The EU Cyber Resilience Act applies to more software teams than you think

VexWatch tells you in about three minutes whether your product is in scope and which obligations hit on which date, then gives you the documents you need to comply. CRA compliance for teams without a compliance team.

Check your scope, free

Two dates decide your planning

11 September 2026
Reporting duties start. Manufacturers must report actively exploited vulnerabilities and severe incidents: early warning within 24 hours, notification within 72 hours, then a final report (within 14 days for vulnerabilities, within one month for severe incidents) (Regulation (EU) 2024/2847, Article 14, applicable per Article 71(2)).
11 December 2027
The remaining obligations apply: secure-by-design lifecycle, technical documentation, conformity assessment and CE marking (Regulation (EU) 2024/2847, Article 71(2)).

Built for teams the CRA catches off guard

A common surprise: a SaaS product can come into scope the moment customers download and run any component of it, such as a desktop client or browser extension.

The VexWatch toolkit, early bird

Every document a small team needs to get compliant, written for people without a compliance background: a scope and classification memo template, a coordinated vulnerability disclosure policy aligned to Annex I, Part II of the CRA (binding on manufacturers via Article 13), a coordinated disclosure workflow with security.txt, the CRA reporting runbook (24 hour, 72 hour, and final report deadlines), RACI and internal register templates, and an SBOM starter guide.

Get the toolkit, early bird EUR 149

Documents only, no consulting. Compliance tooling, not legal advice.