24 hours to report.

Do your systems make that possible?

The EU CRA mandates 24h, 72h, and 14-day reporting windows with automated evidence, full traceability, and 10 years of audit-ready records. Regulators and buyers also expect SBOM provision, NIST SSDF alignment, SOC 2 evidence, license control, and AI code governance. Manual processes will not survive this.
See the Workflow in Action

Market Exclusion

Non-compliance isn't a fine. It's market exclusion.

Products that cannot demonstrate CRA conformity lose CE marking and EU market access — revenue gone, not just fined.

Financial Exposure

2.5% of global revenue. Plus 1% for false reporting.

CRA non-compliance carries penalties up to €15M or 2.5% of global annual revenue. False or misleading reporting to regulators adds another 1%. Both are publicly disclosed.

581 vulnerabilities per codebase. And you have 24 hours.

317K+

Known open source vulnerabilities in Black Duck's knowledge base — growing by 56 new BDSAs per day

87%

Of audited codebases contain at least one vulnerable open source component — up from 86% last year

581

Mean vulnerabilities per codebase — more than doubled year-over-year, driven by AI-assisted development

98%

Of commercial codebases contain open source — it is now effectively universal in every software product

90%+

Of codebases carry significant maintenance debt — open source components years out-of-date, unpatched

EU CRA essentials

From a single detected vulnerability, three legal clocks start ticking.

Conformity assessment obligations begin June 11, 2026. Vulnerability reporting obligations begin September 11, 2026.

24h

Early warning

Notify the relevant CSIRT/ENISA after becoming aware of an actively exploited vulnerability.

72h

Vulnerability notification

Submit fuller information on the vulnerability and product impact.

14d

Final report

Provide corrective or mitigating measures, impact assessment, and evidence of action.

Why manual processes fail: CRA requires cross-functional execution between security, engineering, legal, product, and compliance. X-DLM™ turns the clock into a governed workflow inside Polarion, fed by Black Duck intelligence.

Software companies need to answer to more than one regulation.

RegulationWho it affectsTimingWhat you must answerHow X-DLM™ helps
EU Cyber Resilience Act (CRA)Any software product or hardware product with digital elements sold into the EU/EEA.Sept 11, 2026 vulnerability reporting · Dec 11, 2027 full enforcement.SBOM, secure-by-design/default, vulnerability handling, reporting, technical documentation, CE marking, post-market monitoring.Black Duck SCA + Siemens Polarion + X-DLM workflow for SBOM, evidence, approvals, traceability, VDR/VEX, and reporting timelines.
NIST SSDF / SP 800-218Software producers asked to demonstrate secure development, especially in enterprise and public-sector procurement.Active procurement expectation; often customer-driven.Secure development practices, vulnerability management, provenance, third-party component control, evidence of process maturity.Polarion links requirements, tests, releases, and security findings; Black Duck provides component intelligence.
SOC 2 / Customer Security ReviewsSaaS and general software vendors selling to enterprise customers.Customer/procurement-driven; recurring audits and renewals.Security controls, change management, risk management, vulnerability response, evidence of operating effectiveness.X-DLM keeps evidence continuously available instead of collecting screenshots and spreadsheets before every review.
Open Source License ObligationsAny software company using open source in commercial products.Applies continuously as code is used, distributed, embedded, or resold.Identify obligations, avoid restrictive terms that conflict with commercial use, customer contracts, M&A, or source disclosure.Black Duck tracks 3,000+ license types and routes legal/IP exposure into Polarion workflows for documented decisions.
SBOM / VEX / VDR ExpectationsGeneral software vendors serving regulated buyers, enterprise procurement, or EU CRA-scoped markets.Increasingly required in procurement and regulatory evidence packages.Machine-readable SBOMs, vulnerability exploitability statements, disclosure records, and remediation evidence.Black Duck generates SBOMs and vulnerability data; X-DLM synchronizes them into Polarion for lifecycle evidence.
AI-generated Code GovernanceSoftware teams using AI coding assistants or integrating open source AI models.Current governance gap; increasingly scrutinized in procurement and legal review.Detect insecure, unlicensed, hallucinated, or unattributed code; govern AI-generated snippets and model dependencies.Black Duck snippet and AI code analysis identifies provenance, security, and IP risk; Polarion governs follow-up and sign-off.

From Black Duck finding to Siemens Polarion evidence trail.

  • 01

    Detect

    Black Duck identifies vulnerabilities, malicious packages, license risk, components, SBOM data, and dependency context.

  • 02

    Route

    X-DLM synchronizes findings into Polarion as governed work items with ownership, timing, approvals, and escalation.

  • 03

    Link

    Findings are connected to requirements, code, tests, releases, risk decisions, VDR/VEX, and customer-facing evidence.

  • 04

    Prove

    LiveDocs and Polarion workflow history maintain the audit trail continuously for customer, regulatory, and internal review.

Move from CRA awareness to operational proof.

Download the EU CRA Navigation Guide or request a walkthrough of how X-DLM™ operationalizes CRA, SBOM, VDR/VEX, NIST SSDF, SOC 2, and open source governance in development teams’ workflows.

See the Workflow in Action