CRA References and Resources

How to use these references

This page collects authoritative sources and supporting standards for the CRA tutorial.

• Use the CRA primary sources to verify any legal interpretation or borderline case.
• Use the guidance and standardisation links to track evolving harmonised standards (PT1/PT2/PT3, vertical product standards).
• Use the SDL, vulnerability, SBOM and IoT baseline standards as concrete technical backing for design decisions documented in your CRA technical file.

Each tutorial page in this series links back here when it relies on one of these external documents.

CRA Primary Sources

• Regulation (EU) 2024/2847 — Cyber Resilience Act
  • Publisher: Official Journal of the EU (EUR‑Lex)
  • URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R2847
  • One‑line: Binding legal text of the CRA.
• Cyber Resilience Act — Commission page
  • Publisher: European Commission (DG CONNECT)
  • URL: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
  • One‑line: Central hub with official overview and updates.
• CRA — Summary of the legislative text
  • Publisher: European Commission
  • URL: https://digital-strategy.ec.europa.eu/en/policies/cra-summary
  • One‑line: Plain‑language summary of scope, obligations, annexes.
• CRA — Conformity assessment
  • Publisher: European Commission
  • URL: https://digital-strategy.ec.europa.eu/en/policies/cra-conformity-assessment
  • One‑line: Self vs third‑party assessment; important/critical categories.
• CRA — Standardisation
  • Publisher: European Commission
  • URL: https://digital-strategy.ec.europa.eu/en/policies/cra-standardisation
  • One‑line: Standardisation request to ESOs (CEN/CENELEC/ETSI) for harmonised standards.
• CRA — Reporting obligations
  • Publisher: European Commission
  • URL: https://digital-strategy.ec.europa.eu/en/policies/cra-reporting
  • One‑line: Early warning and incident reporting to ENISA.

CRA Guidance

• CRA Implementation FAQ
  • Publisher: European Commission
  • URL: https://ec.europa.eu/newsroom/dae/redirection/document/122331
  • One‑line: Clarifications on scope, FOSS treatment, reporting.
• STAN4CRA — ESO portal for CRA standardisation
  • Publisher: CEN/CENELEC/ETSI
  • URL: https://www.stan4cra.eu/
  • One‑line: Tracks CRA standardisation deliverables and engagement.
• ETSI Cyber Security — CRA section
  • Publisher: ETSI
  • URL: https://www.etsi.org/technologies/cyber-security#mytoc5
  • One‑line: ETSI activities and drafts relevant to CRA.

Developer Security Practices (SDL)

• NIST SP 800‑218 — Secure Software Development Framework (SSDF) v1.1
  • Publisher: NIST
  • URL: https://csrc.nist.gov/pubs/sp/800/218/final
  • One‑line: Outcome‑based SDL, aligns to CRA Annex I lifecycle controls.
• IEC 62443‑4‑1 — Secure product development lifecycle requirements
  • Publisher: IEC
  • URL: https://webstore.iec.ch/publication/33615
  • One‑line: SDL requirements for industrial/embedded products.

Vulnerability Handling

• ISO/IEC 29147 — Vulnerability disclosure
  • Publisher: ISO/IEC JTC 1/SC 27
  • URL: https://www.iso.org/standard/72311.html
  • One‑line: Coordinated vulnerability disclosure (CVD) practices.
• ISO/IEC 30111 — Vulnerability handling processes
  • Publisher: ISO/IEC JTC 1/SC 27
  • URL: https://www.iso.org/standard/69725.html
  • One‑line: Internal intake, triage, remediation processes.

SBOM and VEX

• SPDX Specification (ISO/IEC 5962)
  • Publisher: Linux Foundation / ISO
  • URL: https://spdx.dev/specifications/
  • One‑line: SBOM format for software components.
• CycloneDX Specification (ECMA‑424)
  • Publisher: OWASP / Ecma International
  • URL: https://cyclonedx.org/specification/overview/
  • One‑line: SBOM with hardware/services support and VEX model.
• Vulnerability Exploitability eXchange (VEX)
  • Publisher: CISA
  • URL: https://www.cisa.gov/sbom/vex
  • One‑line: Communicate exploitability status of known vulnerabilities.

Embedded / IoT Baselines

• ETSI EN 303 645 — Cyber Security for Consumer IoT
  • Publisher: ETSI
  • URL: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf
  • One‑line: Baseline controls for connected devices.
• IEC 62443‑4‑2 — Technical security requirements for IACS components
  • Publisher: IEC
  • URL: https://webstore.iec.ch/publication/34421
  • One‑line: Technical requirements for embedded/industrial components.
• ENISA — Baseline Security Recommendations for IoT
  • Publisher: ENISA
  • URL: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot
  • One‑line: Practical good practices for IoT/embedded systems.

Notes on Harmonised Standards (Dec 2025)

• As of Dec 2025, CRA harmonised standards have not yet been cited in the OJ. The Commission’s standardisation request to ESOs is in progress. Until citation, manufacturers may rely on robust international/European standards (e.g., IEC 62443‑4‑1/‑4‑2, ETSI EN 303 645) and well‑recognized frameworks (e.g., NIST SSDF). The Commission may adopt common specifications if necessary (CRA Art. 27).