Automated CRA & AI Act compliance for every product you ship. Lexoreg manages SBOM monitoring, vulnerability detection, and ENISA reporting so your engineering team can focus on building.
Free to get started. No credit card required.
SOC 2 and ISO 27001 certify your organisation. The CRA and AI Act regulate your products — every model, every firmware version, for its entire lifecycle. Having a company security policy does not make a single product CRA-compliant.
Average manual compliance cost per company (CEPS Study, 2024)
ENISA reporting deadline for exploited vulnerabilities (CRA Article 14)
New vulnerabilities published in NVD daily (NVD Statistics)
Minimum security update obligation per product (CRA Article 13)
Engineering teams across Europe use Lexoreg to stay ahead of CRA obligations without slowing down releases.
“We had no idea which of our products were CRA-affected until Lexoreg mapped every component back to the regulation. What used to take a consultant two weeks now runs automatically on every release.”
Head of Engineering
Industrial IoT manufacturer, Germany
“The 24-hour ENISA reporting window is genuinely stressful if you're tracking CVEs manually. Lexoreg fires the Early Warning draft automatically the moment an exploited vulnerability hits one of our SBOMs.”
VP Product Security
Edge computing platform, Finland
“Our legal team was quoting EUR 180K for a compliance programme. Lexoreg replaced that entirely — and it updates every time we ship a new firmware version.”
CTO
Connected medical device company, Netherlands
Supply chain attacks don't wait for your quarterly review. Lexoreg polls NVD, OSV, CISA KEV, and EUVD every 2 hours and matches new CVEs against your exact component versions automatically.
CVE published: A critical vulnerability in a widely-used HTTP client library is disclosed on OSV and NVD.
SBOM matched: Lexoreg polls OSV, finds the CVE, and matches it against your product SBOMs using version range analysis. 3 affected products identified.
Alert dispatched: Your engineering team receives an immediate alert with severity, EPSS exploitability score, and a direct link to the affected component.
ENISA draft created: The vulnerability is flagged as actively exploited. Lexoreg auto-creates the ENISA Early Warning draft and starts the 24-hour reporting countdown.
Patch shipped: Engineer updates the dependency, pushes a new SBOM via CI/CD. The vulnerability is triaged and resolved. Audit log updated automatically.
Without automated SBOM matching, this scenario ends with a missed 24-hour ENISA deadline and a potential EUR 15M fine.
One platform for SBOM management, vulnerability monitoring, ENISA reporting, and CE readiness — built for engineering teams, not compliance consultants.
Automated Software Bill of Materials from your CI/CD pipeline. Every firmware release triggers a fresh SBOM — components are parsed, stored, and monitored continuously.
Polls NVD, OSV, CISA KEV, and EUVD every 2 hours. Matches CVEs against your SBOM components automatically. Critical and actively exploited vulnerabilities trigger immediate alerts.
Auto-generates Early Warning drafts for actively exploited vulnerabilities. Tracks the 24-hour, 72-hour, and 14-day reporting chain with deadline countdowns and overdue alerts.
Maps your product against CRA cybersecurity requirements with evidence tracking. Generates compliance checklists per product, per version — not per company.
For products with AI components — maps AI Act risk classification, documents training data governance, and tracks human oversight requirements alongside CRA obligations.
Every action is cryptographically logged — vulnerability triage, SBOM uploads, compliance updates, ENISA submissions. When the market surveillance authority asks, the evidence is already there.
Setup takes less than 10 minutes. After that, compliance runs automatically on every release.
Add each product with its CRA category (Default, Important Class I/II, Critical). Lexoreg creates a per-product compliance workspace with the right requirements.
Add two lines to your GitHub Actions or GitLab CI. Every release automatically pushes a fresh SBOM — components are parsed and monitored from that moment.
Lexoreg polls NVD, OSV, CISA KEV, and EUVD continuously. When a CVE matches a component in your SBOM, it appears in your dashboard with severity, EPSS score, and triage workflow.
Engineers triage vulnerabilities with one click. If an actively exploited vulnerability is detected, Lexoreg auto-creates the ENISA Early Warning draft and starts the 24-hour countdown.
These deadlines apply to every manufacturer placing connected products on the EU market.
Mandatory ENISA reporting for actively exploited vulnerabilities. 24-hour initial notification deadline.
CE marking, SBOM, conformity assessment, technical documentation, and 5-year security support obligation.
Non-compliance: up to EUR 15M or 2.5% of global turnover. Products can be withdrawn from the EU market.
CRA enforcement begins September 2026. Set up automated SBOM monitoring and vulnerability tracking in minutes — so your products are ready when the deadline arrives.
Free for up to 3 products. No credit card required.