We didn't set out to build a SaaS product. We set out to answer a question that kept coming up in our conversations with EU manufacturers: where do we actually start?
Two deadlines, two different problems
11 September 2026 is when Article 14 becomes enforceable, with a 24-hour, 72-hour, and 14-day reporting cascade for actively exploited vulnerabilities, applicable to products already on the EU market. 11 December 2027 is when the full CRA requirements arrive: CE marking, conformity assessment, SBOM, CSAF, and the rest. Most companies were treating these as one problem and freezing.
Why September is permanently free
Hundreds of thousands of EU manufacturers face this deadline. Most are SMEs without compliance budgets, legal teams, or security specialists. If we charged for the minimum viable compliance tool, we would price out the companies that need it most, and the September obligation would become a fine factory for SMEs who genuinely didn't know what they needed to do.
What is free and what is paid
- Free, permanently: public submission portal, acknowledgment tracking, Article 14 notification workflow, SLA tracking, audit trail
- Pro and Enterprise: SBOM management, CSAF advisory generation, security test documentation, multi-product management, compliance analytics
Read the full note from the team.
Read More