Question 1

What is the Cyber Resilience Act?

Accepted Answer

The Cyber Resilience Act (CRA) is an EU regulation establishing mandatory cybersecurity requirements for products with digital elements. It applies to hardware and software products that can connect to networks, requiring secure-by-design development and lifecycle security.

Question 2

Who must comply with CRA?

Accepted Answer

The CRA applies to manufacturers, importers, and distributors of products with digital elements placed on the EU market. Manufacturers bear primary responsibility for design, development, conformity assessments, and vulnerability handling.

Question 3

What are the core CRA requirements?

Accepted Answer

Core requirements include secure-by-design and secure-by-default development, vulnerability handling processes, security updates, technical documentation, conformity assessments, and incident reporting for actively exploited vulnerabilities.

Question 4

What are products with digital elements?

Accepted Answer

Products with digital elements are hardware or software products that contain digital functionality and can connect to a network or other devices. This includes standalone software, embedded firmware, IoT devices, and cloud-connected applications.

Question 5

Does CRA require secure-by-design?

Accepted Answer

Yes, the CRA mandates secure-by-design and secure-by-default principles. Products must be designed to reduce vulnerabilities, limit attack surfaces, and ensure appropriate security settings are enabled by default.

Question 6

What is the vulnerability handling requirement?

Accepted Answer

Manufacturers must establish formal vulnerability handling processes including identification, documentation, assessment, and remediation of vulnerabilities, security updates, and coordinated vulnerability disclosure mechanisms.

Question 7

What are the incident reporting rules?

Accepted Answer

Manufacturers must report actively exploited vulnerabilities and serious cybersecurity incidents without undue delay. Reports must include the nature of the vulnerability, affected products, potential impact, and remedial measures.

Question 8

What documentation is required?

Accepted Answer

The CRA requires comprehensive technical documentation describing product design, cybersecurity risk management, secure development measures, SBOM, vulnerability handling, and conformity with cybersecurity requirements.

Question 9

Does CRA overlap with other frameworks?

Accepted Answer

Yes, the CRA shares common ground with NIS2, the EU AI Act, and ISO 27001, particularly in areas of risk management, vulnerability handling, and secure development. A unified control approach enables efficient multi-framework compliance.

Question 10

How does Basenorm support CRA compliance?

Accepted Answer

Basenorm supports CRA by providing unified control mapping, SBOM documentation, vulnerability handling workflows, incident reporting, and continuous monitoring for secure development and lifecycle compliance.

Cyber Resilience Act for Software and Connected Products

Secure-by-Design Requirements for Digital Products

Secure-by-Design Lifecycle

Software Bill of Materials

Lifecycle Documentation and Compliance Evidence

Vulnerability Management and Mandatory Reporting

Vulnerability Disclosure Workflow

Frequently Asked Questions