Maintain a conformant SBOM
A machine-readable bill of materials for every product, kept current across releases, available to authorities on request.
Get reporting-ready before 11 September 2026 with an open-source toolchain you self-host — and a team that helps you stand it up. Your vulnerability data never leaves your infrastructure.
The Cyber Resilience Act makes every product placed on the EU market a multi-year safety obligation for the vendor — not at release, but for the entire support period. NIS2 layers the operator-side regime on top for essential services. Non-compliance under the CRA carries administrative fines of up to €15M (or 2.5% of global turnover) and revocation of EU market access.
Not at build — continuously, against live feeds, for the entire support period of the product (5 years minimum).
Actively exploited vulnerabilities require an early-warning notification to the designated CSIRT and ENISA inside one day.
Disclose to users without undue delay with mitigation guidance, and retain the record for at least ten years.
SCA tools like Snyk or Dependency-Track are good citizens of the pipeline. Post-market safety and regulator reporting are a different category — a different system, a different data stack, a different operational model.
The Transparenz engine ingests your SBOMs, reconciles EUVD, NVD, OSV and CISA KEV in real time, maps every finding to the controls it triggers, and emits regulator-ready advisories. Built as one system, not glued tools.
The transparenz CLI generates BSI TR-03183-2 SBOMs out of CI — SHA-512 hashes, supplier & license enrichment, validated by bsi-check.
VulnzMatcher scans every stored SBOM against EUVD, NVD, OSV and CISA KEV — re-running the moment a feed sync lands a new CVE.
Every finding maps to the CRA article it triggers and starts the 24h / 72h SLA clock automatically — anchored to the CVE's publish date, not scan time.
Generates CSAF 2.0 advisories and runs the VEX lifecycle and coordinated disclosure. ENISA submissions are formatted and staged, ready for the platform.
Safety isn't a posture, it's a measurable surface. Every Transparenz subsystem is engineered with SLOs, telemetry and an audit trail — the same instruments your reliability team already runs.
Every shipped SBOM is re-evaluated against new vulnerabilities the moment they land in any feed — not on a nightly batch.
Active exploits trigger an auto-drafted early-warning notification, formatted to CSIRT and ENISA spec, ready for sign-off.
One finding lights up every regime it triggers — CRA, NIS2, DORA, ISO 27001, SOC 2, FedRAMP and 68 more — with the exact control referenced.
Every SBOM, scan run and advisory is signed and chained — Sigstore-rooted, regulator-replayable, tamper-evident.
EUVD, NVD, OSV and CISA KEV reconciled into one canonical record — no duplicate alerts, no missed CVEs, no source ambiguity.
Every obligation, every deadline, every notice — signed, timestamped, append-only. Architected so any historical state can be reconstructed for an auditor on request.
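The feed reconciliation and SLA clock described above, as an added illustration that is not Transparenz's own code: four constructed entries for one CVE (field names and values are invented, not the real EUVD/NVD/OSV/KEV schemas) collapse into a single canonical record, and the 24h / 72h deadlines are anchored to the earliest publish timestamp rather than the time the scan ran.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample entries for one CVE as each feed might report it.
# Field names are illustrative, not the real feed schemas.
FEEDS = [
    {"source": "NVD",  "id": "CVE-2024-0001", "published": "2024-03-01T10:00:00Z", "cvss": 9.8},
    {"source": "EUVD", "id": "CVE-2024-0001", "published": "2024-03-01T10:00:00Z", "cvss": 9.8},
    {"source": "OSV",  "id": "CVE-2024-0001", "published": "2024-03-01T12:30:00Z", "cvss": None},
    {"source": "KEV",  "id": "CVE-2024-0001", "published": "2024-03-05T00:00:00Z", "exploited": True},
]

@dataclass
class CanonicalRecord:
    cve: str
    published: datetime                      # earliest publish time across sources
    sources: set = field(default_factory=set)
    cvss: Optional[float] = None             # highest score any source reports
    actively_exploited: bool = False         # set when KEV (or any feed) flags exploitation

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def reconcile(entries):
    """Merge per-source entries into one record per CVE: no duplicate alerts."""
    records = {}
    for e in entries:
        ts = parse_ts(e["published"])
        rec = records.get(e["id"])
        if rec is None:
            rec = records[e["id"]] = CanonicalRecord(e["id"], ts)
        rec.sources.add(e["source"])
        rec.published = min(rec.published, ts)
        if e.get("cvss") is not None:
            rec.cvss = max(rec.cvss or 0.0, e["cvss"])
        if e.get("exploited"):
            rec.actively_exploited = True
    return records

def sla_deadlines(rec: CanonicalRecord):
    """Actively exploited findings get a 24h early-warning and a 72h notification
    deadline, both counted from the canonical publish date, not from scan time."""
    if not rec.actively_exploited:
        return None
    return {"early_warning": rec.published + timedelta(hours=24),
            "notification": rec.published + timedelta(hours=72)}

def overdue(rec: CanonicalRecord, now: datetime):
    """Names of deadlines already passed at `now`, for alerting."""
    d = sla_deadlines(rec) or {}
    return [k for k, v in d.items() if now > v]
```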
Vulnerability data, hosting, submission pipelines and engineering — all inside the Union. While generic scanners route through US feeds and US clouds, Transparenz speaks the EU vocabulary by default. Structurally hard for US incumbents to replicate.
Push your SBOM out of CI; everything downstream is automatic. APIs and webhooks for the systems your team already runs.
# .github/workflows/transparenz.yml
on: [push, release]
jobs:
  monitor:
    runs-on: ubuntu-latest
    steps:
      - uses: transparenz/action@v2
        with:
          token: ${{ secrets.TRANSPARENZ }}
          product: "acme-gateway"
          sbom: "dist/sbom.cdx.json"
          host: ${{ secrets.TPZ_HOST }}   # your self-hosted server
      # server takes it from here — scan,
      # map and ENISA-ready advisories.
# install the SBOM CLI
$ go install github.com/vincents-ai/transparenz@latest

# generate a BSI TR-03183-2 compliant SBOM
$ transparenz generate . \
    --format cyclonedx --bsi-compliant \
    --manufacturer "Acme Corp"

# validate, then submit to your server
$ transparenz bsi-check sbom.json
✓ SHA-512 hashes · supplier + license coverage
✓ CycloneDX 1.6 · BSI TR-03183-2 compliant
$ transparenz generate . --bsi-compliant --submit
// upload an SBOM to your self-hosted server (JWT)
await fetch(`${TPZ_HOST}/api/sboms/upload`, {
  method: "POST",
  headers: { "Authorization": `Bearer ${TOKEN}` },
  body: sbom
});

// stream SLA + vulnerability alerts in real time
new EventSource(`${TPZ_HOST}/api/alerts/stream`);

// verify the compliance audit chain
await fetch(`${TPZ_HOST}/api/audit/verify`);
The transparenz SBOM CLI and the transparenz-server compliance server — both AGPL-3.0, both self-hosted.
CycloneDX 1.6 and SPDX 2.3, generated with the native Syft library — no proprietary lock-in, no translation layer.
Stream new-vulnerability and SLA-deadline alerts over Server-Sent Events — wire them into Slack, PagerDuty or Jira.
Role-based access (admin / compliance officer), multi-tenant isolation, and a verifiable append-only audit chain.
Both engines are open core — AGPL-3.0 community editions, with commercial licensing for closed-source or SaaS use. MSPs resell it as a managed service, funds offer it as portfolio coverage, platforms integrate it as the EU-compliance surface their customers already need.
Run a CRA / NIS2 managed service under your own brand. We power the monitoring and reporting; you own the customer and the margin.
One vendor deal, every portco protected. EU market access stays open across the whole book — no founder time spent rebuilding compliance.
The EU-compliance surface your platform doesn't currently serve — EUVD-native data, 74-framework engine, ENISA pipeline. Years to build, ready today.
Both engines are open source and local-first — self-host in minutes inside your own pipeline, with nothing leaving your environment. Get compliance out of static spreadsheets and into the build. Need it managed or rolled out across a portfolio? That's what partners are for.
Join the early-access list for self-hosted CRA onboarding and support. We'll reach out as we open spots — no spam, no sales blast.