EU Cyber Resilience Act · Effective 11 September 2026
Know which CVEs trigger mandatory ENISA notification — before the 24h clock runs out.
BicPort Report cross-references your firmware SBOM against CISA KEV, NVD, OSV, and EPSS. Automatically identifies Art. 14 obligations, generates ENISA draft reports, and tracks every deadline. Free.
No credit card required · Free tier · Full SBOM analysis
WHO THIS IS FOR
Built for EU hardware manufacturers who ship connected products.
Industrial hardware manufacturers
PLCs, sensors, gateways, robotics controllers — any connected device sold in the EU after September 2026.
Embedded firmware teams
If your firmware includes third-party libraries, you have an SBOM obligation. BicPort Report makes that obligation manageable.
SMEs without a security team
You don't need a CISO. BicPort Report automates the reporting workflow that CRA requires — from detection to ENISA submission.
If your product connects to a network and is sold in the EU, CRA Article 14 applies to you from 11 September 2026.
THE DEADLINE IS FIXED
One actively exploited CVE. Three mandatory notifications. €15M in fines.
CVE appears in CISA KEV
An actively exploited vulnerability is found in a component your firmware uses. The clock starts the moment you become aware.
T+0 to T+24h
Notify ENISA. Brief alert that you are aware and investigating.
T+0 to T+72h
Full report with CVE details, affected products, initial assessment.
T+14 days after patch
Final report confirming the patch has been released.
Non-compliance penalties: up to €15,000,000 or 2.5% of global annual turnover — whichever is higher.
FEATURES
Everything you need to comply with CRA Article 14.
Automated Obligation Detection
KEV match = Art. 14 event created instantly. Countdown timers for 24h, 72h and 14-day deadlines. No manual monitoring.
Continuous KEV Monitoring
Hourly KEV sync. If a new CVE is added that affects your product, you are alerted immediately — not after your next manual scan.
Pipeline Integration
GitHub Actions, GitLab CI, Jenkins. SBOM generated and scanned automatically on every firmware build.
AI Act Art. 73 Dual Reporting
For firmware with embedded AI/ML: parallel reporting to national AI authority alongside ENISA. Aug 2026 deadline — earlier than CRA.
On-Premise Available
For manufacturers with strict data sovereignty requirements: BicPort Report deploys on your own infrastructure. Your SBOM data never leaves your environment.
SBOM Upload & Analysis
CycloneDX 1.4/1.5 or SPDX 2.3. Drag-and-drop or API. Auto-generates completeness score. No SBOM yet? BicPort Report generates one.
6 Feeds, One View
CISA KEV (Art. 14 trigger), NVD, OSV, EPSS, endoflife.date, and EUVD (live Sep 2026). Cross-referenced automatically.
ENISA Draft Reports
Pre-filled early warning, detailed notification, and mitigation reports. One click per phase. ENISA SRP-ready for Sep 2026.
Team & Organisation Access
Role-based access (Admin, Analyst, Read-only). Database-level row isolation. API keys for programmatic access.
DATA SOVEREIGNTY
Your SBOM data never has to leave your infrastructure.
Industrial SBOM data reveals your complete software supply chain. For manufacturers with strict data sovereignty requirements — or those operating in regulated sectors — BicPort Report deploys entirely on your own infrastructure.
Same features. Same compliance workflow. Zero external data transmission.
- ✓ Self-hosted on your servers or private cloud
- ✓ No data transmitted to BicPort infrastructure
- ✓ Air-gapped deployment available
- ✓ Audit-ready — you control the logs
- ✓ Available on Enterprise and AI Compliance tiers
HOW IT WORKS
From upload to ENISA report in 5 steps.
Connect your CD/CI OR upload your SBOM
Drag-and-drop CycloneDX or SPDX. Or generate one automatically from your build artifacts.
Automatic Analysis
Every component cross-referenced against 6 feeds simultaneously. Completes in seconds.
Review Findings
CVEs sorted by priority: KEV first, then EPSS, then CVSS. Filter by product, severity, or status.
Art. 14 Events Created
KEV matches trigger automatic Art. 14 events with live countdown timers. Nothing falls through the cracks.
Generate ENISA Reports
Pre-filled draft reports for each phase. Review, approve, submit. ENISA SRP-ready for Sep 2026.
FAQ
Common questions.
We have until December 2027 for full CRA compliance. Why act now?
CRA Article 14 (incident reporting) activates on 11 September 2026 — over a year before the full compliance deadline. From that date, any actively exploited CVE in your product requires ENISA notification within 24 hours, regardless of your overall compliance status.
What exactly is an SBOM and do we have one?
An SBOM (Software Bill of Materials) is a structured list of every software component in your firmware. If you use Yocto, Buildroot, or any standard build system, BicPort Report can generate one automatically from your build artifacts — you don't need to create it manually.
We don't have a dedicated security team. Is this too complex?
BicPort Report is designed for manufacturers without security specialists. The Art. 14 workflow guides you step by step: detection is automatic, drafts are pre-filled, and deadlines are tracked in real time.
What about our SBOM data confidentiality?
BicPort Report is available as an on-premise deployment for organisations with strict data sovereignty requirements. Your SBOM data stays entirely within your own infrastructure.
Does the free tier have any limitations?
During beta, the free tier includes full SBOM analysis, all 6 vulnerability feeds, Art. 14 detection, and ENISA draft generation. Volume and support SLA are the main differences in paid tiers.
Your CRA Art. 14 deadline is fixed.
11 September 2026. Free to start. No credit card.