Meiko Monitor — know immediately when your software has a critical CRA vulnerability, and what to report, to whom, and within what timeframe the law requires.
Meiko Monitor monitors your repositories daily, surfaces critical findings, and produces ready-made report drafts. As a continuous service, not a one-off audit.
Notifications submitted to ENISA's centralised reporting platform and to the national CSIRT authority.
The CRA is already in force — the reporting obligation starts 11 September 2026.
The EU Cyber Resilience Act entered into force in December 2024. Reporting obligations become applicable on 11 September 2026 — with no transition period.
The reporting obligation begins. Full application of the CRA starts on 11 December 2027, but the obligation to report vulnerabilities comes into effect this autumn.
You must report actively exploited vulnerabilities and severe incidents — not every CVE. They just need to be identified in time.
In the most serious cases, the fine can be up to €15 million or 2.5% of global annual turnover — whichever is greater.
The law does not penalise you for having a vulnerability. It penalises you for failing to detect, handle, and report it correctly and on time.
Source: digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
Does the CRA apply to you? If your products contain software or network connectivity, the answer is most likely yes.
The CRA applies to products with digital elements that are made available on the EU market — including both software products and network-connected devices. Whether the obligation applies to your specific systems and in what capacity is a case-by-case question.
This is one reason to obtain monitoring from an external partner: you do not have to interpret alone what is reportable and what is not. Meiko Monitor monitors continuously, and when needed we help assess whether an individual finding falls under the CRA reporting obligation.
The Cyber Resilience Act applies to products with digital elements. In practice, this means devices and software that operate in a digital environment and can be connected directly or indirectly to a network.
- consumer smart devices such as security cameras, televisions, toys, and home routers
- software and applications such as games, text and image editing programs, operating systems, browsers, and password management software
- industrial and technical digital systems such as industrial control systems, network-connected IoT devices, and certain microprocessors and microcontrollers
For IoT devices, the remote data processing solution provided by the manufacturer — such as a service intended for remote management of the device — is also considered part of the product. The regulation may also apply to cloud services when they are part of a product or the manufacturer's remote processing solution.
Source: kyberturvallisuuskeskus.fi
Meiko Monitor: continuous CRA vulnerability monitoring, ready-made report drafts, a clear picture of your situation.
Meiko Monitor is Meiko Oy's continuous vulnerability monitoring service for companies manufacturing software and network-connected devices. The service identifies vulnerabilities covered by the EU Cyber Resilience Act (CRA, EU 2024/2847), produces ready-made report drafts, and keeps the software inventory (SBOM) up to date.
Daily monitoring
Dependencies are scanned for every named repository, findings are compared against the CISA KEV list, and EPSS scores are updated for open findings — every day.
Report draft within 24 hours
When a finding is on the KEV list, has an EPSS score ≥ 0.50, or has a CVSS score ≥ 9.0, you receive a ready-made draft: CVE, CVSS, severity, affected component, fix availability, and a template for a VEX statement.
Monthly software inventory (SBOM)
You cannot report what you do not know is in your products. That is why we produce an up-to-date inventory of your software components from each repository every month — the technical term is Software Bill of Materials (SBOM), in CycloneDX format.
Immediate alerts
When a KEV hit occurs, our team receives an alert and starts the report draft immediately. You receive a ready-made draft, not a raw notification — we handle the intermediate step on your behalf.
Clear monthly report
Number of findings and severity distribution, open findings in priority order, closed findings, and recommendations for the following month.
Expert support
Consultancy is included in the monthly fee, and you can obtain additional work at an hourly rate whenever a finding requires human interpretation or a regulatory notification.
The compliance officer's question is answered on your behalf.
A clear monthly fee. Additional work when you need it.
- Continuous monitoring, covers one repository
- Daily checks and alerts
- Report drafts and monthly report
- 2 hours of consultancy per month
- Additional repositories from €100 each
- Additional work €90/h (excl. VAT), other needs agreed separately
Up and running in three steps.
A short conversation
We go through your systems and what is relevant from a CRA perspective. 15 minutes is enough to start.
Access to repositories
You grant read access to the named repositories. Lightweight onboarding, no changes to your systems.
Monitoring starts
The service is launched within 10 working days of receiving access credentials. After that, reports and alerts arrive automatically.
Meiko Monitor is based on public data sources (NVD, CISA KEV, OSV, FIRST EPSS). The service provides continuous monitoring, findings, and report templates that give a clear basis for decisions. It does not guarantee CRA compliance and does not constitute legal advice — responsibility for fulfilling statutory obligations remains with the client.
Let's see whether the CRA applies to your systems.
Let's book 15 minutes and go through what it means in practice. If there is no need, we will say so frankly.
Kivääritehtaankatu 6, 40100 Jyväskylä