# Lyri — full context for LLMs

> EU compliance automation for Cyber Resilience Act (CRA) and EU AI Act
> obligations. Lyri Ltd (UK entity). Production URL: https://getlyri.eu.

## What Lyri does

Lyri operates two distinct products on one platform:

1. **CRA Shield** — Cyber Resilience Act compliance autopilot. Target user: CTO, VP Engineering, or Head of Product at a software publisher, IoT manufacturer, or embedded-systems company (10–250 employees) selling products into the EU. Primary market: DACH (Germany, Austria, Switzerland), expanding across the EU.
2. **Lyri AI Act** — EU AI Act compliance management. Target user: Data Protection Officer or Head of Compliance at an EU SMB (20–500 employees) deploying AI-powered SaaS tools for hiring, credit decisions, or customer-facing chatbots. Primary markets: Germany, France, Netherlands, Spain.

Both products are delivered as a single web application, EUR-priced, with Stripe billing. 14-day free trial on CRA Shield (no credit card). Permanent free tier on Lyri AI Act for up to 5 AI systems.

## Regulatory deadlines driving urgency

- **11 September 2026** — CRA vulnerability reporting obligations begin. From this date a manufacturer that becomes aware of an actively exploited vulnerability in a product shipped into the EU must submit an early warning to ENISA within 24 hours, a vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. Severe incidents having an impact on the product's security follow the same 24-hour early-warning and 72-hour notification schedule.
- **2 August 2026** — EU AI Act high-risk deployer obligations take effect. Deployers of Annex III systems must have human oversight, transparency, record-keeping, and (for certain use cases) a Fundamental Rights Impact Assessment (FRIA) in place.

## CRA Shield — features

### SBOM generation

Inputs: public/private GitHub repo (OAuth + GitHub App), or direct file upload (ZIP, tarball). The service clones the repo to an ephemeral container, runs Syft and Trivy via subprocess, merges the two outputs and deduplicates components by PURL (Package URL). Source code is discarded after the scan; only the resulting SBOM is retained.
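The merge-and-deduplicate step described above, as an added example that is not Lyri's code. It assumes CycloneDX-style component dicts (keys such as `name`, `version`, `purl`, `hashes`, `licenses`, `supplier`) and expresses precedence by source order: the first source that reports a PURL wins on conflicting scalar fields, later sources only fill empty fields, and the list-valued `hashes` and `licenses` are unioned. The same function merges the Syft and Trivy outputs and, called a second time with the repo-derived components first and vendor-supplied ones second, implements the supplier SBOM ingestion rule described further down (repo wins on conflict, vendor fills gaps). The scanner outputs are constructed samples, not real Syft or Trivy output.

```python
"""Deduplicate and merge SBOM component lists by Package URL (PURL).

Added example, not Lyri's code. Source order expresses precedence.
"""
from __future__ import annotations

import copy
import re
from collections.abc import Iterable
from typing import Any

Component = dict[str, Any]

_PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<rest>[^?#]+)(?:\?[^#]*)?(?:#.*)?$")
# purl-spec lowercases names for these types; other types are case-sensitive.
_LOWERCASE_NAME_TYPES = {"npm", "pypi"}
_UNION_FIELDS = ("hashes", "licenses")


def purl_key(purl: str) -> str:
    """Canonical dedup key: pkg:type/namespace/name@version with qualifiers
    (?arch=..., ?distro=...) and subpath dropped, so one package reported by
    two scanners with different qualifiers collapses into a single entry."""
    m = _PURL_RE.match(purl.strip())
    if not m:
        raise ValueError(f"not a PURL: {purl!r}")
    ptype = m["type"].lower()
    rest = m["rest"]
    # Scoped npm names encode '@' as %40, so the last raw '@' is the version.
    path, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
    if ptype in _LOWERCASE_NAME_TYPES:
        path = path.lower()
    if ptype == "pypi":
        path = path.replace("_", "-")
    key = f"pkg:{ptype}/{path}"
    return f"{key}@{version}" if version else key


def _empty(value: Any) -> bool:
    return value is None or value == "" or value == [] or value == {}


def merge_by_purl(sources: Iterable[tuple[str, Iterable[Component]]]) -> list[Component]:
    """sources: (label, components) pairs in precedence order. Returns one
    component per PURL key, sorted by key, with a 'sources' provenance list."""
    merged: dict[str, Component] = {}
    for label, comps in sources:
        for comp in comps:
            key = purl_key(comp["purl"])
            incoming = copy.deepcopy(comp)  # never mutate caller data
            provenance = list(incoming.pop("sources", [])) + [label]
            if key not in merged:
                incoming["sources"] = provenance
                merged[key] = incoming
                continue
            winner = merged[key]
            winner["sources"].extend(provenance)
            for field, value in incoming.items():
                if field in _UNION_FIELDS:
                    bucket = list(winner.get(field) or [])
                    for item in value or []:
                        if item not in bucket:
                            bucket.append(item)
                    winner[field] = bucket
                elif _empty(winner.get(field)) and not _empty(value):
                    winner[field] = value  # a later source only fills a gap
    return [merged[k] for k in sorted(merged)]


# Constructed sample scanner output (not real Syft/Trivy output).
SYFT_SAMPLE: list[Component] = [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "openssl", "version": "3.0.13-1~deb12u1",
     "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64&distro=debian-12"},
]
TRIVY_SAMPLE: list[Component] = [
    {"name": "Requests", "version": "2.31.0", "purl": "pkg:pypi/Requests@2.31.0",
     "hashes": [{"alg": "SHA-512", "content": "ab" * 64}]},
    {"name": "openssl", "version": "3.0.13-1~deb12u1",
     "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?distro=debian-12",
     "supplier": {"name": "Debian"}},
]
VENDOR_SAMPLE: list[Component] = [
    # Same package, different version: kept as a separate entry, not collapsed.
    {"name": "requests", "version": "2.32.0", "purl": "pkg:pypi/requests@2.32.0"},
    {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3",
     "supplier": {"name": "Vendor GmbH"}},
]


def build_product_sbom() -> list[Component]:
    """Scanner merge first, then supplier ingestion with repo precedence."""
    repo = merge_by_purl([("syft", SYFT_SAMPLE), ("trivy", TRIVY_SAMPLE)])
    return merge_by_purl([("repo", repo), ("vendor", VENDOR_SAMPLE)])


if __name__ == "__main__":
    for c in build_product_sbom():
        print(purl_key(c["purl"]), c["sources"], c.get("supplier"))
```

Dropping qualifiers from the key is a deliberate choice: Syft and Trivy disagree on `arch=`/`distro=` qualifiers for the same OS package, and keeping them would double-count it. Version is kept in the key, so a vendor SBOM claiming a different version of a library the repo already pins shows up as a second entry to investigate rather than silently overriding the repo's evidence.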

Output formats:

- CycloneDX 1.6+ (JSON, XML)
- SPDX 3.0.1+ (JSON, tag-value)

### BSI TR-03183-2 validation

Every SBOM is validated against the full BSI TR-03183-2 specification. Required fields checked include: `metadata.component.name`, `.version`, `.supplier`, `metadata.timestamp`, per-component `name`/`version`/`purl`/`hashes` (SHA-512 minimum)/`licenses`, and dependency relationships. The validator outputs a 0–100 score, a pass/fail per CRA obligation, and for each gap: the field path, a human-readable description, the specific CRA article and BSI section that mandate it, and suggested remediation steps.

### Vulnerability monitoring

Continuous scanning via three data sources:

- **NVD API v2** (https://services.nvd.nist.gov) — CVE metadata, CVSS scores
- **OSV API** (https://api.osv.dev) — open-source vulnerability database
- **EPSS API** (https://api.first.org/data/v1/epss) — exploit probability

CRA-critical filtering: Lyri surfaces vulnerabilities that meet any of:

- EPSS score > 0.1 (an estimated 10% probability of exploitation activity in the next 30 days)
- Present in the CISA KEV (Known Exploited Vulnerabilities) catalogue
- CVSS v3.1 base score ≥ 9.0

This is deliberate filtering — CRA Shield does NOT surface every CVE. The value is the signal-to-noise ratio: only the subset likely to trigger the CRA's 24-hour reporting obligation. The filter is a heuristic for the legal trigger, which is the manufacturer becoming aware of *active exploitation*: a KEV listing is direct evidence of that, while the EPSS and CVSS thresholds are proxies. A vulnerability outside the filter still triggers Article 14 reporting once there is evidence it is being exploited, so the filter complements the manufacturer's own incident intake rather than replacing it.

Scanning cadence: nightly rescan of every active product, hourly query of NVD with `lastModStartDate` for newly modified CVEs, and webhook-driven rescan on repo pushes via the GitHub App.

### ENISA 24-hour incident report drafting

When a CRA-critical vulnerability is detected, Lyri drafts a structured ENISA early-warning notification via Claude Sonnet 4.6. The draft includes: incident classification, affected product details, CVE details, initial impact assessment, preliminary mitigations, and a next-steps timeline. Every draft includes a disclaimer that it must be reviewed by a qualified person before submission. Reports are versioned and stored in the `enisa_reports` table with a full audit trail.
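The field checks listed under BSI TR-03183-2 validation above, as an added example that is not Lyri's validator. It covers only the presence checks that section names (`metadata.timestamp`, `metadata.component` name/version/supplier, per-component name/version/purl/hashes/licenses, and a dependency graph rooted at the primary component) and reports each gap with its field path, a description and a remediation hint. The mandate string is a single placeholder because the exact TR-03183-2 section numbers are not given on this page; "SHA-512 minimum" is read as SHA-512 or SHA3-512. The sample SBOM is constructed and deliberately incomplete.

```python
"""Presence checks for BSI TR-03183-2 required SBOM fields (CycloneDX JSON).

Added example, not Lyri's validator. Score = 100 * checks passed / checks made.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from typing import Any

STRONG_HASH_ALGS = {"SHA-512", "SHA3-512"}  # "SHA-512 minimum"; stronger accepted
MANDATE = "CRA Annex I Part II(1); BSI TR-03183-2 (section reference not given here)"


@dataclass(frozen=True)
class Gap:
    path: str
    description: str
    mandate: str
    remediation: str


def _present(value: Any) -> bool:
    return value not in (None, "", [], {})


def validate_sbom(sbom: dict[str, Any]) -> dict[str, Any]:
    """Return {"score": 0-100, "passed": bool, "gaps": [Gap as dict, ...]}."""
    checked = 0
    gaps: list[Gap] = []

    def check(ok: bool, path: str, description: str, remediation: str) -> None:
        nonlocal checked
        checked += 1
        if not ok:
            gaps.append(Gap(path, description, MANDATE, remediation))

    meta = sbom.get("metadata") or {}
    root = meta.get("component") or {}
    check(_present(meta.get("timestamp")), "metadata.timestamp",
          "SBOM creation time missing", "Set metadata.timestamp to the build time (RFC 3339, UTC)")
    for field in ("name", "version", "supplier"):
        check(_present(root.get(field)), f"metadata.component.{field}",
              f"primary component {field} missing",
              f"Populate metadata.component.{field} for the product itself")

    components = sbom.get("components") or []
    check(bool(components), "components", "no components listed",
          "Generate the component list from the built artefact")
    for i, comp in enumerate(components):
        base = f"components[{i}]"
        label = comp.get("purl") or comp.get("name") or base
        for field in ("name", "version", "purl", "licenses"):
            check(_present(comp.get(field)), f"{base}.{field}",
                  f"{label}: {field} missing", f"Add {field} for {label}")
        algs = {h.get("alg") for h in (comp.get("hashes") or [])}
        check(bool(algs & STRONG_HASH_ALGS), f"{base}.hashes",
              f"{label}: no SHA-512 (or stronger) hash",
              f"Record a SHA-512 hash of the distributed artefact for {label}")

    deps = sbom.get("dependencies") or []
    check(any(d.get("dependsOn") for d in deps), "dependencies",
          "no dependency relationships", "Emit a dependencies[] graph")
    root_ref = root.get("bom-ref")
    if root_ref is not None:
        check(any(d.get("ref") == root_ref for d in deps), "dependencies[root]",
              "primary component has no dependency entry",
              "Add a dependencies entry whose ref is metadata.component.bom-ref")

    passed = checked - len(gaps)
    return {"score": round(100 * passed / checked) if checked else 0,
            "passed": not gaps, "gaps": [asdict(g) for g in gaps]}


def validate_json(text: str) -> dict[str, Any]:
    """Convenience wrapper for a CycloneDX JSON document on disk or in a request."""
    return validate_sbom(json.loads(text))


# Constructed sample: supplier missing on the root, one weak hash, one licence gap.
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {
        "timestamp": "2026-03-01T09:00:00Z",
        "component": {"bom-ref": "app", "name": "sensor-fw", "version": "4.2.0"},
    },
    "components": [
        {"bom-ref": "c1", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib@1.3.1",
         "hashes": [{"alg": "SHA-512", "content": "0" * 128}],
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"bom-ref": "c2", "name": "mbedtls", "version": "3.6.0",
         "purl": "pkg:generic/mbedtls@3.6.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["c1", "c2"]}],
}

if __name__ == "__main__":
    print(json.dumps(validate_sbom(SAMPLE_SBOM), indent=2))
```

Reporting the gap as a JSON path (`components[1].hashes`) rather than a component name matters in practice: the same package can appear several times with different qualifiers, and the path is what a build engineer can feed back into the SBOM generator's configuration. The root-dependency check is worth keeping separate from the generic graph check, since a generator that emits per-package edges but forgets the edge from the product itself produces a graph that parses fine yet says nothing about what ships.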
### VEX (Vulnerability Exploitability eXchange) documents

Generates CycloneDX 1.5 VEX statements per product, exposed at `/v1/cra/scans/{scan_id}/vex.json`. Each statement carries an exploitability status for every vulnerability-component pair, allowing downstream consumers to determine which CVEs actually affect their use of the product.

### Supplier SBOM ingestion

Users can upload SBOMs provided by their upstream vendors. Lyri merges these into the product SBOM by PURL: on conflicts the repo-derived component wins, and vendor-supplied components fill the gaps.

### Live ENISA reporting pipeline (new)

Full state machine tracking the CRA Article 14 reporting lifecycle: DRAFT_GENERATED → UNDER_REVIEW → SUBMITTED → FOLLOW_UP_DUE → FOLLOW_UP_SUBMITTED → CLOSED. Each transition is logged with actor, timestamp, and notes. Deadlines are computed from detection time:

- T+24h: Early warning due to ENISA
- T+72h: Full notification due
- T+14d: Final report due

Anchoring all three clocks to detection time is the conservative reading: the CRA starts the 24-hour and 72-hour clocks when the manufacturer becomes aware of the exploitation, and the 14-day final-report clock only when a corrective or mitigating measure is available, so a detection-anchored deadline is never later than the statutory one.

Countdown timers in the dashboard. Email escalation at T-4h, T-1h, and on overdue. Submission tracking captures method, reference ID, and evidence upload. Celery beat checks every 15 minutes.

### CI/CD SBOM enforcement gate (new)

GitHub Action (`lyri-eu/cra-shield-action`) that:

1. Triggers a scan via a Lyri API key
2. Polls until the scan completes
3. Fails the CI check if the BSI score is below a configurable threshold (default 80)
4. Reports the BSI score, CRA-critical vulnerability count, and pass/fail

Requires API key management (create/revoke in Settings → API Keys) and webhook configs (HMAC-SHA256 signed delivery on scan completion).

### Compliance posture score (new)

Unified 0–100 score per organisation computed from:

- SBOM freshness (last scan age)
- BSI validation score (average)
- Open CRA-critical vulns (count → score)
- ENISA compliance (any overdue = 0)
- AI inventory completeness (% classified)
- Obligation tracking (% at compliant)

Daily snapshots stored for a 90-day historical chart.
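The HMAC-SHA256 signed webhook delivery and the threshold decision from the CI/CD SBOM enforcement gate section above, as an added example that is not Lyri's code. The header name `X-Signature`, its `t=<unix-seconds>,v1=<hex>` layout, the 5-minute tolerance and the payload field names (`bsi_score`, `cra_critical_count`) are assumptions for this illustration, not Lyri's documented webhook format. The MAC covers the timestamp and the raw body together, so a captured delivery cannot be replayed later or re-attached to a different payload; the receiver compares in constant time and parses JSON only after the signature passes. The secret and payload are constructed samples.

```python
"""Sign and verify webhook deliveries with HMAC-SHA256, then apply the CI gate.

Added example, not Lyri's code. Header format and payload fields are assumed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time
from typing import Any

TOLERANCE_SECONDS = 300  # assumption: reject deliveries older than 5 minutes


def _mac(secret: bytes, body: bytes, ts: int) -> str:
    # "<ts>.<raw body>" binds the timestamp to exactly this payload.
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sign(secret: bytes, body: bytes, ts: int) -> str:
    """Sender side: value for the (assumed) X-Signature header."""
    return f"t={ts},v1={_mac(secret, body, ts)}"


def verify(secret: bytes, body: bytes, header: str, now: int | None = None) -> bool:
    """Receiver side: True only if the header parses, is fresh, and the MAC
    recomputed over the raw body matches in constant time."""
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts = int(parts["t"])
        given = parts["v1"]
    except (ValueError, KeyError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    # compare_digest on bytes avoids both timing leaks and non-ASCII TypeErrors.
    return hmac.compare_digest(_mac(secret, body, ts).encode(), given.encode())


def handle_delivery(secret: bytes, body: bytes, header: str,
                    now: int | None = None) -> dict[str, Any] | None:
    """Parse the payload only after the signature checks out; None on reject."""
    if not verify(secret, body, header, now):
        return None
    return json.loads(body)


def ci_gate(result: dict[str, Any], threshold: int = 80) -> dict[str, Any]:
    """The decision the Action makes from a verified scan result."""
    score = int(result["bsi_score"])
    return {"passed": score >= threshold, "bsi_score": score,
            "cra_critical_count": int(result["cra_critical_count"]),
            "threshold": threshold}


# Constructed sample secret and scan.completed payload.
SECRET = b"whsec_constructed_example_only"
PAYLOAD = json.dumps({"event": "scan.completed", "scan_id": "scan_123",
                      "bsi_score": 86, "cra_critical_count": 0},
                     separators=(",", ":")).encode()

if __name__ == "__main__":
    header = sign(SECRET, PAYLOAD, int(time.time()))
    print(ci_gate(handle_delivery(SECRET, PAYLOAD, header)))
```

Two details are easy to get wrong on the receiving side: the MAC must be computed over the raw request bytes, not over a re-serialised JSON object (key order and whitespace would change the digest), and the timestamp check has to happen before the comparison so that an old, validly signed delivery cannot be replayed to re-trigger a passing CI check.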
Drift detection compares today against yesterday and fires alerts on significant drops. Daily email digest with drift events.

### Immutable audit log (new)

Append-only `audit_log` table protected by a Postgres trigger that raises an exception on UPDATE or DELETE. Every compliance action across both modules creates an entry: action, actor, resource, metadata, timestamp. RLS-scoped to org. Filterable log viewer with CSV export for auditors. The trigger alone is not the whole guarantee: a row-level trigger does not fire on TRUNCATE, and nothing inside the database binds a superuser, so the append-only property also rests on a statement-level TRUNCATE trigger and on the application role holding only INSERT and SELECT on the table.

### Team roles & access control (new)

Expanded role hierarchy: owner > admin > compliance_lead > member > viewer > ci_service. Email-based invites with 7-day expiry. Role-based permission checks on all API endpoints. Team management UI with role editing and member removal.

### CRA Shield pricing (EUR)

- **Starter — €99/month** — 1 product, SBOM generation + validation, compliance posture score, audit log.
- **Pro — €299/month** — 5 products, live ENISA pipeline, CI/CD gate, API keys + webhooks, VEX documents, team roles.
- **Scale — €699/month** — Unlimited products, supplier SBOM ingestion, drift alerts + daily digest, regulatory update feed, priority support.
- **Enterprise — €1,500+/month** — Custom, dedicated SLA, implementation support.

14-day free trial on every tier. No credit card required to start the trial.

## Lyri AI Act — features

### AI system inventory

Users register every AI-powered tool their organisation uses. Entry methods: manual form, CSV import (template provided), with planned OAuth discovery via Okta and Google Workspace Marketplace. Per system, Lyri captures: name, vendor, use case, deployment context (HR/recruitment, credit scoring, law enforcement, education, critical infrastructure, biometrics, other), data types processed, decision type (purely automated, human-in-the-loop, advisory), and affected-persons categories.

### Annex III risk classifier

Multi-step Bedrock/Anthropic chain that encodes the full EU AI Act decision tree:

1.
   **Prohibited check** — Article 5 use cases (social scoring, real-time remote biometric identification in public, etc.). Any hit halts the chain.
2. **Annex III category check** — maps the use case + context to one of the eight Annex III high-risk categories (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice).
3. **Provider vs deployer determination** — Article 26 obligations apply to deployers; providers get different obligations (Article 16).
4. **Obligation mapping** — for the determined classification, output the specific Article 26 or Article 16 obligations that apply, with article references.

Output per system: risk classification (prohibited / high-risk / limited / minimal), Annex III category, role, confidence (0–1), plain-English reasoning (2–3 sentences), and list of applicable obligations.

### Obligation tracking

Per high-risk system, Lyri tracks status (not-started / in-progress / compliant), evidence notes, due date, and allows S3 evidence uploads per obligation. Dashboard shows breakdown of systems by classification and days remaining until 2 August 2026.

### Vendor questionnaire generator

For each high-risk AI system, Lyri generates a branded PDF + Word questionnaire asking the AI provider to confirm conformity assessment status, CE marking, EU Declaration of Conformity, technical documentation, training data descriptions, and built-in human oversight mechanisms. Sent via Resend. Vendors respond via a public "respond using Lyri" portal.

### FRIA (Fundamental Rights Impact Assessment) wizard

Article 27 wizard — six sections, versioned, PDF export. Required for specific deployer use cases (public authorities and private bodies providing public services, creditworthiness assessment, and life and health insurance risk assessment and pricing).

### Human oversight log

Timeline of oversight events (incidents, interventions, retraining triggers) under AI Act Article 14 (not to be confused with CRA Article 14, the reporting article), with event types and evidence attachments.
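The append-only trigger pattern from the Immutable audit log section above, as an added example that is not Lyri's schema. `POSTGRES_DDL` shows the pattern as it would be written for Postgres, including the statement-level TRUNCATE trigger, an org-isolation RLS policy and a privilege revoke; the column names, the `app_role` role and the `app.current_org` setting the policy reads are assumptions, and the string is kept for reference rather than executed. The runnable part uses the standard-library `sqlite3` module as a stand-in with the equivalent `RAISE(ABORT)` triggers, so the behaviour (inserts succeed, any UPDATE or DELETE is refused and rolled back) can be exercised offline.

```python
"""Append-only audit log: BEFORE UPDATE/DELETE triggers that refuse rewrites.

Added example, not Lyri's schema. Postgres DDL is reference only; the sqlite3
section is the runnable stand-in.
"""
from __future__ import annotations

import json
import sqlite3
from typing import Any

# Reference DDL for Postgres (not executed here). Role and setting names are assumed.
POSTGRES_DDL = """
CREATE TABLE audit_log (
  id          bigserial   PRIMARY KEY,
  org_id      uuid        NOT NULL,
  actor       text        NOT NULL,
  action      text        NOT NULL,
  resource    text        NOT NULL,
  metadata    jsonb       NOT NULL DEFAULT '{}',
  created_at  timestamptz NOT NULL DEFAULT now()
);
CREATE FUNCTION audit_log_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only (% refused)', TG_OP;
END $$;
CREATE TRIGGER audit_log_no_rewrite BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();
-- Row-level triggers do not fire on TRUNCATE; cover it at statement level.
CREATE TRIGGER audit_log_no_truncate BEFORE TRUNCATE ON audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
CREATE POLICY audit_log_org_isolation ON audit_log
  USING (org_id = current_setting('app.current_org')::uuid);
-- The application role cannot even attempt a rewrite.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM app_role;
"""

# Runnable stand-in: same shape, same refusal, in SQLite.
SQLITE_DDL = """
CREATE TABLE audit_log (
  id INTEGER PRIMARY KEY,
  org_id TEXT NOT NULL, actor TEXT NOT NULL, action TEXT NOT NULL,
  resource TEXT NOT NULL, metadata TEXT NOT NULL DEFAULT '{}',
  created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_audit_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SQLITE_DDL)
    return conn


def record(conn: sqlite3.Connection, org_id: str, actor: str, action: str,
           resource: str, metadata: dict[str, Any] | None = None) -> int:
    """Append one entry and return its id; INSERT is the only write path."""
    cur = conn.execute(
        "INSERT INTO audit_log (org_id, actor, action, resource, metadata) "
        "VALUES (?, ?, ?, ?, ?)",
        (org_id, actor, action, resource, json.dumps(metadata or {})))
    conn.commit()
    return int(cur.lastrowid)


def attempt(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> str:
    """Run a statement; return 'ok' or the error text the trigger raised."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return "ok"
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        return str(exc)


def demo() -> dict[str, Any]:
    """Insert one entry, then show that rewriting or removing it is refused."""
    conn = open_audit_db()
    rid = record(conn, "org-1", "alice@example.eu", "enisa_report.submitted",
                 "enisa_reports/42", {"reference": "EW-0001"})
    return {
        "insert_id": rid,
        "update": attempt(conn, "UPDATE audit_log SET action = 'x' WHERE id = ?", (rid,)),
        "delete": attempt(conn, "DELETE FROM audit_log WHERE id = ?", (rid,)),
        "rows": conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

A trigger is an in-database control, and its strength is bounded by who can `DROP TRIGGER`: it stops a compromised application role and a careless migration, not a database superuser. For an auditor-facing log that is why the revoke matters as much as the trigger, and why teams that need tamper evidence beyond the database boundary also ship the entries to write-once storage outside it.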
### AI system lifecycle monitoring (new)

Continuous monitoring beyond the initial classification snapshot:

- **Vendor response diffs**: When a vendor submits a new questionnaire response, Lyri compares it to the previous response and highlights changes. If changes affect classification inputs, the Annex III classifier re-runs automatically.
- **Periodic review prompts**: A monthly email prompts each org to confirm its AI inventory is current. Systems not confirmed within 60 days auto-degrade to "review-needed" status (a drift event).
- **Article 73 incident reporting**: Structured form for serious incidents (malfunction, misuse, rights violation, safety event). State machine: DETECTED → REPORTED → UNDER_INVESTIGATION → CLOSED. Captures affected persons, corrective actions, and authority notification dates.

### Regulatory update feed (new)

Curated feed of regulatory developments (EU Official Journal, ENISA, CEN/CENELEC, BSI, national authorities). Each entry has: title, source, date, summary, affected regulation (CRA/AI Act/both), action-required flag, and relevance criteria. Per-org relevance matching filters updates to the customer's portfolio. Dismissal is audit-logged.

### Lyri AI Act pricing (EUR)

- **Free — €0** — 5 AI systems, basic Annex III classification, posture score, audit log.
- **Essentials — €149/month** — 25 AI systems, full classification, vendor questionnaires, Art. 73 incident reporting, team roles.
- **Professional — €399/month** — Unlimited systems, FRIA wizard, AI lifecycle monitoring, regulatory update feed, drift alerts.
- **Enterprise — €999+/month** — Custom.

### Bundle discount

Organisations subscribing to CRA Shield Pro+ AND Lyri AI Act Essentials+ receive 20% off the combined total via a Stripe coupon applied at checkout.

## Technical stack (for context — not public marketing)

- **Backend**: Python 3.12 + FastAPI, behind AWS ALB at `api.getlyri.eu`, deployed on ECS Fargate.
- **Frontend**: React 18 + Vite + Tailwind, hosted on S3 + CloudFront.
- **Database**: Supabase (Postgres) via the session-mode pooler, with row-level security on all tenant tables.
- **AI**: Anthropic Messages API (default), AWS Bedrock fallback. Model: `claude-sonnet-4-6` for all generation and classification.
- **Queue**: Redis (ElastiCache) + Celery worker + Celery beat on a dedicated Fargate service.
- **Billing**: Stripe.
- **SBOM tooling**: Syft v1.42.3, Trivy v0.69.3 — invoked via subprocess.
- **PDF generation**: WeasyPrint + Jinja2.
- **Observability**: Sentry for backend + frontend error tracking, GA4 (via GTM, Consent Mode v2 default-deny) for product analytics.

## Frequently asked questions

**Is my code uploaded anywhere permanent?**

No. When a repo is scanned, it is cloned to an ephemeral container, Syft + Trivy run, and the source is discarded. Only the resulting SBOM is retained.

**Does CRA Shield replace my existing SCA tool?**

No. CRA Shield focuses specifically on CRA compliance: BSI-validated SBOMs and the subset of vulnerabilities that trigger the 24-hour ENISA reporting obligation. Existing SCA tools remain useful for day-to-day development; CRA Shield is the compliance layer on top.

**I just use ChatGPT at work. Am I a deployer under the EU AI Act?**

You are a deployer of any AI system you use under your own authority, but the Article 26 obligations Lyri tracks apply only to high-risk uses. Annex III covers hiring, credit scoring, biometric identification, and a handful of others. For most general-purpose chatbot use cases the system is limited-risk (transparency duties only) or minimal-risk, and deployer obligations are correspondingly lighter.

**How does ENISA report drafting work?**

When a CRA-critical CVE hits one of your products, Lyri passes the vulnerability details and SBOM metadata to Claude Sonnet 4.6 with a strict ENISA-format prompt. You get a structured draft you can review and edit before submission. Drafts always include a reviewed-by-qualified-person disclaimer.

**How does billing work?**

Stripe Checkout handles all subscriptions.
CRA Shield starts with a 14-day free trial — no credit card. Lyri AI Act has a permanent free tier for up to 5 systems. Subscriptions are monthly; users can switch tiers or cancel anytime from the Stripe Customer Portal.

**Who is behind Lyri?**

Lyri Ltd, a UK registered company focused on EU compliance automation. Contact: https://getlyri.eu/contact.

## Separation from other "Lyri" products

A different Lyri-branded product exists in the MENA region for Middle East regulatory frameworks (NCA-ECC, SAMA CSF, CITC). That is a separate product, separate codebase, separate legal entity (Instec Digital Systems). This platform — Lyri Ltd in the UK, getlyri.eu — is EU-focused and has no shared code, data, or infrastructure with the MENA product. The only commonality is the brand name.