CRA Compliance with Gover
The Cyber Resilience Act (CRA) establishes cybersecurity requirements for products with digital elements.
Overview
| Attribute | Value |
|---|---|
| Full Name | Cyber Resilience Act |
| Jurisdiction | European Union |
| Status | Adopted 2024 |
| Applies To | Products with digital elements |
Scope
The CRA applies to:
- Hardware products with digital elements
- Software products
- Remote data processing solutions
- Components and accessories
Exclusions
- Medical devices (covered by MDR)
- Motor vehicles (covered by vehicle regulations)
- Aviation products
- Open source (non-commercial)
Key Requirements
Security by Design
- Secure development lifecycle
- Vulnerability management
- Security testing
Product Requirements
- No known exploitable vulnerabilities
- Secure default configuration
- Protection of confidentiality and integrity
- Minimal attack surface
Vulnerability Handling
- Coordinated vulnerability disclosure
- Security updates for product lifetime
- Minimum 5-year support period
Documentation
- Technical documentation
- EU declaration of conformity
- User instructions
Using Gover for CRA
1. Add the Framework
- Go to Frameworks → Add Framework
- Select CRA from templates
- Add to your workspace
2. Assess Product Portfolio
Identify products in scope:
- Hardware with digital elements
- Software products
- Connected devices
3. Map Development Controls
Link controls for:
- Secure development lifecycle
- Security testing
- Vulnerability management
- Incident response
4. Document Compliance
Prepare required documentation:
- Technical documentation
- Risk assessments
- Conformity declarations
Compliance Timeline
| Milestone | Date |
|---|---|
| Entry into force | 2024 |
| Reporting obligations | 21 months after entry into force |
| Full application | 36 months after entry into force |
Product Categories
Default Category
- Self-assessment
- Most products
Important Products (Class I)
- Third-party assessment option
- Identity management, VPNs, etc.
Critical Products (Class II)
- Mandatory third-party assessment
- Operating systems, firewalls, etc.