---

Why This Exists

The CRA applies to every product with digital elements sold in the EU — software, IoT devices, industrial controllers, SaaS platforms. Manufacturers must ensure security by design, handle vulnerabilities within 24 hours, and maintain technical documentation for 10 years. Open-source projects used commercially have a new "open-source steward" category with lighter obligations.

This MCP classifies your product against CRA categories, assesses essential security requirements, checks vulnerability handling processes, and generates the conformity documentation.

Install

pip install cra-compliance-mcp

Tools

Tool	CRA Reference	What it does
classify_product	Art 6-8	Product category classification (default/important/critical)
assess_security_requirements	Annex I	Essential cybersecurity requirements check
check_vulnerability_handling	Art 14	24-hour vulnerability disclosure readiness
generate_documentation	Annex VII	Technical documentation generator
assess_supply_chain	Art 13	Software bill of materials + dependency audit
check_open_source_obligations	Art 25	Open-source steward obligations
run_full_audit	All	Complete CRA readiness assessment
sign_attestation	—	HMAC-SHA256 signed compliance certificate

Key Dates

Milestone	Date
Entry into force	10 December 2024
Vulnerability reporting obligations	11 September 2026
Full applicability	11 December 2027

Pricing

Tier	Price	What you get
Free	£0	10 calls/day
Pro	£199/mo	Unlimited + HMAC-signed attestations
Enterprise	£1,499/mo	Multi-tenant + co-branded reports

Subscribe to Pro · Enterprise

Attestation API

POST https://meok-attestation-api.vercel.app/sign
GET  https://meok-attestation-api.vercel.app/verify/{cert_id}

Also see: CRA Annex IV Classifier MCP for detailed Annex IV essential requirements.

Links

• Website: meok.ai
• All MCP servers: meok.ai/labs/mcp/servers
• Enterprise support: nicholas@csoai.org

License

MIT