ABV helps customers who build products subject to the EU Cyber Resilience Act (CRA) by providing observability and governance tools that support cybersecurity best practices.

What is the Cyber Resilience Act?

The Cyber Resilience Act establishes mandatory cybersecurity requirements for hardware and software products with digital elements sold in the European Union.
The CRA entered into force on December 10, 2024. Cybersecurity requirements apply to products placed on the market after December 11, 2027, with vulnerability reporting obligations starting September 11, 2026.
The CRA aims to improve the cybersecurity of digital products throughout their lifecycle, from design and development through operation and end-of-life. It applies to products connected directly or indirectly to other devices or networks, with specific exclusions for medical devices, aviation systems, and certain regulated sectors. Penalties for non-compliance can reach €15 million or 2.5% of global annual turnover, whichever is higher.

Important: CRA Does Not Apply to ABV

The Cyber Resilience Act explicitly excludes pure SaaS platforms from its scope. As a B2B SaaS observability and governance platform, ABV itself is not subject to CRA requirements and does not require CRA certification or CE marking.
However, if you’re building GenAI products or software that ARE subject to CRA, ABV can help you meet your compliance obligations.

How ABV Supports CRA Compliance for Your Products

While ABV itself is not subject to CRA, our platform helps customers building GenAI products meet CRA requirements:
If you’re building products subject to CRA’s Annex I requirements:
  • Security Testing: Use our evaluation framework to test GenAI products for vulnerabilities and security weaknesses, supporting secure-by-design requirements.
  • Vulnerability Discovery: Monitor GenAI systems for anomalous behavior or abuse attempts indicating vulnerabilities requiring disclosure.
  • Development Documentation: Comprehensive logging provides audit trails of development and testing processes for CRA documentation.
  • Data Protection Evidence: Track how GenAI products handle data, demonstrating encryption usage, access controls, and data flow compliance.
  • Attack Surface Monitoring: Identify excessive permissions, unnecessary data access, or configuration issues expanding your product’s attack surface.
Starting September 11, 2026, CRA requires manufacturers to report actively exploited vulnerabilities within 24 hours:
  • Vulnerability Detection: Monitor GenAI products for security incidents or exploitation attempts indicating vulnerabilities requiring disclosure.
  • Incident Investigation: Use comprehensive logs and audit trails to investigate potential vulnerabilities and determine exploitation status.
  • Evidence Collection: Export detailed logs and traces to support vulnerability reports to EU CSIRTs and ENISA.
  • Timeline Tracking: Document when vulnerabilities were discovered, investigated, and reported using timestamped audit trails.
CRA requires manufacturers to provide secure updates throughout product lifecycle:
  • Update Testing: Use our evaluation framework to test security patches before deployment, ensuring updates don’t introduce new vulnerabilities.
  • Deployment Monitoring: Track security update rollout across GenAI products, identifying failed updates or systems requiring patches.
  • Version Control: Monitor which versions of GenAI products are deployed where, supporting update management requirements.

How ABV Helps with Your CRA Documentation

CRA requires extensive technical documentation:
  • Development Evidence: Comprehensive logs of development, testing, and deployment processes demonstrating secure development lifecycle.
  • Risk Assessment Records: Document security testing, vulnerability assessments, and risk mitigation measures using evaluation results.
  • Version History: Track all changes to GenAI products with version control, demonstrating configuration management practices.
When incorporating ABV into your CRA-regulated product:
  • ABV as Third-Party Component: Document ABV as part of your product’s supply chain using our SOC 2 Type II and ISO 27001 certifications.
  • Security Evidence: Use ABV’s security documentation to demonstrate due diligence in selecting third-party services.

Data Residency for CRA Products

Flexible Deployment Options: ABV can deploy in most AWS regions to meet your product’s data residency requirements under CRA.
Standard regions:
  • EU (Ireland): Immediate availability
  • US (Virginia): Immediate availability
Custom deployments available in:
  • Any EU AWS region for European market products
  • Other global regions for international products
  • Contact [email protected] for regional deployment options

CE Marking and Your GenAI Products

If your GenAI product requires CE marking under CRA:
ABV itself does not require CE marking as it’s a pure SaaS platform excluded from CRA. However, your GenAI products may require CE marking if they’re distributed as software products, mobile apps, or embedded systems.

How ABV Supports Your CE Marking Process

Use ABV’s testing and evaluation data to demonstrate your product meets CRA’s essential requirements.
Export comprehensive logs and test results from ABV to include in your technical file for conformity assessment.
After obtaining CE marking, use ABV to continuously monitor your product’s security and maintain compliance evidence.

CRA Timeline for Your Products

Date | Requirement | How ABV Helps
December 10, 2024 | CRA entered into force | Start using ABV to establish secure development practices
September 11, 2026 | Vulnerability reporting obligations begin | Use ABV monitoring to detect vulnerabilities requiring 24-hour notification
December 11, 2027 | Essential cybersecurity requirements apply | ABV provides ongoing compliance evidence for products placed on market
These deadlines apply to products you place on the EU market, not to ABV itself. Start preparing now if you plan to release GenAI products in the EU after these dates.

Documentation for Your CRA Compliance

If you’re building CRA-regulated products, ABV can provide:
  • Security Certifications: SOC 2 Type II and ISO 27001 certificates for your supply chain documentation
  • Vendor Assessment Package: Security questionnaires and attestations for your third-party risk assessments
  • Infrastructure Documentation: Details about ABV’s security controls to include in your product documentation
To request: Email [email protected] from your company email with:
  • Your organization name and ABV account details
  • The type of product you’re building (mobile app, desktop software, IoT device, etc.)
  • What stage of CRA compliance you’re in (planning, conformity assessment, post-market monitoring)
  • Specific documentation needs for your conformity assessment
We typically respond within 1-2 business days.
