This document is under active development and has not been finalised.
CRA Compliance

English

Deutsch
简体中文

English

Deutsch
简体中文

Appearance

Chapter 9: CRA Compliance Matrix

Complete Mapping: CRA Article → Documentation → Tooling

This matrix maps each relevant CRA requirement to the corresponding documentation and implemented tooling. It serves as the central reference for audits and conformity assessments.

STATUS OVERVIEW

Category✅ Implemented⚠️ Product-Specific❌ OpenTotal
Art. 10 – Manufacturer Obligations84012
Art. 13 – Information Obligations3104
Art. 14 – Reporting Obligations1304
Art. 16 – Authorised Representative1203
Art. 28/29 – Conformity & CE0202
Annex I Part I – Security6107
Annex I Part II – Vulnerabilities8008
Annex II – User Information4408
Annex VII – Technical Documentation3407
Total3421055

Detailed mapping: 9.1 Tooling Map (Tool → CRA Requirement)

Art. 10 – Obligations of Manufacturers

CRA ReferenceRequirementDocumentationToolingStatus
Art. 10(1)Appropriate level of cybersecurity in design, development, productionSecurity ArchitectureSecurity Scans (Trivy, Grype, Snyk), Code Review
Art. 10(2)Conduct cybersecurity risk assessmentRisk Assessment– (manual process + template)⚠️
Art. 10(3)Include risk assessment in documentationTechnical DocumentationGit-versioned⚠️
Art. 10(4)Due diligence for third-party componentsSupply ChainLicense Compliance, Dependency Scan
Art. 10(5)Conduct conformity assessmentConformity Assessment– (manual process + template)⚠️
Art. 10(6)Effectively identify vulnerabilitiesVulnerability ManagementCVE-Monitor, Dependabot, Trivy
Art. 10(7)Provide security updates free of chargePatch ManagementDependabot, Auto-Merge, Release Pipeline
Art. 10(8)No known exploitable vulnerabilitiesCVE-MonitoringCVE-Monitor (daily), Trivy
Art. 10(9)Coordinated vulnerability disclosureDisclosure PolicySECURITY.md, GitHub Advisories
Art. 10(10)Point of contact for vulnerability reportsDisclosure PolicySECURITY.md in each repository
Art. 10(12)Integrity of security updatesSBOM & SigningCosign, SHA256
Art. 10(13)Retain documentation for 10 yearsTechnical DocumentationGit repository (10-year retention)
Art. 10(16)Define and publish support periodSupport & LifecycleSECURITY.md, product page⚠️

Art. 13 – Information Obligations

CRA ReferenceRequirementDocumentationToolingStatus
Art. 13(6)Publish CVD policyDisclosure PolicySECURITY.md
Art. 13(8)Contact details for vulnerability reportsSECURITY.mdRepository SECURITY.md
Art. 13(16)Communicate support periodSupport & Lifecycle⚠️
Art. 13(23)Produce SBOM (machine-readable)SBOM & SigningTrivy/Syft → CycloneDX JSON

Art. 14 – Reporting Obligations

CRA ReferenceRequirementDocumentationToolingStatus
Art. 14(1)Early warning for actively exploited vulnerability (24h)ENISA Reporting ProcessENISA SRP (from 09/2026)⚠️
Art. 14(2)Vulnerability notification (72h)ENISA Reporting ProcessENISA SRP⚠️
Art. 14(3)Final report (14 days)ENISA Reporting ProcessENISA SRP⚠️
Art. 14(8)User notificationCommunication PlanGitHub Advisories, E-Mail

Art. 16 – Authorised Representative (EU Authorized Representative)

CRA ReferenceRequirementDocumentationToolingStatus
Art. 16(1)Appoint authorised representative by written mandate (non-EU manufacturers)Roles & Responsibilities– (contractual process)⚠️
Art. 16(2)Keep conformity documentation available for 10 yearsRoles & ResponsibilitiesGit repository (10-year retention)
Art. 16(2)Cooperation with market surveillance authoritiesRoles & Responsibilities⚠️

Art. 28 – Declaration of Conformity & CE

CRA ReferenceRequirementDocumentationToolingStatus
Art. 28, Annex VIssue EU declaration of conformityEU DoCTemplate⚠️
Art. 29Affix CE markingEU DoC⚠️

Annex I, Part I – Security Requirements

No.RequirementDocumentationToolingStatus
1Appropriate level of cybersecuritySecurity ArchitectureMulti-Engine Security Scanning
2No known exploitable vulnerabilitiesCVE-MonitoringCVE-Monitor, Trivy, Dependabot
3.1Confidentiality protection (data)Security ArchitectureTLS, AES-256
3.2Integrity protection (data)SBOM & SigningCosign, SHA256
3.3Availability protectionSecurity ArchitectureProduct-specific⚠️
4Secure default configurationSecurity ArchitectureSecurity-by-Default
5Protection against unauthorised accessSecurity ArchitectureAuth/Authz
6Minimal attack surfaceSecurity ArchitectureAlpine/Distroless, min. services

Annex I, Part II – Vulnerability Handling

No.RequirementDocumentationToolingStatus
1Identify and document vulnerabilities (SBOM)SBOM & SigningTrivy/Syft, CycloneDX
2Remediate vulnerabilities without undue delayPatch ManagementDependabot, CI/CD
3Regular testing and reviewsSecurity ArchitectureCI/CD Security Scans
4Disclosure of remediated vulnerabilitiesDisclosure PolicyGitHub Security Advisories
5Coordinated vulnerability disclosureDisclosure PolicySECURITY.md, CVD process
6Provide security updatesUpdate MechanismRelease Pipeline, OTA
7Provision without undue delayPatch ManagementSLA-based (P0-P4)
8Designate point of contactSECURITY.mdSECURITY.md, CVD Policy

Annex II – User Information

No.RequirementDocumentationStatus
1Manufacturer name and contactProduct page, SECURITY.md
2Product identificationRelease Notes, Repository
3Intended useProduct Description⚠️
4Security-relevant propertiesUser Information Template⚠️
5Support periodSupport & Lifecycle⚠️
6Installation instructionsREADME, product documentation⚠️
7Contact for vulnerability reportsSECURITY.md
8Changelog of significant changesChangelog, Release Notes

Annex VII – Technical Documentation

No.RequirementDocumentationStatus
1General product descriptionProduct Description⚠️
2Security risk assessmentRisk Assessment⚠️
3Architecture and designSecurity Architecture
4Vulnerability handling proceduresVulnerability Management
5Applied standardsCompliance Matrix
6Conformity assessmentConformity Assessment⚠️
7EU declaration of conformityEU DoC⚠️

Legend

SymbolMeaning
Implemented and documented
⚠️Documentation available, product-specific implementation required
Not yet implemented

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT

© 2026 BAUER GROUP. Commercial use of the documentation is not permitted.

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT

© 2026 BAUER GROUP. Commercial use of the documentation is not permitted.