You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force 12 November 2024 and applies from 11 December 2027. It targets products with digital elements and creates obligations around essential cybersecurity requirements, vulnerability handling, security update delivery, and technical documentation. Automotive products are explicitly in scope. RDX is uniquely positioned to be the bridge between TARA, SBOM, VEX, vulnerability management, test evidence, and CRA technical documentation — but today the schema has no CRA-specific concepts.
Example: examples/rdx-cra-profile-example.json showing a CRA-compliant product with SBOM link, VEX, support period, vulnerability handling process, and incident reporting touchpoint.
Motivation
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force 12 November 2024 and applies from 11 December 2027. It targets products with digital elements and creates obligations around essential cybersecurity requirements, vulnerability handling, security update delivery, and technical documentation. Automotive products are explicitly in scope. RDX is uniquely positioned to be the bridge between TARA, SBOM, VEX, vulnerability management, test evidence, and CRA technical documentation — but today the schema has no CRA-specific concepts.
Proposed change
profile: cra-product-security) per the profiles work in Add USE_CASE_COVERAGE.md with per-use-case acceptance criteria and conformance profiles #50.productClassificationonitemDefinition:intendedUse,foreseeableMisuse,commercialDistributionStatus,cefClass(CRA important/critical class),placedOnMarketDate.supportPeriodonitemDefinition:startDate,endDate,updatePolicyRef,updateDeliveryMechanism.vulnerabilityHandlingobject (PSIRT / CVD references, vulnerability status, remediation plan, advisory references). ReuseslinkedArtifacts[]for advisory linkage where possible (Richer SBOM/HBOM/VEX linkage via a typed linkedArtifacts[] traceability layer #52).incidentReports[]withincidentRef,exploitationStatus,authorityReportingStatus(e.g., notified to ENISA / national CSIRT),reportedAt.regulatoryMappings[](Add regulatoryMappings[] for flexible cross-framework mapping (R155, ISO 21434, CRA, ...) #56) — control evidence mapped to CRA essential requirements; new requirement text inlined for offline reading.examples/rdx-cra-profile-example.jsonshowing a CRA-compliant product with SBOM link, VEX, support period, vulnerability handling process, and incident reporting touchpoint.References
Acceptance criteria
examples/rdx-cra-profile-example.jsonvalidates and covers all CRA-specific fieldsmethodology/includes a CRA mapping page that lists Annex I requirements addressed by RDX objectsSurfaced by external AI peer review; see chat transcript for full review text.