How It Works

From the CRA obligation to audit-ready documentation: here is what we do and how each step maps to the regulation's requirements.

The CRA Due Diligence Obligation

The EU Cyber Resilience Act (Regulation 2024/2847) requires manufacturers of products with digital elements to exercise due diligence on every third-party component they integrate — including open-source software.

What CRA Article 13 Requires

  • Perform and document a cybersecurity risk assessment of the product, covering the third-party and open-source components it integrates
  • Exercise due diligence when integrating those components so that they do not compromise the product's cybersecurity (Article 13(5))
  • Verify that components meet the Essential Cybersecurity Requirements (Annex I)
  • Identify and document known vulnerabilities in components, and the patches and updates that address them
  • Produce technical documentation (Annex VII) and keep it available to market surveillance authorities
  • Carry out the applicable conformity assessment procedure

What Auditors Will Ask For

Market surveillance authorities and notified bodies will expect documented evidence of your due diligence process. They want to see:

  • A systematic assessment of each third-party component
  • Mapping to specific Annex I requirements
  • Professional judgment, not just tool output
  • Timestamped, traceable documentation

Raw scanner output alone does not satisfy the "due diligence" standard. Auditors expect professional review and expert opinion.

Free resource: Use our CRA Due Diligence Checklist to see every requirement mapped to specific evidence — and identify where your current process has gaps.

Enforcement Timeline

The CRA is already in force. Key deadlines are approaching.

  • Dec 2024: CRA entered into force (10 December 2024)
  • Sep 2026: reporting obligations for actively exploited vulnerabilities and severe incidents (Article 14) begin (11 September 2026)
  • Dec 2027: the remaining obligations apply in full and penalties can be imposed (11 December 2027)

Our Assessment Methodology

Standard Assessment

Health, Hygiene & Known Risks

  • Ecosystem health & maintainer profile
  • CVE & known-vulnerability analysis
  • OpenSSF Scorecard evaluation
  • SPDX license classification & copyleft risk analysis
  • Static analysis (SAST) with AI-augmented review
  • Credential & secret scanning (full git history)
  • CycloneDX SBOM deliverable
  • AI-driven threat modelling
  • Safe usage recommendations
  • Executive summary
  • Expert-signed CRA assertion

High-Criticality Assessment

Deep Logic, Binary Integrity & Intent

  • Everything in Standard
  • Reachability analysis & VEX deliverable
  • Deep SAST with custom security rule packs
  • Binary hardening audit (PIE, NX, RELRO, stack canaries, FORTIFY_SOURCE, CET/BTI)
  • Multi-engine malware scanning
  • CI/CD pipeline & workflow security analysis
  • Cryptography inventory, weakness detection & CBOM deliverable
  • AI-driven anomaly & backdoor detection

Assessment Capabilities

Project Health

OpenSSF Scorecard & maintainer analysis

Vulnerability Intelligence

Multi-database CVE analysis

Static Analysis

SAST with AI-augmented review

Secret Detection

Credential & key scanning across history

SBOM Generation

CycloneDX software bill of materials

Threat Modelling

AI-driven risk & attack surface analysis

Reachability & VEX

Vulnerability reachability analysis

Binary Hardening

PIE, NX, RELRO & stack canary checks
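The four properties named above are read straight from an ELF binary's headers: e_type together with DT_FLAGS_1 for PIE, the PT_GNU_STACK segment for NX, PT_GNU_RELRO plus a BIND_NOW flag for partial versus full RELRO, and the presence of stack-protector and FORTIFY symbol names for the last two. The following script is an added example of such a check, written for this page; it is not the assessment tooling described above. The synthetic image builder, the DYN_OFF layout constant and the symbol-name heuristics are assumptions made for the demonstration; a real audit walks .dynsym rather than scanning raw bytes.

```python
"""ELF64 hardening check: PIE, NX, RELRO, stack canary, FORTIFY_SOURCE.
Added illustration, not the assessment vendor's tooling. Reads the ELF header,
program headers and dynamic section with the standard library only. Canary and
FORTIFY detection is a symbol-name scan over the raw image (a heuristic)."""
import struct
import sys
from pathlib import Path

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
FORTIFY_SYMBOLS = (b"__printf_chk", b"__memcpy_chk", b"__strcpy_chk", b"__sprintf_chk")
EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 file header, 64 bytes
PHDR = "<IIQQQQQQ"          # ELF64 program header, 56 bytes


def elf_hardening(blob: bytes) -> dict:
    """Return the hardening properties of a little-endian ELF64 image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    hdr = struct.unpack_from(EHDR, blob, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    nx, relro_segment, dyn = False, False, {}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, blob, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)   # no PT_GNU_STACK at all => stack may be executable
        elif p_type == PT_GNU_RELRO:
            relro_segment = True
        elif p_type == PT_DYNAMIC:       # collect d_tag -> d_val until DT_NULL
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", blob, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    bind_now = bool(DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if e_type == ET_DYN and dyn.get(DT_FLAGS_1, 0) & DF_1_PIE:
        pie = "yes"
    elif e_type == ET_DYN:
        pie = "dyn"   # PIE from an older toolchain, or a shared library
    else:
        pie = "no"
    return {
        "pie": pie,
        "nx": nx,
        "relro": "full" if relro_segment and bind_now else "partial" if relro_segment else "none",
        "canary": b"__stack_chk_fail" in blob,
        "fortify": any(sym in blob for sym in FORTIFY_SYMBOLS),
    }


def hardening_gaps(props: dict) -> list:
    """Turn the property dict into the findings a report would list."""
    gaps = []
    if props["pie"] != "yes":
        gaps.append("not position-independent: image base is fixed, weakening ASLR")
    if not props["nx"]:
        gaps.append("stack is executable: PT_GNU_STACK missing or marked PF_X")
    if props["relro"] != "full":
        gaps.append(f"RELRO is {props['relro']}: GOT stays writable at runtime")
    if not props["canary"]:
        gaps.append("no stack-protector symbols (built without -fstack-protector)")
    if not props["fortify"]:
        gaps.append("no FORTIFY_SOURCE symbols (built without -D_FORTIFY_SOURCE)")
    return gaps


DYN_OFF = 256  # file offset of the dynamic section in the synthetic image (assumption)


def build_sample_elf(*, pie: bool, nx: bool, relro: str, canary: bool, fortify: bool) -> bytes:
    """Construct a synthetic, non-runnable ELF64 image with the chosen properties (test input)."""
    flags_1 = (DF_1_PIE if pie else 0) | (DF_1_NOW if relro == "full" else 0)
    dyn = [(DT_FLAGS_1, flags_1)] + ([(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<QQ", t, v) for t, v in dyn)
    phdrs = [
        (PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16),  # PF_R|PF_W (|PF_X)
        (PT_DYNAMIC, 0x6, DYN_OFF, DYN_OFF, DYN_OFF, len(dyn_bytes), len(dyn_bytes), 8),
    ]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)  # e_phoff=64, e_machine=x86-64
    img = ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs)
    img += b"\0" * (DYN_OFF - len(img)) + dyn_bytes
    img += b"\0__stack_chk_fail\0" if canary else b""
    img += b"\0__printf_chk\0" if fortify else b""
    return img


if __name__ == "__main__":
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_elf(
        pie=False, nx=False, relro="partial", canary=False, fortify=False)
    props = elf_hardening(blob)
    print(props)
    for gap in hardening_gaps(props):
        print(" -", gap)
```

Run it on a real file with `python elf_hardening.py /path/to/binary`; without an argument it analyses a constructed weak sample and lists the gaps a report would flag. Two caveats a practitioner would want: an ET_DYN image without DF_1_PIE is reported as "dyn" because a shared library and an older-toolchain PIE look identical at this level, and a FORTIFY symbol only shows that some calls were fortified, not that every fortifiable call was.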

Malware Scanning

Multi-engine malware & reputation analysis

CI/CD Pipeline Audit

Dangerous workflow & supply-chain checks

Cryptography & CBOM

Algorithm inventory & weakness detection

Anomaly Detection

AI-driven backdoor & intent analysis

The Expert Assertion

Every report concludes with a formal assertion signed by a Principal-level security professional with 25+ years of experience. This assertion maps findings to specific CRA Annex I sections and provides the professional judgment that separates our reports from raw tool output. The assertion is what makes the report audit-ready.

The Process

Share Your Dependency List or SBOM

Upload an SPDX or CycloneDX file, paste a list of dependencies, or just tell us what you use. We accept any format.

We Analyze Coverage & Send a Proposal

We map your components against our library. For in-library components, reports can be delivered immediately. For new assessments, we scope the work and send pricing within 24 hours.

Reports Delivered on a Rolling Basis

After invoice payment, reports are delivered via email as they're completed. Each is a signed PDF ready to include in your CRA technical documentation.

Your Team Files the Documentation

Include reports in your technical documentation (Annex VII). Your compliance team has exactly what auditors will ask for.

Report Validity & Updates

Point-in-Time Assessment

Reports are timestamped and valid as of the date of issue. We recommend re-assessment within 12 months, or sooner when the component ships a major version or a security patch.

Critical CVE Alerts

If a Critical/High CVE is published for an assessed component, we notify customers within 48 hours.

Annual Re-assessment

Full refresh available at 50% of the original price. Keeps your documentation current for ongoing compliance.

Version Updates

When a component releases a new version, we assess the delta at 30–50% of the new-assessment price.

When a Component Doesn’t Pass

Not every component will satisfy the Annex I requirements your product has to meet. When issues are found, our reports include prioritised remediation guidance with specific, actionable recommendations. For components requiring hands-on fixes, we connect you with vetted remediation partners from our security network, keeping assessment and remediation independent, as auditors expect.

Ready to Get Started?

Tell us about your stack and we'll send a proposal within 24 hours.

Assess My Stack