CRA & NIS2

Regulatory Compliance & Reporting

Regulatory requirements share a common demand: know what is in your software, track vulnerabilities, and report them on time. TrustSource automates the evidence base for CRA, NIS2 and MDR compliance — from SBOM to machine-readable advisory.

At a Glance

CRA Reporting

Automated provision of evidence required by the Cyber Resilience Act: SBOM, vulnerability notifications and patch documentation.

NIS2 Compliance

Incident and vulnerability documentation for NIS2 — audit-ready, traceable and retrievable at the push of a button.

MDR Support

For software in medical devices: SBOM evidence and vulnerability management meeting the requirements of the EU Medical Device Regulation.

Inbound CVD

Structured receipt and coordination of third-party vulnerability reports — compliant with ISO 29147 and CRA disclosure obligations.

Outbound CSAF

Machine-readable advisories via CSAF — automatically distributed to customers, authorities and the CSAF Trusted Provider network.

EACG as gCNA

EACG (ID: 102) is one of Europe's first gCNAs and supports companies without their own PSIRT in vulnerability coordination.

The Challenge

The Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to actively report exploited vulnerabilities and serious security incidents — within tight deadlines. The NIS2 Directive extends these obligations to critical infrastructure and essential entities across 18 sectors. The EU Medical Device Regulation (MDR) sets comparable requirements for software in medical devices. All three frameworks share one prerequisite: without complete, audit-ready documentation of the software components in use and their vulnerabilities, timely reporting is simply not possible.

What TrustSource delivers

TrustSource creates the data foundation that makes the reporting obligations achievable in practice: a complete, automatically updated SBOM for every software product, continuous monitoring for new vulnerabilities, and a traceable audit trail of all changes. When a vulnerability arises, it is immediately clear which products are affected, how severe the risk is, and when it was detected — everything regulators expect in a disclosure.

Learn more about the specific reporting obligations and deadlines in our webinar — CRA & NIS2 Webinar ↗

EACG as gCNA — Support without your own PSIRT

EACG — the company behind TrustSource — is one of Europe's first Global CVE Numbering Authorities (gCNA ID: 102). This means EACG can assign CVE identifiers and take over vulnerability coordination. Companies that have not yet built their own PSIRT can outsource the coordination function to EACG and still report in compliance with CRA and NIS2.

PSIRT consulting at EACG ↗

Communication: Inbound & Outbound

Regulatory compliance is not just about internal documentation — it also requires structured communication with external parties: security researchers report vulnerabilities inbound, while customers and authorities must be informed outbound. TrustSource supports both directions.

Inbound: Coordinated Vulnerability Disclosure

A structured CVD process is mandatory under the CRA. TrustSource's CVD product provides a dedicated intake channel for vulnerability reports — with a full workflow for coordinating and documenting each incoming report, compliant with ISO 29147.

Learn more about CVD ↗

Outbound: CSAF Trusted Provider

Advisories must reach customers and authorities in machine-readable form. The CSAF Trusted Provider generates and distributes advisories in CSAF format automatically — via a CSAF-compliant distribution network, without manual effort.

Learn more about CSAF ↗
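As an added illustration (not TrustSource's or EACG's code; product names, SBOM contents, publisher and the CVE id are all constructed), the following Python ties the two steps described on this page together: matching a vulnerable component against per-product SBOMs, and emitting a minimal CSAF 2.0 advisory whose mandatory fields and product_id references are checked before distribution.

```python
import re
# Constructed sample SBOM data: product id -> product name and component purls.
SBOMS = {
    "PROD-A": {"name": "Gateway Firmware 3.1",
               "components": ["pkg:npm/lodash@4.17.20", "pkg:pypi/requests@2.25.1"]},
    "PROD-B": {"name": "Admin Console 2.0",
               "components": ["pkg:npm/lodash@4.17.21"]},
}

def affected_products(sboms, vulnerable_purls):
    """Products whose SBOM lists any of the vulnerable component purls."""
    hits = set(vulnerable_purls)
    return sorted(pid for pid, sbom in sboms.items() if hits & set(sbom["components"]))

def build_csaf(advisory_id, cve, vulnerable_purls, sboms, now):
    """Assemble a minimal CSAF 2.0 advisory; `now` is an RFC 3339 timestamp string."""
    hit = affected_products(sboms, vulnerable_purls)
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": "Example Vendor (constructed)",
                          "namespace": "https://example.invalid"},
            "title": f"{cve} in bundled third-party components",
            "tracking": {
                "id": advisory_id, "status": "final", "version": "1",
                "initial_release_date": now, "current_release_date": now,
                "revision_history": [{"number": "1", "date": now, "summary": "Initial release"}],
            },
        },
        "product_tree": {"full_product_names": [
            {"product_id": pid, "name": sboms[pid]["name"]} for pid in hit]},
        "vulnerabilities": [{"cve": cve, "product_status": {"known_affected": hit}}],
    }

def check_csaf(doc):
    """Problems found: missing mandatory fields, malformed CVE ids, undefined product_ids."""
    d, tracking = doc.get("document", {}), doc.get("document", {}).get("tracking", {})
    problems = [f"document.{k} missing" for k in
                ("category", "csaf_version", "publisher", "title", "tracking") if k not in d]
    problems += [f"document.tracking.{k} missing" for k in
                 ("id", "status", "version", "initial_release_date", "current_release_date",
                  "revision_history") if k not in tracking]
    defined = {p["product_id"] for p in doc.get("product_tree", {}).get("full_product_names", [])}
    for v in doc.get("vulnerabilities", []):
        if not re.fullmatch(r"CVE-\d{4}-\d{4,}", v.get("cve", "")):
            problems.append(f"invalid cve {v.get('cve')!r}")
        for status, ids in v.get("product_status", {}).items():  # CSAF test 6.1.1
            problems += [f"{status}: undefined product_id {pid}" for pid in ids if pid not in defined]
    return problems
```

A real CSAF Trusted Provider also has to publish the document under the provider-metadata and ROLIE feed conventions; this block only covers the advisory content itself.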