Skip to content

Add EU CRA (Regulation 2024/2847) product cybersecurity profile #54

Description

@JohnASRG

Motivation

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force 12 November 2024 and applies from 11 December 2027. It targets products with digital elements and creates obligations around essential cybersecurity requirements, vulnerability handling, security update delivery, and technical documentation. Automotive products are explicitly in scope. RDX is uniquely positioned to be the bridge between TARA, SBOM, VEX, vulnerability management, test evidence, and CRA technical documentation — but today the schema has no CRA-specific concepts.

Proposed change

  1. CRA conformance profile (profile: cra-product-security) per the profiles work in Add USE_CASE_COVERAGE.md with per-use-case acceptance criteria and conformance profiles #50.
  2. productClassification on itemDefinition: intendedUse, foreseeableMisuse, commercialDistributionStatus, cefClass (CRA important/critical class), placedOnMarketDate.
  3. supportPeriod on itemDefinition: startDate, endDate, updatePolicyRef, updateDeliveryMechanism.
  4. vulnerabilityHandling object (PSIRT / CVD references, vulnerability status, remediation plan, advisory references). Reuses linkedArtifacts[] for advisory linkage where possible (Richer SBOM/HBOM/VEX linkage via a typed linkedArtifacts[] traceability layer #52).
  5. incidentReports[] with incidentRef, exploitationStatus, authorityReportingStatus (e.g., notified to ENISA / national CSIRT), reportedAt.
  6. CRA Annex I mapping via regulatoryMappings[] (Add regulatoryMappings[] for flexible cross-framework mapping (R155, ISO 21434, CRA, ...) #56) — control evidence mapped to CRA essential requirements; new requirement text inlined for offline reading.
  7. Example: examples/rdx-cra-profile-example.json showing a CRA-compliant product with SBOM link, VEX, support period, vulnerability handling process, and incident reporting touchpoint.

References

Acceptance criteria


Surfaced by external AI peer review; see chat transcript for full review text.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ai-proposalProposed by the AI idea scout; needs human reviewenhancementNew feature or requestpeer-reviewSurfaced by external AI/peer review of the repopriority/P2Medium priority — regulatory & lifecycle

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions