development lifecycle of regulated software products. Rather than bolting compliance onto an existing development workflow, Ketryx makes compliance the workflow by integrating SBOM generation, vulnerability management, traceability, and documentation into your existing tools like Jira, GitHub, and Azure DevOps.
Vulnerability Management
Structured vulnerability management and CRA reporting support
Ketryx provides an end-to-end vulnerability management workflow, from automated scanning and change impact assessments to structured exports for ENISA's Single Reporting Platform. Teams get the real-time visibility, structured workflows, and documentary evidence needed to meet the CRA's 24h/72h reporting windows.
- Continuous GHSA and NVD monitoring with automatic Vulnerability Advisory generation for affected dependencies
- ISO 14971-aligned impact assessments with CVSS v3.1 and v4.0 scoring, environmental profiles, and treatment decisions
- Structured Vulnerability Report export including CVE IDs, CVSS scores, affected dependency and product versions, and remediation status, providing the structured evidence base needed to support CRA vulnerability reporting and notification obligations
SBOM
Automated SBOM generation and dependency intelligence
Generate and maintain machine-readable SBOMs automatically from connected Git repositories. CycloneDX and SPDX formats, with rich dependency metadata and per-release snapshots.
- Auto-scan package manifests (package.json, pom.xml, requirements.txt, Podfile, and more)
- CycloneDX and SPDX format support, ingested directly via CI/CD pipeline
- Per-release SBOM snapshots for a verifiable record of every shipped version
Traceability
Integrated requirements, risk, and traceability management
The CRA's 'secure by design' mandate requires manufacturers to demonstrate that cybersecurity risks were systematically identified, assessed, mitigated, and verified during development. Ketryx provides a unified environment for the entire design control and risk management workflow: a complete, auditable evidence chain.
- Full V-model traceability: requirements to design outputs to implementation to test cases and test executions
- Real-time traceability matrix showing coverage gaps: requirements without tests, risks without controls, controls without passing test executions
- KQL-powered querying to instantly identify non-compliant states across your product
Documentation
Automated technical documentation and lifecycle records
The CRA requires manufacturers to compile and retain comprehensive technical documentation for up to 10 years, available to market surveillance authorities on request. Ketryx automates the generation and management of the required technical file, producing version-locked documents directly from living project data at the click of a button.
- Auto-generated SRS, SDD, Risk Management File, Traceability Matrix, SBOM, and Vulnerability Report
- Electronic signatures compliant with 21 CFR Part 11 and EU standards
- Immutable audit trail logging every change to every item across versions
Enforcement
Enforce SOPs with engineering controls
Prevent non-compliant releases before they ship. Configurable approval workflows, automated control mapping, and robust verification and validation across the entire stack.
- Multi-group approval workflows with configurable sign-off gates
- Automated mapping of risk controls to implementation and test evidence
- Change Request and CAPA workflows with full traceability chains
Ketryx Assistant
An AI assistant that works inside your project, not around it
The Ketryx Assistant generates compliant artifacts, analyzes traceability, and answers QMS questions using your actual project data, including your requirements, risks, tests, and design history, instead of generic training sets. Originally built for FDA-regulated work, these capabilities apply directly to CRA obligations.
- AI-powered change impact analysis across requirements, code, and test layers
- Automated gap detection in traceability and documentation coverage
- Human-in-the-loop workflows ensuring quality and regulatory defensibility for every AI-generated output
How a Top 5 MedTech Company Assessed Vulnerabilities 80% Faster
A top 5 MedTech Surgical Robotics company partnered with Ketryx to modernize its cybersecurity risk assessment process and accelerate vulnerability assessments. After improving their Cybersecurity System Architecture (CSA), they began identifying more vulnerabilities, which exposed gaps in their existing workflow. Their vulnerability review process had become a costly, major bottleneck: dispersed tools, inconsistent data, and manual handoffs made it difficult to efficiently identify and prioritize the vulnerabilities that posed the greatest patient and business risk.
Ketryx simplified workflows into an AI-driven system that improved prioritization, increased review throughput, and significantly reduced operational risk.
