24 hours to report.
Do your systems make that possible?
Market Exclusion
Non-compliance isn't a fine. It's market exclusion.
Products that cannot demonstrate CRA conformity lose CE marking and EU market access — revenue gone, not just fined.
Financial Exposure
2.5% of global revenue. Plus 1% for false reporting.
CRA non-compliance carries penalties up to €15M or 2.5% of global annual revenue. False or misleading reporting to regulators adds another 1%. Both are publicly disclosed.
581 vulnerabilities per codebase. And you have 24 hours.
Known open source vulnerabilities in Black Duck's knowledge base — growing by 56 new BDSAs per day
Of audited codebases contain at least one vulnerable open source component — up from 86% last year
Mean vulnerabilities per codebase — more than doubled year-over-year, driven by AI-assisted development
Of commercial codebases contain open source — it is now effectively universal in every software product
Of codebases carry significant maintenance debt — open source components years out-of-date, unpatched
EU CRA essentials
From a single detected vulnerability, three legal clocks start ticking.
Conformity assessment obligations begin June 11, 2026. Vulnerability reporting obligations begin September 11, 2026.
Early warning
Notify the relevant CSIRT/ENISA after becoming aware of an actively exploited vulnerability.
Vulnerability notification
Submit fuller information on the vulnerability and product impact.
Final report
Provide corrective or mitigating measures, impact assessment, and evidence of action.
Software companies need to answer to more than one regulation.
| Regulation | Who it affects | Timing | What you must answer | How X-DLM™ helps |
|---|---|---|---|---|
| EU Cyber Resilience Act (CRA) | Any software product or hardware product with digital elements sold into the EU/EEA. | Sept 11, 2026 vulnerability reporting · Dec 11, 2027 full enforcement. | SBOM, secure-by-design/default, vulnerability handling, reporting, technical documentation, CE marking, post-market monitoring. | Black Duck SCA + Siemens Polarion + X-DLM workflow for SBOM, evidence, approvals, traceability, VDR/VEX, and reporting timelines. |
| NIST SSDF / SP 800-218 | Software producers asked to demonstrate secure development, especially in enterprise and public-sector procurement. | Active procurement expectation; often customer-driven. | Secure development practices, vulnerability management, provenance, third-party component control, evidence of process maturity. | Polarion links requirements, tests, releases, and security findings; Black Duck provides component intelligence. |
| SOC 2 / Customer Security Reviews | SaaS and general software vendors selling to enterprise customers. | Customer/procurement-driven; recurring audits and renewals. | Security controls, change management, risk management, vulnerability response, evidence of operating effectiveness. | X-DLM keeps evidence continuously available instead of collecting screenshots and spreadsheets before every review. |
| Open Source License Obligations | Any software company using open source in commercial products. | Applies continuously as code is used, distributed, embedded, or resold. | Identify obligations, avoid restrictive terms that conflict with commercial use, customer contracts, M&A, or source disclosure. | Black Duck tracks 3,000+ license types and routes legal/IP exposure into Polarion workflows for documented decisions. |
| SBOM / VEX / VDR Expectations | General software vendors serving regulated buyers, enterprise procurement, or EU CRA-scoped markets. | Increasingly required in procurement and regulatory evidence packages. | Machine-readable SBOMs, vulnerability exploitability statements, disclosure records, and remediation evidence. | Black Duck generates SBOMs and vulnerability data; X-DLM synchronizes them into Polarion for lifecycle evidence. |
| AI-generated Code Governance | Software teams using AI coding assistants or integrating open source AI models. | Current governance gap; increasingly scrutinized in procurement and legal review. | Detect insecure, unlicensed, hallucinated, or unattributed code; govern AI-generated snippets and model dependencies. | Black Duck snippet and AI code analysis identifies provenance, security, and IP risk; Polarion governs follow-up and sign-off. |
From Black Duck finding to Siemens Polarion evidence trail.
- 01
Detect
Black Duck identifies vulnerabilities, malicious packages, license risk, components, SBOM data, and dependency context.
- 02
Route
X-DLM synchronizes findings into Polarion as governed work items with ownership, timing, approvals, and escalation.
- 03
Link
Findings are connected to requirements, code, tests, releases, risk decisions, VDR/VEX, and customer-facing evidence.
- 04
Prove
LiveDocs and Polarion workflow history maintain the audit trail continuously for customer, regulatory, and internal review.
Move from CRA awareness to operational proof.
Download the EU CRA Navigation Guide or request a walkthrough of how X-DLM™ operationalizes CRA, SBOM, VDR/VEX, NIST SSDF, SOC 2, and open source governance in development teams’ workflows.