EU Cyber Resilience Act (CRA)
The EU CRA policy is currently in Beta. It is usable and reasonably complete, but the control set is still being refined. See Policy Stability.
The EU Cyber Resilience Act (CRA) is a horizontal EU regulation establishing baseline cybersecurity requirements for products with digital elements placed on the EU market. It covers security-by-design, vulnerability handling, conformity assessment, CE marking, and software bill of materials (SBOM). Its Annex I defines the essential cybersecurity requirements, and full compliance becomes mandatory in December 2027.
Focus Areas for Nori Analysis
When azuma nori evaluates a codebase against the CRA, the sub-agents concentrate on the technical, code-visible aspects of Annex I:
- Security-by-Design & Default: Evidence that the product ships with secure defaults — authentication, access control, input validation, and safe configuration out of the box.
- Data Protection: Confidentiality and integrity of stored and transmitted data, including appropriate use of cryptography (cross-referencing the BSI TR-02102 guidelines where relevant).
- Vulnerability Handling: Signals that dependencies are tracked, and that known-vulnerable components and insecure patterns can be identified and remediated.
- Attack-Surface Minimization: Reduction of unnecessary exposure — limited network surfaces, least-privilege defaults, and disabling of non-essential functionality.
Providing Manual Evidence
Much of the CRA is process and governance oriented — conformity assessment, CE marking, coordinated vulnerability disclosure, and the maintenance of an SBOM — which source-code analysis alone cannot demonstrate.
For these requirements, attach your supporting documentation (vulnerability-handling policy, SBOM, disclosure process, conformity records) via the Evidence tab in the Standalone Client. nori synthesizes these with the code findings to produce a complete compliance picture.