Login Contact Us Book a Demo
Resources Whitepapers
CRA Compliance Checklist | Sonatype Guide

CRA Compliance Checklist

The Cyber Resilience Act (CRA), covers all products with digital elements that can be connected to a device or a network. The CRA includes eight annexes that provide detailed requirements and standards, including Essential Cybersecurity Requirements (Annex I) and Reporting Obligations of Manufacturers (Article 11). Only products that comply with these requirements will be allowed on the market. Technical documentation proving compliance is necessary, and imported products require a CE mark.

This checklist covers key elements of Annex I and Article 11, and how Sonatype can help support compliance throughout the SDLC.

Questions to Consider Your Preparedness to Comply with CRA Requirements

Risk Assessment

  • Do we have processes to identify, monitor, and manage ICT risks?
  • Are our ICT risk management policies and procedures up-to-date and aligned with regulatory requirements?
  • Do we have a process for continuous monitoring of ICT systems and services?

Incident Response

  • Are there predefined procedures for responding to and recovering from cyber incidents? 
  • Is our incident response plan tested regularly and updated as needed? 
  • Have we established communication plans for internal and external stakeholders in the event of a security incident? 
  • Do you have SBOMs collected for rapid triaging of issues? 

Data Protection

  • Are we taking steps to protect the confidentiality of all sensitive and personal data? 
  • Do we have measures in place to detect and respond to data breaches? 
  • Are adequate security controls in place to protect software and data integrity? 
  • Is encryption used for sensitive data at rest and in transit? 
  • Are regular security audits conducted to ensure compliance with internal and external standards? 

Standards and Policies

  • Do we have a comprehensive cybersecurity policy in place? 
  • Are all employees aware of and trained on these policies? 
  • Do we have a designated person or team responsible for these policies? 

Access Control and Third-Parties

  • Are controls in place to ensure that only authorized personnel can access sensitive systems and data? 
  • Are these access controls regularly reviewed and updated? 
  • Are our suppliers and third-party partners also complying with our cybersecurity requirements? 
  • Do we have agreements in place that mandate cybersecurity standards for third parties? 

Reporting Obligations

  • Is there an established incident response plan for potential security breaches? 
  • Are all software security incidents documented and reported as required by regulatory standards? 
  • Do we automate the production of SBOMs and other evidence to speed up report generation? 

How Sonatype Can Help Optimise and Protect Your Software Supply Chain 

Vulnerability scanning is central to the CRA, and only products that comply with the security and vulnerability management requirements above will be allowed on the market. Products will be presumed to be compliant, but sanctions will apply if they are discovered not to be. The Sonatype platform can help developers gather and report on compliance information, identify vulnerabilities, and meet the reporting requirements. To learn more about how we can help you ensure compliance, download our CRA User’s Guide to Compliance.

img-EU_deep_dive_graphic

See How Sonatype SBOM Manager Can Help You Comply with the CRA

Book a Demo