This document is under active development and has not been finalised.
CRA Compliance

English

Deutsch
简体中文

English

Deutsch
简体中文

Appearance

Chapter 8: CRA Compliance Matrix

Complete Mapping: CRA Article → Documentation → Tooling

This matrix maps each relevant CRA requirement to the corresponding documentation and implemented tooling. It serves as the central reference for audits and conformity assessments.

STATUS OVERVIEW

Category✅ Implemented⚠️ Product-Specific❌ OpenTotal
Art. 10 – Manufacturer Obligations84012
Art. 13 – Information Obligations3104
Art. 14 – Reporting Obligations1304
Art. 16 – Authorised Representative1203
Art. 28/29 – Conformity & CE0202
Annex I Part I – Security6107
Annex I Part II – Vulnerabilities8008
Annex II – User Information4408
Annex VII – Technical Documentation3407
Total3421055

Detailed mapping: 8.1 Tooling Map (Tool → CRA Requirement)

Obligations by Economic Operator Role

CRA AreaManufacturerImporterDistributor
Cybersecurity by design (Art. 10)✅ Full
Conformity assessment (Art. 10(5))✅ Full
SBOM generation (Art. 13(23))✅ Full
Vulnerability handling (Annex I Part II)✅ Full
Security updates (Art. 10(7))✅ Full
Incident reporting to ENISA (Art. 14)✅ Full
CE marking & EU DoC (Art. 28–29)✅ Full✅ Verify✅ Verify
User information (Annex II)✅ Full✅ Verify✅ Verify
Technical documentation (Annex VII)✅ Full✅ Keep available
Verify conformity before market placement✅ Full (Art. 15)✅ Full (Art. 17)
Inform manufacturer of non-conformity✅ Full✅ Full
Cooperate with market surveillance✅ Full✅ Full✅ Full
Name & address on product/packaging✅ Full✅ Full✅ Full

Role Legend

Manufacturer — Bears primary compliance responsibility. Designs, develops, and produces the product. Importer — Must verify manufacturer's compliance before placing product on EU market. Distributor — Must verify CE marking and declarations exist. Not responsible for content.

Estimated Effort by Product Class

Requirement AreaStandardClass IClass IICriticalAutomation
Security risk assessment20–40h20–40h30–60h40–80hManual
SBOM & signing8–16h8–16h8–16h8–16hAutomated
Vulnerability handling20–40h20–40h20–40h20–40hAutomated
Incident reporting setup16–32h16–32h16–32h16–32hSemi-auto
Technical documentation40–80h40–80h60–120h80–160hManual
CE marking & EU DoC8–16h8–16h8–16h8–16hManual
Conformity assessmentSelf (0h)Self or 40–80h*40–80h80–160hManual
One-off total112–224h112–304h182–364h252–504h
Annual total60–120h60–160h90–200h130–260h

* Class I: self-assessment if harmonised standards are applied in full; third-party assessment otherwise.

BAUER GROUP Approach

Automated tooling (Trivy, Grype, CycloneDX, Cosign, GitHub Actions) reduces actual effort significantly for Standard and Class I products. See Scope Checker for decision guidance.

Art. 10 – Obligations of Manufacturers

CRA ReferenceRequirementDocumentationToolingStatus
Art. 10(1)Appropriate level of cybersecurity in design, development, productionSecurity ArchitectureSecurity Scans (Trivy, Grype, Snyk), Code Review
Art. 10(2)Conduct cybersecurity risk assessmentRisk Assessment– (manual process + template)⚠️
Art. 10(3)Include risk assessment in documentationTechnical DocumentationGit-versioned⚠️
Art. 10(4)Due diligence for third-party componentsSupply ChainLicense Compliance, Dependency Scan
Art. 10(5)Conduct conformity assessmentConformity Assessment– (manual process + template)⚠️
Art. 10(6)Effectively identify vulnerabilitiesVulnerability ManagementCVE-Monitor, Dependabot, Trivy
Art. 10(7)Provide security updates free of chargePatch ManagementDependabot, Auto-Merge, Release Pipeline
Art. 10(8)No known exploitable vulnerabilitiesCVE-MonitoringCVE-Monitor (daily), Trivy
Art. 10(9)Coordinated vulnerability disclosureDisclosure PolicySECURITY.md, GitHub Advisories
Art. 10(10)Point of contact for vulnerability reportsDisclosure PolicySECURITY.md in each repository
Art. 10(12)Integrity of security updatesSBOM & SigningCosign, SHA256
Art. 10(13)Retain documentation for 10 yearsTechnical DocumentationGit repository (10-year retention)
Art. 10(16)Define and publish support periodSupport & LifecycleSECURITY.md, product page⚠️

