Synced 16 Jun 2026 15:24 UTC
EU Cyber Resilience Act · reporting from 11 Sep 2026

Which of your products has a reportable vulnerability right now?

From 11 September 2026, the CRA requires manufacturers to report actively-exploited vulnerabilities to ENISA within 24 hours. IsItPatched shows you which of your software and SBOM components are exploited as it happens — and exports the SBOM, VEX and risk evidence you need.

1046 actively-exploited CVEs across 613 tracked products right now

The 24-hour clock — CRA Article 14

  • 24h: Early-warning notification to ENISA & your national CSIRT once a vulnerability in your product is actively exploited.
  • 72h: Full vulnerability notification — what it is, severity, and the corrective or mitigating measures you're taking.
  • 14d: Notification once a security update or fix is available to users.

The hard part is knowing you have a reportable vulnerability in time. IsItPatched watches CISA's Known Exploited Vulnerabilities (KEV) list against the exact products and versions you run, and timestamps each one the moment it surfaces — so the clock doesn't start without you knowing.

Three dates — know which applies to you

The CRA phases in. Different obligations land on different dates, so the right hook depends on where you are.

  • 11 Jun 2026 · Authorities & notified bodies: Market-surveillance authorities and conformity-assessment bodies are in place. Mostly an institutional milestone.
  • 11 Sep 2026 · Vulnerability reporting: The 24h / 72h duty to report actively-exploited vulnerabilities to ENISA begins — the hook this page is built around.
  • 11 Dec 2027 · SBOM & full obligations: The machine-readable SBOM, CE-marking and full conformity assessment apply — the "know & document your components" hook.

IsItPatched serves both the Sep 2026 reporting hook (live KEV tracking) and the Dec 2027 SBOM hook (component scanning & evidence) — one tool across both deadlines.

CRA obligations → what IsItPatched gives you

  • Report actively-exploited vulns (24h/72h): Live CISA KEV tracking against your stack & SBOM, with surfaced-at timestamps and a dashboard flag for what's reportable now.
  • Machine-readable SBOM: Drop in a CycloneDX or SPDX SBOM and get a per-component vulnerability verdict — parsed in your browser, the file never leaves your device.
  • Vulnerability handling & disclosure: Export a CycloneDX VEX document and a prioritised, fix-first patch queue — the evidence of an active handling process.
  • Security updates for the lifetime: End-of-life tracking and minimum-safe-version guidance flag releases that can no longer be patched — a known CRA risk.

Export your CRA evidence — today, free

  • Machine-readable SBOM scan (CycloneDX / SPDX → OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • CRA evidence pack — the register with an "actively-exploited = reportable" section highlighted

Documentation, including SBOMs, must be retained for 10 years under the CRA. Sign in (free, no password) to sync your stack and generate these from your dashboard.

Straight with you: IsItPatched is an informational tool built on public vulnerability data (NVD · CISA KEV · OSV · endoflife.date). It helps you meet specific CRA obligations — knowing your reportable vulnerabilities, producing an SBOM, and documenting vulnerability handling — but it is not legal advice and not a conformity assessment or CE-mark. Confirm your obligations with a qualified advisor.

CRA — frequently asked

When does the EU Cyber Resilience Act start to apply?

Vulnerability- and incident-reporting obligations apply from 11 September 2026 — manufacturers must report actively-exploited vulnerabilities to ENISA and the relevant national CSIRT within 24 hours (early warning) and 72 hours (full notification). Full obligations, including CE-marking and conformity assessment, apply from 11 December 2027.

How does IsItPatched help with the CRA?

IsItPatched tells you which of the products and SBOM components you run are actively exploited (CISA KEV) — the exact trigger for the CRA's 24-hour reporting duty — with timestamps for when each surfaced. It produces a machine-readable SBOM scan, a CycloneDX VEX document, and a risk register / CRA evidence pack you can keep as part of your vulnerability-handling documentation.

Does IsItPatched make my product CRA-compliant?

No. IsItPatched is an informational tool built on public vulnerability data. It helps you meet specific obligations — knowing your reportable vulnerabilities, producing an SBOM, and documenting vulnerability handling — but it is not legal advice and not a conformity assessment or CE-mark.