EU Cyber Resilience Act compliance tools for WordPress. Generate SBOMs, track vulnerabilities, and maintain audit trails for regulatory compliance.
The CRA is EU legislation establishing cybersecurity requirements for products with digital elements. If you sell WordPress-based products or services to EU customers, you need to be prepared.
Products must include a Software Bill of Materials listing all components. This enables vulnerability identification and supply chain transparency.
Manufacturers must handle vulnerabilities effectively throughout the product lifecycle, including reporting to authorities within 24 hours of discovery.
Technical documentation and conformity assessment are required. This includes maintaining records of security updates and vulnerability responses.
Comprehensive tools to help WordPress agencies and developers meet EU Cyber Resilience Act requirements.
Generate Software Bill of Materials in CycloneDX and SPDX formats. List all plugins, themes, and their versions automatically.
Integration with OSV.dev to track known vulnerabilities. Monitor security status of all components in your WordPress installation.
Maintain records of all security-related events. Track plugin updates, vulnerability discoveries, and remediation actions.
Visual overview of your compliance status. See at a glance what's compliant and what needs attention.
Get notified about compliance issues, new vulnerabilities, and required updates. Stay on top of your security posture.
Export compliance reports for auditors and regulatory bodies. Professional documentation ready for inspection.
The CRA is EU legislation that establishes cybersecurity requirements for products with digital elements. It requires manufacturers to ensure security throughout a product's lifecycle, including vulnerability handling, security updates, and software transparency through SBOMs. It applies to both hardware and software products sold in the EU market.
If you sell products or services that include WordPress as part of the package to EU customers, you may need to demonstrate CRA compliance. This includes e-commerce stores, SaaS products built on WordPress, and agencies delivering WordPress solutions to EU clients. The regulation applies regardless of where your business is located - if you sell to EU customers, you must comply.
A Software Bill of Materials (SBOM) is a formal record of all components in a software product, including their versions and dependencies. The CRA requires SBOMs to enable vulnerability identification, supply chain transparency, and rapid response to security incidents. Our plugin generates SBOMs in industry-standard CycloneDX and SPDX formats that are accepted by regulatory bodies.
The CRA was adopted in 2024 with a phased transition period. Vulnerability reporting requirements begin in late 2026, and full compliance is required by late 2027. Starting compliance work now gives you time to implement proper processes before the deadlines.
The CRA includes significant penalties for non-compliance. Fines can reach up to 15 million EUR or 2.5% of global annual turnover, whichever is higher. Additionally, non-compliant products can be banned from the EU market. These penalties make early preparation essential for businesses selling to EU customers.
This plugin covers the WordPress-specific technical aspects of CRA compliance: SBOM generation, vulnerability tracking, and audit trails. Full CRA compliance also involves organizational processes, risk assessments, documentation, and potentially third-party conformity assessment. We recommend consulting with a compliance specialist for your specific situation.
Both are industry-standard SBOM formats accepted for CRA compliance. CycloneDX is more focused on security use cases and is popular for vulnerability management. SPDX (from the Linux Foundation) is broader and includes detailed license information. Our plugin supports both formats so you can choose based on your requirements or provide both.
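As an added example (not the plugin's own code) of what the SBOM passages above describe, this parses the standard WordPress plugin and theme headers into components and assembles a minimal CycloneDX 1.5 BOM with the site as the top-level component. The two sample headers are constructed, and the `wp-plugin:`/`wp-theme:` bom-ref scheme is an assumed local convention, not a registered package-URL type.

```python
import re

# Constructed sample of the header comment WordPress reads from a plugin's main file.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Example Forms
 * Version: 2.4.1
 * License: GPLv2 or later
 */
"""

# Constructed sample of a theme's style.css header.
SAMPLE_THEME_HEADER = """/*
Theme Name: Example Theme
Version: 1.0.3
License: GNU General Public License v2 or later
*/
"""

# "Key: Value" header lines, with or without the leading " * " of a docblock.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Theme Name|Version|License):\s*(.+?)\s*$", re.M)

def parse_header(text):
    """Return name, version, kind and license from a plugin/theme header, or raise."""
    fields = dict(HEADER_RE.findall(text))
    name = fields.get("Plugin Name") or fields.get("Theme Name")
    if not name or "Version" not in fields:
        raise ValueError("missing Plugin/Theme Name or Version header")
    kind = "plugin" if "Plugin Name" in fields else "theme"
    return {"name": name, "version": fields["Version"], "kind": kind,
            "license": fields.get("License")}

def build_cyclonedx(site_name, site_version, components):
    """Minimal CycloneDX 1.5 BOM as a JSON-ready dict: the site is the top-level
    component, each plugin/theme a 'library' component with a local bom-ref."""
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "metadata": {"component": {"type": "application",
                                      "name": site_name, "version": site_version}},
           "components": []}
    for c in components:
        # The "wp-plugin:"/"wp-theme:" bom-ref scheme is our own local convention,
        # not a registered package-URL type.
        entry = {"type": "library", "name": c["name"], "version": c["version"],
                 "bom-ref": f"wp-{c['kind']}:{c['name']}@{c['version']}"}
        if c["license"]:
            entry["licenses"] = [{"license": {"name": c["license"]}}]
        bom["components"].append(entry)
    return bom
```

Serialise the returned dict with `json.dumps(bom, indent=2)` to get the `.cdx.json` file an auditor or vulnerability scanner would consume.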
The CRA includes an exemption for non-commercial open source software developed by non-profit organizations. However, if you use open source plugins in a commercial product or service, you (as the manufacturer/integrator) bear responsibility for compliance. This is why tracking vulnerabilities in your plugins is crucial.
Agencies building WordPress sites for EU clients may be considered "manufacturers" under the CRA if they deliver a complete digital product. This means you may need to provide SBOMs, maintain vulnerability handling processes, and ensure ongoing security updates. Our plugin helps you document compliance for each client project.
Yes! The plugin is GPL licensed, which means you can install it on unlimited sites, including client sites. For agencies, this is particularly valuable as you can standardize your CRA compliance workflow across your entire client portfolio without additional licensing costs.
Don't wait until the deadline. Get started with free SBOM generation and vulnerability tracking today.