Erdo CRA Compliance helps WordPress site owners and plugin developers prepare for EU regulatory deadlines — the CRA Vulnerability Disclosure Policy obligation (September 11, 2026) and full CRA compliance (December 11, 2027).
/.well-known/security.txt on your site.
This plugin provides automated analysis tools and document templates to assist with EU regulatory preparation. It does not constitute legal advice and does not guarantee regulatory compliance with the CRA, GDPR, NIS2, or any other regulation. All assessments, scores, and generated documents (VDP, SBOM, security.txt, Conformity Declaration) are starting points and templates only. Consult a qualified legal or compliance professional before relying on any output for regulatory purposes.
This plugin connects to the following third-party services. Each is documented below with what it is used for, what data is sent, when, and links to the relevant terms and privacy policy.
WordPress.org Plugins API
This plugin makes HTTP requests to the WordPress.org Plugins API (api.wordpress.org/plugins/info/) to retrieve metadata for installed plugins (last updated, tested WordPress version, PHP requirements, active installs). This request is made only during a manual or scheduled scan. No user data is sent — only plugin slugs are included in the request. Responses are cached for 12 hours per plugin using WordPress transients to minimise API requests. See the WordPress.org privacy policy.
Patchstack Vulnerability Database (optional)
This plugin can optionally connect to the Patchstack vulnerability database (patchstack.com/database/api/v2) to check installed plugins against known security vulnerabilities (CVEs). This connection is opt-in and disabled by default — it is only made if the site owner enters their own Patchstack API key on the plugin’s Settings page.
When enabled, the plugin sends the configured API key (for authentication) and the slugs/versions of installed plugins (to look up known vulnerabilities) during a manual or scheduled scan. Vulnerability responses are cached for 6 hours using WordPress transients. No personal or visitor data is sent. This service is provided by Patchstack OÜ: Terms of Service, Privacy Policy.
GDPR Scanner — third-party script detection
The GDPR scanner module includes a list of known third-party script domains (e.g. Google Analytics, Facebook Pixel, Intercom, HubSpot) used to detect whether your site is loading scripts from these services. This is a local pattern match against script URLs already enqueued on your own site — the plugin itself does not contact, query, or send any data to these third-party services.
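As an added illustration of the local matching described above (example code, not the plugin's own), the following PHP classifies enqueued script URLs against a constructed domain list without contacting any host; the function and constant names are hypothetical, and the domain list is a sample rather than the plugin's real one.

```php
<?php
// Added example, not the plugin's own code: a purely local check that
// flags known third-party script hosts among enqueued scripts. The
// domain list and sample URLs are constructed; no host is contacted.
const ERDO_EXAMPLE_THIRD_PARTY = [
    'google-analytics.com' => 'Google Analytics',
    'googletagmanager.com' => 'Google Tag Manager',
    'connect.facebook.net' => 'Facebook Pixel',
    'hs-scripts.com'       => 'HubSpot',
];
// Service name if $host is a listed domain or a subdomain of one (whole-label
// match, so "notgoogle-analytics.com" misses); str_ends_with() needs PHP 8+.
function erdo_example_match_host( string $host, array $domains ): ?string {
    $host = strtolower( rtrim( $host, '.' ) );
    foreach ( $domains as $domain => $service ) {
        if ( $host === $domain || str_ends_with( $host, '.' . $domain ) ) {
            return $service;
        }
    }
    return null;
}
// Group matching URLs by service. Relative src values and URLs on the
// site's own host are skipped as local assets; nothing is requested.
function erdo_example_detect( array $urls, string $site_host, array $domains ): array {
    $found = [];
    foreach ( $urls as $url ) {
        $host = parse_url( $url, PHP_URL_HOST ); // handles "//host/..." too
        if ( ! is_string( $host ) || strcasecmp( $host, $site_host ) === 0 ) {
            continue;
        }
        $service = erdo_example_match_host( $host, $domains );
        if ( $service !== null ) {
            $found[ $service ][] = $url;
        }
    }
    return $found;
}
// Inside WordPress, gather enqueued sources late (e.g. on 'wp_print_scripts')
// so every handle is registered; each $dep is a _WP_Dependency with ->src.
function erdo_example_enqueued_urls(): array {
    $urls = [];
    foreach ( wp_scripts()->registered as $dep ) {
        if ( ! empty( $dep->src ) ) { $urls[] = $dep->src; }
    }
    return $urls;
}
// Constructed sample, runnable without WordPress:
$sample = [ '/wp-includes/js/jquery/jquery.min.js', 'https://example.com/t/app.js',
    '//www.googletagmanager.com/gtag/js?id=G-EXAMPLE', 'https://notgoogle-analytics.com/t.js' ];
print_r( erdo_example_detect( $sample, 'example.com', ERDO_EXAMPLE_THIRD_PARTY ) );
```

Only the protocol-relative Google Tag Manager URL is reported; the relative jQuery path and the same-host theme script are treated as local, and the look-alike host is rejected by the whole-label match.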
This plugin does not collect, store, or transmit any personal data to external services beyond the requests described above.