Art. 13 – Information Obligations

CRA ReferenceRequirementDocumentationToolingStatus
Art. 13(6)Publish CVD policyDisclosure PolicySECURITY.md
Art. 13(8)Contact details for vulnerability reportsSECURITY.mdRepository SECURITY.md
Art. 13(16)Communicate support periodSupport & Lifecycle⚠️
Art. 13(23)Produce SBOM (machine-readable)SBOM & SigningTrivy/Syft → CycloneDX JSON

Art. 14 – Reporting Obligations

CRA ReferenceRequirementDocumentationToolingStatus
Art. 14(1)Early warning for actively exploited vulnerability (24h)ENISA Reporting ProcessENISA SRP (from 09/2026)⚠️
Art. 14(2)Vulnerability notification (72h)ENISA Reporting ProcessENISA SRP⚠️
Art. 14(3)Final report (14 days)ENISA Reporting ProcessENISA SRP⚠️
Art. 14(8)User notificationCommunication PlanGitHub Advisories, E-Mail

Art. 16 – Authorised Representative (EU Authorized Representative)

CRA ReferenceRequirementDocumentationToolingStatus
Art. 16(1)Appoint authorised representative by written mandate (non-EU manufacturers)Roles & Responsibilities– (contractual process)⚠️
Art. 16(2)Keep conformity documentation available for 10 yearsRoles & ResponsibilitiesGit repository (10-year retention)
Art. 16(2)Cooperation with market surveillance authoritiesRoles & Responsibilities⚠️

Art. 28 – Declaration of Conformity & CE

CRA ReferenceRequirementDocumentationToolingStatus
Art. 28, Annex VIssue EU declaration of conformityEU DoCTemplate⚠️
Art. 29Affix CE markingEU DoC⚠️

Annex I, Part I – Security Requirements

No.RequirementDocumentationToolingStatus
1Appropriate level of cybersecuritySecurity ArchitectureMulti-Engine Security Scanning
2No known exploitable vulnerabilitiesCVE-MonitoringCVE-Monitor, Trivy, Dependabot
3.1Confidentiality protection (data)Security ArchitectureTLS, AES-256
3.2Integrity protection (data)SBOM & SigningCosign, SHA256
3.3Availability protectionSecurity ArchitectureProduct-specific⚠️
4Secure default configurationSecurity ArchitectureSecurity-by-Default
5Protection against unauthorised accessSecurity ArchitectureAuth/Authz
6Minimal attack surfaceSecurity ArchitectureAlpine/Distroless, min. services

Annex I, Part II – Vulnerability Handling

No.RequirementDocumentationToolingStatus
1Identify and document vulnerabilities (SBOM)SBOM & SigningTrivy/Syft, CycloneDX
2Remediate vulnerabilities without undue delayPatch ManagementDependabot, CI/CD
3Regular testing and reviewsSecurity ArchitectureCI/CD Security Scans
4Disclosure of remediated vulnerabilitiesDisclosure PolicyGitHub Security Advisories
5Coordinated vulnerability disclosureDisclosure PolicySECURITY.md, CVD process
6Provide security updatesUpdate MechanismRelease Pipeline, OTA
7Provision without undue delayPatch ManagementSLA-based (P0-P4)
8Designate point of contactSECURITY.mdSECURITY.md, CVD Policy

Annex II – User Information

No.RequirementDocumentationStatus
1Manufacturer name and contactProduct page, SECURITY.md
2Product identificationRelease Notes, Repository
3Intended useProduct Description⚠️
4Security-relevant propertiesUser Information Template⚠️
5Support periodSupport & Lifecycle⚠️
6Installation instructionsREADME, product documentation⚠️
7Contact for vulnerability reportsSECURITY.md
8Changelog of significant changesChangelog, Release Notes

Annex VII – Technical Documentation

No.RequirementDocumentationStatus
1General product descriptionProduct Description⚠️
2Security risk assessmentRisk Assessment⚠️
3Architecture and designSecurity Architecture
4Vulnerability handling proceduresVulnerability Management
5Applied standardsCompliance Matrix
6Conformity assessmentConformity Assessment⚠️
7EU declaration of conformityEU DoC⚠️

Legend

SymbolMeaning
Implemented and documented
⚠️Documentation available, product-specific implementation required
Not yet implemented

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT

© 2026 BAUER GROUP. Commercial use of the documentation is not permitted.

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT

© 2026 BAUER GROUP. Commercial use of the documentation is not permitted.