EU Cyber Resilience Act

Generate your CRA Annex I evidence pack
in 60 seconds

Scan any GitHub repository against all 21 CRA Annex I essential requirements. Free preview inline. Audit-ready PDF delivered to your email.

Time to vulnerability reporting deadline
138
Days
06
Hours
39
Min
10
Sec
September 11, 2026 — Regulation (EU) 2024/2847, Article 14
Step 1 — Scan a public repository
Format: owner/repo or full GitHub URL. Concordance reads only metadata — no source code, secrets, or credentials are accessed.
The deliverable

What's in the CRA Evidence Pack

An audit-ready PDF mapping your engineering practices to all 21 CRA Annex I essential requirements.

21
Annex I requirements covered
Part I §1.1–1.13 + Part II §2.1–2.8
50
Engineering protocols scored
Across 6 SDLC phases — see /framework
6
Frameworks supported
CRA, NIS2, SOC 2, ISO 27001, NIST SSDF, internal
PDF
Audit-ready format
Per-requirement evidence + signal level + remediation
CRA timeline

Two deadlines that matter

Sep 11, 2026
Reporting obligations begin
Manufacturers must report actively exploited vulnerabilities (24h initial / 72h detailed / 14-day final) and severe incidents to ENISA and CSIRTs. Article 14, Regulation (EU) 2024/2847.
Dec 11, 2027
Full applicability + CE marking
Products with digital elements placed on the EU market must demonstrate conformity with all Annex I essential requirements and bear CE marking. Penalties up to €15M or 2.5% of global annual turnover, whichever is higher (Article 64). Article 71, Regulation (EU) 2024/2847.

Concordance is built and operated by Concordance Labs LLC (Pennsylvania, USA — SAM.gov UEI QH73M8NA3QR8). The 50-protocol scoring engine, the CRA Annex I and NIS2 Article 21(2) mappings, and the PDF generator are open implementations documented at /framework,/cra, and/methodology. Source citations to Regulation (EU) 2024/2847 are provided per requirement in the generated pack.