ArmorCode Adds CRA Compliance Tools as Europe’s Cybersecurity Deadline Moves Closer

ArmorCode is expanding its Agentic AI Platform with new capabilities designed to help manufacturers prepare for the European Union’s Cyber Resilience Act, a sweeping cybersecurity regulation that will force companies selling digital products in Europe to prove they can find, manage, disclose, and remediate serious vulnerabilities on strict timelines.


The update targets makers of products with digital elements, a broad category that can include connected devices, software-enabled industrial systems, applications, and other technology sold into the EU market. Under the CRA, manufacturers will face new obligations for vulnerability handling, product security documentation, software supply chain visibility, and coordinated disclosure.


The regulation entered into force in December 2024, but one of its most important enforcement milestones arrives on September 11, 2026. From that date, manufacturers must report actively exploited vulnerabilities under tight deadlines: an early warning within 24 hours, a full vulnerability notification within 72 hours, and a final report within 14 days after a corrective or mitigating measure becomes available. Noncompliance can carry penalties of up to €15 million or 2.5 percent of global annual turnover, whichever is higher.


That creates a major operational problem for product security teams. Vulnerability data often lives across scanners, asset inventories, SBOM repositories, ticketing systems, threat intelligence tools, cloud platforms, and compliance systems. When regulators require a precise timeline and supporting evidence, scattered data can become a liability.


“The Cyber Resilience Act is redefining accountability for cybersecurity by extending focus beyond operators to the security capabilities of product suppliers,” said Larry Lowe, Chief Product Security Officer for Wabtec. “In anticipation, we proactively aligned our development processes with IEC 62443-4-1 and invested in scalable solutions to operationalize security. With ArmorCode, we are achieving the visibility and automation needed to consolidate vulnerability data, streamline disclosure workflows, and track risk in real time, enabling us to meet the pace and scale that the CRA demands while reinforcing customer trust.”


ArmorCode’s new CRA features are built around a centralized system of record for product security and exposure management. The platform now supports classification and lifecycle tracking for products and sub-products covered by the regulation, exploit status tracking, CRA notification status fields, automated disclosure workflows, deadline monitoring, SBOM and VEX management, audit trails, dashboards, compliance reporting, exception handling, and SLA tracking.


The most important distinction may be exploit awareness. Under the CRA, the 24-hour reporting clock applies to actively exploited vulnerabilities. ArmorCode says its platform helps teams prioritize issues based on real-world exploitation intelligence, not just severity scores or scanner output.


"The CRA turns product security into a reporting discipline with a deadline attached," said Mark Lambert, Chief Product Officer at ArmorCode. "The manufacturers who handle it well won't build a separate compliance program for it, they'll run it on the platform they already use to manage exposure. And as only actively exploited vulnerabilities start the 24-hour clock, knowing what's actually being exploited is the difference between a workable process and a fire drill."


For manufacturers, the CRA is part of a wider shift in cybersecurity accountability. Regulators are moving beyond guidance and voluntary standards toward enforceable product security obligations. That means security teams will need to show not only that they fixed vulnerabilities, but also that they understood product impact, tracked disclosure status, maintained evidence, and communicated within legally defined windows.


"Cyber resilience is a business requirement," said Karthik Swarnam, Chief Security and Trust Officer at ArmorCode. "The Cyber Resilience Act raises the stakes for every organization that builds or sells digital products in Europe. Failing to identify and report actively exploited vulnerabilities can result in significant financial penalties, but the greater risk is the loss of customer trust and confidence. Organizations need a way to operationalize security, compliance, and disclosure at scale. ArmorCode helps teams bring together the data, workflows, and evidence needed to respond quickly, demonstrate accountability, and stay ahead of evolving regulatory requirements."


ArmorCode says its platform connects with more than 375 security and development tools, allowing companies to correlate vulnerability findings, asset intelligence, software supply chain data, threat intelligence, cloud security signals, and business context without replacing existing systems.


As the CRA deadline approaches, the companies best positioned to comply will likely be those that treat vulnerability disclosure as a live operational workflow, not a last-minute legal exercise. ArmorCode is betting that manufacturers will need unified exposure management to make that shift before the EU’s reporting clock starts ticking.
