Product

Autovion Ledger

Autovion Ledger is a German-hosted, EU-sovereign system of record for open-source security and compliance, continuously tracking risk and enabling governance, auditability, and AI-driven automation across the software supply chain.

Benefits

Continuous System of Record

Maintains a time-stamped, traceable record of OSS components, vulnerabilities, and remediation actions to support CRA technical documentation and lifecycle accountability.

Built-in Governance & Automation

Enforces security and license policies in CI/CD, automates risk triage, and operationalizes secure-by-design controls expected under the EU Cyber Resilience Act.

Audit-Ready by Design

Produces defensible evidence for conformity assessments, including vulnerability handling history, policy decisions, and corrective actions required for CRA readiness.

EU-Sovereign & German-Hosted

Keeps compliance data within EU jurisdiction on German infrastructure, supporting data residency, regulatory assurance, and trusted CRA-era governance for European enterprises.

Vulnerability & License Intelligence

Correlates dependencies with up-to-date vulnerability feeds and license data to surface security risk and compliance obligations in the context of your actual OSS usage.

AI Agent Framework

Provides a structured foundation for intelligent agents to monitor change, verify compliance, recommend remediation, and automate governance workflows based on Ledger's recorded state.

Policy-Based Compliance Enforcement

Enables teams to define open-source policies and automatically verify, flag, or block changes that violate security or license requirements across repositories and releases.

Continuous Dependency Tracking

Provides an always-current view of open-source dependencies and version changes across repositories and builds, so teams can detect risky updates and inconsistent OSS usage before they reach production.

It's For Development TeamsLegal & Compliance TeamsSecurity Teams

Enterprises rely heavily on open-source software, yet managing compliance, security, and legal obligations at scale presents significant challenges:

Autovion Ledger provides a comprehensive platform to govern your open-source ecosystem with confidence, ensuring compliance while maintaining development velocity.

Select a compliance module to view module-specific capabilities.

Key Features - EU Cyber Resilience Act

Support EU CRA Article 13/14 obligations with SBOM integrity, vulnerability lifecycle controls, incident reporting, and Annex V conformity documentation.

CRA-Ready SBOM Export

Generate CycloneDX SBOMs with SHA-256 integrity hashing for traceable software supply chain evidence.

Article 14 Incident Reporting

Create and manage incidents with auto-calculated reporting deadlines (24h / 72h / 14d).

Annex V Conformity Reports

Produce draft and signed conformity reports for internal review and regulatory submission workflows.

Vulnerability Lifecycle Management

Track vulnerabilities from detected -> triaged -> patching -> verified -> closed with accountable ownership.

CRA Compliance Dashboard

View project-level readiness scoring and checklist status to identify compliance gaps quickly.

ENISA Notification Templates

Generate structured 24h/72h/14d notification templates aligned with CRA incident communication expectations.

Standards & Frameworks Coverage

Autovion Ledger's continuous evidence model maps directly to the regulations and standards European software teams are evaluated against.

EU Cyber Resilience Act (CRA)

CycloneDX SBOM export with SHA-256 integrity, Article 14 incident reporting timers (24h / 72h / 14d), Annex V conformity drafts, and CE-marking-ready documentation trails.

NIS2 Directive

Incident records, vulnerability disclosure timelines, and supply-chain risk evidence aligned with NIS2 reporting expectations for software vendors and essential entities.

ISO 27001

Versioned audit logs, access-controlled governance records, and policy-enforcement trails that support an ISMS evidence base for ISO 27001 certification scope.

BSI C5 (Type 2)

EU-resident hosting on IONOS Cloud (Berlin) inherits the BSI C5 Type 2 platform certification, supporting Cloud Computing Compliance Criteria Catalogue assessments.

ISO 26262 (coming soon)

Functional-safety governance module for automotive software - safety artifact traceability, impact-oriented risk classification, and release-gate alignment.

