Secure-by-design

CRA ready for September 11, 2026

Echo delivers CVE-free containers, built for enterprises needing evidence-grade compliance under CRA, NIS2, DORA, FedRAMP, and other regulated regimes, without adding engineering headcount.

Compliance-grade, by design

  • Evidence outputs for BSI, ANSSI, AgID, INCIBE, and other national market surveillance authorities
  • SBOMs in SPDX and CycloneDX for every tag, signed with Sigstore's cosign
  • FIPS 140-3 validated and STIG-hardened variants

Instant time to value

  • Engineering hours saved on FIPS-validated images
  • Average remediation time
  • Reporting and triaging time
  • CVEs eliminated to align with NIST SP 800-53
“Thanks to Echo, zero vulnerabilities showed up, everything was compliant, and the auditor was super satisfied. It was a smooth ride.”

Lior Chen, Deputy CTO

CRA obligations met, without adding headcount

  • Speed without sacrifice

    Achieve CRA compliance faster with vulnerability-free, hardened, SBOM-ready container images and libraries.

  • Hundreds of thousands saved

    Reduce engineering and security costs by offloading CVE remediation, hardening, and ENISA reporting requirements.

  • No release delays

    Avoid the engineering drag of CRA work blocking your release pipeline. Compliance posture stays current automatically.

  • Audit-ready evidence

    SBOMs, provenance attestations, and CVE history outputs, consumable directly by external auditors and certification bodies.

“With Echo, we not only get vulnerability-free container images – they’re also hardened and FIPS validated.”

Chris Long, Director of IT & Security

The smoothest path to CRA

  • Policy compliant cryptography

    Echo images ship with FIPS 140-3 validated cryptographic modules, aligned with the standards EU authorities reference, to meet the CRA's essential requirements for data protection and integrity.

  • SBOM transparency

    Echo images and libraries ship with SBOMs in both SPDX and CycloneDX. Every tag carries its own SBOM, satisfying the CRA's mandatory component traceability requirement.

  • Hardened and minimal by design

    Each image is pre-hardened, with secure configurations applied to meet the CRA's 'security by design' mandate.

  • Provenance and attestation

    All software artifacts, including images, SBOMs, and provenance, are signed and verifiable with industry-standard tooling such as Sigstore's cosign.

  • Constant CVE monitoring

    Automated scanning, reporting, and a documented justification for every unfixed vulnerability support the CRA's 24-hour ENISA early-warning deadline for actively exploited vulnerabilities.

  • Strong cryptography across dependencies

    Images and libraries ship with strong, standards-aligned cryptographic modules, so the same assurance extends across your entire software supply chain rather than stopping at the base image.
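Because a tag ships both an SPDX and a CycloneDX SBOM, the first thing an auditor (or your own pipeline) should do is confirm the two documents describe the same component set. The script below is an added example of that cross-check; it is not Echo's tooling, and both SBOM documents are constructed inline for illustration (a real run would load the two files a tag ships with). It keys components on Package URL (purl) where present, falling back to name@version, so the two formats can be compared component by component.

```python
"""Cross-check the SPDX and CycloneDX SBOMs shipped for one image tag.

Added example, not Echo's tooling. Both documents below are constructed
inline for illustration and do not describe a real image.
"""
import json

# Constructed CycloneDX 1.5 JSON document (illustrative content only).
CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13?arch=amd64"},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:deb/debian/zlib@1.3.1?arch=amd64"},
        {"type": "library", "name": "curl", "version": "8.7.1",
         "purl": "pkg:deb/debian/curl@8.7.1?arch=amd64"},
    ],
})

# Constructed SPDX 2.3 JSON document for the same tag. curl is missing and
# zlib carries a different version; the check must surface both.
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.13",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.13?arch=amd64"}]},
        {"name": "zlib", "versionInfo": "1.3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/zlib@1.3?arch=amd64"}]},
    ],
})


def _strip_qualifiers(purl):
    """Drop purl qualifiers and subpath so arch/distro hints don't cause false diffs."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def components_from_cyclonedx(doc):
    """Return {key: (name, version)} for every component in a CycloneDX JSON doc."""
    out = {}
    for comp in doc.get("components", []):
        name, version = comp.get("name", ""), comp.get("version", "")
        key = _strip_qualifiers(comp["purl"]) if comp.get("purl") else f"{name}@{version}"
        out[key] = (name, version)
    return out


def components_from_spdx(doc):
    """Return {key: (name, version)} for every package in an SPDX 2.x JSON doc."""
    out = {}
    for pkg in doc.get("packages", []):
        name, version = pkg.get("name", ""), pkg.get("versionInfo", "")
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        key = _strip_qualifiers(purl) if purl else f"{name}@{version}"
        out[key] = (name, version)
    return out


def diff_sboms(cyclonedx_text, spdx_text):
    """Compare the two documents; return (only_in_cyclonedx, only_in_spdx) as sorted key lists.

    A version mismatch appears as one key on each side because the purl embeds
    the version. Two empty lists mean the formats describe the same component set.
    """
    cdx = components_from_cyclonedx(json.loads(cyclonedx_text))
    spdx = components_from_spdx(json.loads(spdx_text))
    return sorted(set(cdx) - set(spdx)), sorted(set(spdx) - set(cdx))


if __name__ == "__main__":
    only_cdx, only_spdx = diff_sboms(CYCLONEDX_JSON, SPDX_JSON)
    for key in only_cdx:
        print(f"only in CycloneDX: {key}")
    for key in only_spdx:
        print(f"only in SPDX:      {key}")
    print("SBOMs agree" if not (only_cdx or only_spdx) else "SBOMs disagree")
```

On the constructed input the script reports curl as present only in the CycloneDX document and zlib at two different versions, which is exactly the kind of discrepancy that would undermine the SBOM as traceability evidence in a conformity assessment. Stripping purl qualifiers is a deliberate choice: arch or distro qualifiers often differ between generators without the underlying component differing, so keeping them would produce noise rather than findings.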

Evidence auditors actually accept

Echo's outputs are designed for the workflows European audit and certification bodies use during CRA conformity assessments and ongoing compliance reviews.

  • CRA conformity report

    Detailed reports covering the CRA essential requirement checks, with all components pre-built to pass conformity assessment, so no translation work is needed.

  • Verifiable chain of custody

    Software components are signed and attested with Sigstore's cosign, giving auditors a cryptographically verifiable chain of custody from build to deployment.

Why not just DIY?

Echo images are built to pass audits right off the bat, saving you the time and engineering resources needed to achieve CRA-readiness on your own.

Per-image cost of doing each CRA task yourself, versus with Echo:

  • Security hardening: harden and test security controls across images and libraries. DIY: $2,000 - $5,000 per image. With Echo: included.
  • SBOM generation: generate SPDX/CycloneDX SBOMs for every component. DIY: $3,000 - $8,000 per image. With Echo: included.
  • Continuous CVE management: monitor and remediate vulnerabilities across the full dependency tree. DIY: $115,000 - $230,000 per image. With Echo: included.
  • ENISA vulnerability reporting: report actively exploited vulnerabilities within the 24-hour legal deadline. DIY: $5,000 - $10,000 per image. With Echo: included.
  • Total cost per image: DIY: $125,000 - $253,000. With Echo: included.

Frequently asked questions

Reporting obligations to ENISA (24-hour early warning, 72-hour vulnerability notification, 14-day final report) sit with the manufacturer of the end product. Echo provides the evidence layer (SBOMs, real-time CVE status, provenance attestations) so your team can meet those deadlines without scrambling and document them for BSI, ANSSI, or whichever national authority is responsible for your market.

The same foundation that gets you CRA-ready also supports DORA reporting for financial services, NIS2 compliance for KRITIS and essential services, FedRAMP authorization for US federal business, ISO 27001:2022 re-certification, FIPS and STIG requirements, and ongoing CVE reduction across your entire image estate.

Echo provides the evidence that national market surveillance authorities across the EU expect in CRA conformity assessments and post-incident reviews. This includes the Bundesamt für Sicherheit in der Informationstechnik (BSI) in Germany, ANSSI in France, AgID in Italy, INCIBE in Spain, and equivalent bodies in other member states.