Open-source CLI for preparing EU Cyber Resilience Act (Regulation 2024/2847) Article 14 notifications for the ENISA Single Reporting Platform (SRP).
Project description
cra-scope
Open-source CLI for preparing EU Cyber Resilience Act (Regulation (EU) 2024/2847) Article 14 notifications for the ENISA Single Reporting Platform (SRP).
cra-scope builds the four notification payloads the CRA requires under
Article 14 (and the comparable structure of Article 15), validates them
against a stable JSON schema, resolves the designated CSIRT for each EU
Member State, and checks CVEs against the public CISA KEV catalogue.
It is the open-source core of the CRA Scope ecosystem. Use it to prepare payloads in CI, in scripts, or at the keyboard — then submit them through the ENISA SRP portal under your manufacturer's EU Login account, as required by EC FAQ §4.6.1.
For a fully managed workflow — compliance clocks, multi-product case management, evidence archival, board dashboards, CSIRT/SIEM/ITSM integrations, alerting, and audit trail — see CRA Scope SaaS.
What's in the box
| Stage | Article | Deadline | Builder |
|---|---|---|---|
| Early warning | 14(2)(a) / 14(4)(a) | 24 h | build early-warning |
| Vuln notification | 14(2)(b) | 72 h | build vuln-notification |
| Incident notification | 14(4)(b) | 72 h | build incident-notification |
| Final report (vuln) | 14(2)(c) | 14 d | build final-report |
| Final report (incident) | 14(4)(c) | 1 m | build final-report --report-subject-type severe_incident |
Plus:
cra-scope csirt <country>— resolve designated CSIRTcra-scope csirts— list all 27 EU Member State CSIRTscra-scope validate <payload.json>— validate a saved payloadcra-scope kev-check <CVE>— check CISA Known Exploited Vulnerabilities
Install
pip install cra-scope
Requires Python 3.10+.
Quick start
Build a 24-hour early warning for an actively exploited vulnerability:
cra-scope build early-warning \
--manufacturer-name "ACME GmbH" \
--manufacturer-country DE \
--manufacturer-contact security@acme.example \
--product-name "ACME Router" \
--product-version 2.4.1 \
--detection-timestamp 2026-05-17T10:00:00Z \
--vulnerability-id CVE-2026-12345 \
--suspected-malicious true \
--cross-border-impact true \
--preliminary-description "RCE in firmware update handler" \
--out early-warning.json
Then validate it before uploading:
cra-scope validate early-warning.json
# OK: payload is valid.
Check whether a CVE is actively exploited (CISA KEV):
cra-scope kev-check CVE-2024-3400
Library usage
from cra_scope_core import (
build_early_warning,
validate_notification,
resolve_csirt,
)
payload = build_early_warning(
manufacturer_name="ACME GmbH",
manufacturer_country="DE",
manufacturer_contact="security@acme.example",
product_name="ACME Router",
product_version="2.4.1",
product_category="network",
vulnerability_id="CVE-2026-12345",
detection_timestamp="2026-05-17T10:00:00Z",
suspected_malicious=True,
cross_border_impact=True,
)
errors = validate_notification(payload)
assert not errors
print(resolve_csirt("DE"))
# {'name': 'BSI CERT-Bund', 'id': 'CSIRT-DE-001'}
What this tool does NOT do
- It does not submit notifications to ENISA on your behalf. ENISA SRP
authentication uses EU Login (CAS), a closed government identity scheme;
Article 14 reporting is the manufacturer's non-delegable legal
obligation (EC FAQ §4.6.1).
cra-scopeprepares the payload — you upload it through the SRP portal. - It does not run a compliance clock, track multiple products, store evidence, page on-call engineers, push to your SIEM/ITSM, or produce a signed audit archive. Those are workflow concerns better handled by a managed platform — see CRA Scope SaaS.
- It is not legal advice. CRA Article 14 obligations apply from 11 September 2026; you remain responsible for your own compliance.
When to use this vs. CRA Scope SaaS
| You need… | Use |
|---|---|
| Build & validate a payload in a script | cra-scope |
| One-off vulnerability disclosure prep | cra-scope |
| Multi-product compliance clock + dashboard | CRA Scope SaaS |
| Continuous monitoring, alerts, on-call | CRA Scope SaaS |
| Signed audit archive, board reporting | CRA Scope SaaS |
| CSIRT / SIEM / ITSM integrations | CRA Scope SaaS |
Contributing
Issues and PRs welcome. This project follows Semantic Versioning and a Keep a Changelog changelog.
git clone https://github.com/Usingthefork/cra-scope-cli.git
cd cra-scope-cli
pip install -e ".[dev]"
pytest
License
Apache License 2.0 — see LICENSE and NOTICE.
cra-scope is not affiliated with, endorsed by, or sponsored by ENISA,
the European Commission, CISA, or any EU Member State CSIRT.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cra_scope-0.1.1.tar.gz.
File metadata
- Download URL: cra_scope-0.1.1.tar.gz
- Upload date:
- Size: 19.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
79e475d5d1ee26dba68f467529916afc79f0a5ce01e8a52626ed86bf73cabb4a
|
|
| MD5 |
65a8fe00187fa411393c647502571801
|
|
| BLAKE2b-256 |
f3627096dfb1c7204c4ec46d9368db0be2066eef19ead1331461a11a41927fc2
|
File details
Details for the file cra_scope-0.1.1-py3-none-any.whl.
File metadata
- Download URL: cra_scope-0.1.1-py3-none-any.whl
- Upload date:
- Size: 22.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
61f4fb8b4aa4fd5b3c47bc222f6959b515ba77d32e4ab80ad9c15ff5529a9714
|
|
| MD5 |
5d03af59b97369216f5e8fed3e9205ce
|
|
| BLAKE2b-256 |
120cf7f4c9630de44c3b565cf1353ada4e1288e92b62fee769fe60ae42964451
|
