EU Cyber Resilience Act

CRA compliance, managed at the artifact layer

Cloudsmith automates the SBOM generation, vulnerability detection, and audit logging the Cyber Resilience Act requires. Your team ships at full speed and with complete audit-readiness.

The CRA requires compliance in a threat landscape your current controls weren't built for.

CVEs are up 22% since 2024. Malicious open-source packages are up 73% year over year. AI agents introduce dependencies faster than any team can manually review. The window from disclosure to exploitation has collapsed from months to hours.

The CRA makes you legally responsible for mitigating the risk from all of these factors and more. Manual controls don't scale to this threat environment. Automated governance does.

22%

CVE increase since 2024

73%

Malicious open-source packages increase year over year

The Problem: Packages enter your environment without a policy checkpoint – pulled by developers or AI agents, assumed safe, not evaluated at ingestion.
Cloudsmith Solution: Cloudsmith enforces policy at the point of every pull, before the dependency reaches a build – the specific control the CRA requires.
The Problem: Build-time or point-in-time scans check once and stop. Artifacts already inside your environment aren't re-evaluated as threats evolve.
Cloudsmith Solution: Vulnerability databases update multiple times per hour. EPSS scoring filters CVE noise down to what is likely to be exploited. Malicious package detection covers supply chain attacks that the CVE system isn't designed to catch, since malicious packages rarely receive CVE identifiers.
The Problem: SBOM generation is manual or tied to release cycles. Audit evidence is fragmented across tools. Article 14's 24-hour window is operationally impossible without unified, real-time logging.
Cloudsmith Solution: Immutable audit logs and automatic SBOM generation are built into how the platform works – not a bolt-on. Evidence is ready when regulators ask.

Cloudsmith helps you meet CRA requirements

From SBOM generation to data residency, Cloudsmith covers the artifact-layer controls the CRA mandates – documented components, continuous monitoring, controlled pipelines, and an audit trail that holds up to regulatory scrutiny.
  1. The CRA requires: A machine-readable SBOM covering all components, available to authorities on demand.
    Cloudsmith: Generates a full SBOM for every container image automatically. Versioned and retrievable on demand.

  2. The CRA requires: Continuous vulnerability tracking throughout the product support lifecycle.
    Cloudsmith: Continuously matches artifacts against major vulnerability feeds. EPSS scoring identifies what is likely to be exploited, and packages are re-flagged the moment intelligence changes.

  3. The CRA requires: Report actively exploited vulnerabilities to ENISA – an early warning within 24 hours of awareness, a vulnerability notification within 72 hours, and a final report within 14 days.
    Cloudsmith: Flags newly exploited vulnerabilities immediately. Every artifact event and policy action is logged immutably and exportable via API.

  4. The CRA requires: Products must ship without known exploitable vulnerabilities and limit attack surface by design.
    Cloudsmith: All package requests route through Cloudsmith. Policy is enforced at every request and re-evaluated continuously. Packages are gated at every stage from Dev to Production.

  5. The CRA requires: Manufacturers must document the licensing terms of every component in their product.
    Cloudsmith: Licence information is captured in every SBOM. Policies block non-conforming packages before they reach a build.

  6. The CRA requires: Products must protect against unauthorized access through appropriate access management.
    Cloudsmith: OIDC issues short-lived pipeline tokens. SCIM provisioning keeps access aligned to your identity system. Role-based controls apply at org, team, and repository level.

  7. The CRA requires: Record security-relevant events to support due diligence and incident response.
    Cloudsmith: Every governance event, policy decision, and pipeline request is logged immutably and exportable to your SIEM in JSON or CSV.

  8. The CRA requires: Handle data tied to EU users in line with GDPR provisions.
    Cloudsmith: EU-resident hosting and regional edge delivery available. GDPR-aligned processing.
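The gate-at-pull and re-evaluate-on-refresh model described in the Problem/Solution table above, and in items 2, 4 and 5 of this list, is easier to reason about with a concrete policy in front of you. The following is an added example written for this page; it is not Cloudsmith's implementation, and every package name, CVE identifier, score, licence and threshold in it is constructed sample data. It shows a policy that blocks on three grounds (actively exploited, EPSS above a threshold, critical with a fix available), lets low-EPSS findings through as noise, applies an SPDX licence allow-list from the SBOM, emits one JSON audit line per decision, and then re-runs the same policy over already-admitted packages when a feed refresh flips a CVE to "actively exploited".

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Cloudsmith's code. All data below is constructed.


@dataclass(frozen=True)
class Finding:
    """One vulnerability record as it would arrive from a feed refresh."""
    cve: str
    cvss: float                 # CVSS base score, 0-10
    epss: float                 # EPSS: estimated probability of exploitation in the next 30 days
    actively_exploited: bool    # listed as exploited in the wild (e.g. in CISA's KEV catalogue)
    fix_version: Optional[str]  # first fixed version, or None if no fix is published


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    license: str  # SPDX identifier as recorded in the SBOM


@dataclass(frozen=True)
class Policy:
    epss_block_threshold: float = 0.10   # block when exploitation is more likely than this
    cvss_critical: float = 9.0
    allowed_licenses: frozenset = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})


@dataclass
class Decision:
    package: str
    version: str
    action: str                 # "allow" or "block"
    reasons: list = field(default_factory=list)

    def audit_event(self, trigger: str, snapshot: str) -> str:
        """One JSON log line per decision, suitable for SIEM export."""
        return json.dumps({"event": "policy.decision", "trigger": trigger,
                           "intel_snapshot": snapshot, "package": self.package,
                           "version": self.version, "action": self.action,
                           "reasons": self.reasons}, sort_keys=True)


def evaluate(pkg: Package, findings, policy: Policy) -> Decision:
    """Decide allow/block for one package version against the current intelligence."""
    reasons = []
    if pkg.license not in policy.allowed_licenses:
        reasons.append(f"license {pkg.license} is not on the allow-list")
    for f in findings:
        if f.actively_exploited:
            reasons.append(f"{f.cve} is actively exploited")
        elif f.epss >= policy.epss_block_threshold:
            reasons.append(f"{f.cve} EPSS {f.epss:.2f} >= {policy.epss_block_threshold:.2f}")
        elif f.cvss >= policy.cvss_critical and f.fix_version:
            reasons.append(f"{f.cve} is critical (CVSS {f.cvss}) and fixed in {f.fix_version}")
        # Anything else (low EPSS, not exploited, not critical-with-fix) is
        # noise for gating purposes: it is tracked, but it does not block.
    return Decision(pkg.name, pkg.version, "block" if reasons else "allow", reasons)


def gate_pull(pkg: Package, intel: dict, policy: Policy, snapshot: str):
    """Ingestion checkpoint: evaluate at pull time and emit an audit line."""
    decision = evaluate(pkg, intel.get((pkg.name, pkg.version), ()), policy)
    return decision, decision.audit_event("pull", snapshot)


def reevaluate(admitted: dict, intel: dict, policy: Policy, snapshot: str):
    """Re-run policy over packages already admitted, after a feed refresh.
    Returns (new_decision, audit_line) only for packages whose verdict changed."""
    changed = []
    for pkg, previous in admitted.items():
        decision = evaluate(pkg, intel.get((pkg.name, pkg.version), ()), policy)
        if decision.action != previous.action:
            changed.append((decision, decision.audit_event("intel-refresh", snapshot)))
    return changed


# Constructed sample data: placeholder package names, CVE ids and scores.
POLICY = Policy()
PACKAGES = [Package("libfoo", "1.2.3", "MIT"),
            Package("barutil", "0.9.0", "GPL-3.0-only"),
            Package("bazlib", "2.0.1", "Apache-2.0")]
INTEL_T0 = {("libfoo", "1.2.3"): [Finding("CVE-0000-0001", 7.5, 0.02, False, "1.2.4")],
            ("bazlib", "2.0.1"): [Finding("CVE-0000-0002", 9.8, 0.01, False, "2.0.2")]}
# Later refresh: the same CVE is now reported exploited and its EPSS has jumped.
INTEL_T1 = {("libfoo", "1.2.3"): [Finding("CVE-0000-0001", 7.5, 0.85, True, "1.2.4")],
            ("bazlib", "2.0.1"): INTEL_T0[("bazlib", "2.0.1")]}


def run_demo():
    """Gate three pulls at snapshot T0, then re-evaluate the admitted set at T1."""
    admitted, log = {}, []
    for pkg in PACKAGES:
        decision, line = gate_pull(pkg, INTEL_T0, POLICY, "T0")
        log.append(line)
        if decision.action == "allow":
            admitted[pkg] = decision
    for decision, line in reevaluate(admitted, INTEL_T1, POLICY, "T1"):
        log.append(line)
    return log


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

At T0 only `libfoo` is admitted: its one finding is high severity but has a 2% EPSS and no exploitation evidence, which is exactly the noise the EPSS filter is meant to pass. `barutil` fails the licence allow-list and `bazlib` is blocked as critical-with-fix regardless of its low EPSS, on the reasoning that a published fix makes "no known exploitable vulnerabilities" achievable. The T1 refresh flips `libfoo` to blocked and logs the change with `trigger: intel-refresh`, which is the event a point-in-time scanner never produces.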

Ease of access to vulnerability information - and the ability to act on it - has been the biggest change for us... We’re a stone’s throw away from having zero high or critical vulnerabilities in our supply chain.

Rich Dammkoehler

VP Architecture & Governance

Before

ConstructConnect's InfoSec team needed stronger supply chain security, but their JFrog setup left them with fragmented artifact organization, poor visibility, and limited control. Managing data usage and storage was a constant challenge — and with their contract expiring in July 2025, it was clear JFrog was holding back their velocity, security, and scalability.

With Cloudsmith
  • Secure software supply chain
  • Fully-managed, cloud-native platform
  • Scalable Infrastructure
Results
  • Minimized high or critical vulnerabilities in our supply chain
  • Reduced the management burden
  • Faster, more reliable builds with automation and integrations

Frequently asked questions

Here are some of the most frequently asked questions relating to the Cyber Resilience Act (CRA), its deadlines, clauses and how to stay compliant.
  1. If you make a product with digital elements sold or made available in the EU, yes – regardless of where your company is headquartered. A small set of products already covered by sector-specific regulation (medical devices, vehicles, some defence) is exempt, but the majority are in scope.

  2. From 11 September 2026, manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours of awareness, 72 hours for full notification, and 14 days for a final report. Full conformity assessment and CE marking follow in December 2027.

  3. Engineering teams use Cloudsmith to govern packages across 30+ formats and enforce policy at ingestion. Because it logs every artifact event and policy decision by default, Cloudsmith generates the audit trail the CRA expects as a normal part of operation.

  4. Those tools see packages once they're already in your environment. Cloudsmith works upstream – every package request passes policy at ingestion before it reaches a build. It's additive, not a replacement.

  5. Cloudsmith is fully managed SaaS – no infrastructure to deploy or maintain. Most teams are operational within days. Migration support is available for teams moving from JFrog, Nexus, or fragmented registries.

Get ready for September

See a personalized walkthrough of Cloudsmith's CRA controls