UNECE WP.29 R155 / R156

Vehicle-type CSMS and SUMS workflows: TARA progress, RxSWIN-linked configurations, controlled update campaigns, and audit-ready cybersecurity assurance evidence.

Automotive SPICE evidence trails

Process-execution records, approvals, and corrective-action history for OSS-related sub-processes - supporting capability assessments without replacing your QMS.

Secure-by-design principles

Policy-controlled change governance, dependency tracking, and continuous vulnerability lifecycle management - operationalizing CRA's secure-by-design and secure-by-default expectations.

Frequently Asked Questions

Does Autovion Ledger help with EU CRA Article 13 and Article 14 obligations?+

Yes. Article 13 essential cybersecurity requirements are supported through continuous SBOM tracking, vulnerability lifecycle management, and policy-enforced secure-by-design controls. Article 14 vulnerability and incident reporting is handled through Ledger's incident module with auto-calculated 24-hour, 72-hour, and 14-day reporting deadlines and ENISA-aligned notification templates.

What SBOM formats does Autovion Ledger generate?+

Autovion Ledger generates CycloneDX SBOMs with SHA-256 integrity hashing for traceable software supply chain evidence. CycloneDX is the format aligned with the EU CRA's technical documentation expectations and supports VEX (Vulnerability Exploitability eXchange) statements for accurate risk communication.

How does Autovion Ledger support NIS2 compliance?+

Ledger maintains the auditable evidence trail NIS2 reporting depends on: dependency and vulnerability posture over time, incident records with 24h/72h/1-month reporting timers, supply-chain transparency for third-party software, and policy-controlled change governance. This is especially relevant for software vendors classified as Important or Essential entities.

Where is Autovion Ledger hosted, and does it meet EU data residency requirements?+

Autovion Ledger runs on IONOS Cloud in Berlin, Germany. Customer governance data - SBOMs, vulnerabilities, audit logs, organization records - stays within EU jurisdiction. The platform inherits IONOS's ISO 27001 and BSI C5 Type 2 certifications, supporting EU digital sovereignty and German data protection requirements.

How does Autovion Ledger differ from traditional SCA tools like Black Duck or FOSSA?+

Traditional SCA tools are scan-centric: they produce point-in-time reports. Autovion Ledger is a continuous system of record - it maintains a time-stamped, queryable history of OSS components, vulnerabilities, and remediation actions across releases. That historical, audit-ready model is what CRA conformity assessments and ISO 27001 audits actually need, not just a fresh scan.

How does Autovion Ledger handle vulnerability disclosure deadlines?+

Ledger tracks each vulnerability through detected → triaged → patching → verified → closed states with accountable ownership. Reporting deadlines for CRA Article 14 (24h initial notification, 72h update, 14-day final report) are auto-calculated from the trigger event, with structured notification templates aligned with ENISA expectations.

Does Autovion Ledger support ISO 27001 audits?+

Yes. Ledger's versioned audit logs, access-controlled governance records, and policy-enforcement trails contribute to the ISMS evidence base auditors expect. While Ledger doesn't replace a full ISO 27001 toolset, it covers the OSS, supply-chain, and vulnerability-management evidence requirements that ISO 27001 Annex A controls increasingly demand.

Can Autovion Ledger generate VEX (Vulnerability Exploitability eXchange) statements?+

Yes. Ledger's vulnerability lifecycle data - including triage decisions, exploitability assessments, and not-affected justifications - is structured to emit VEX statements alongside CycloneDX SBOMs. This is increasingly important for downstream customers and regulators evaluating real-world risk versus theoretical CVE presence.

Why Autovion Ledger

Dimension	Traditional Tools (e.g. Black Duck, FOSSA)	Autovion Ledger
Core model	Scan-centric reports	Continuous system of record
Time awareness	Point-in-time	Historical, time-based truth
Governance	External / manual	Built-in, automatable
OSPO fit	Adapted	Native by design
AI readiness	Add-on features	Foundation-level
Data residency	Often US-hosted	German cloud (EU sovereignty)