28 September - 1 October | Cardo Roma, Italy

Mapping CRA Requirements to Common Criteria Protection Profiles—An Actual Example (C13d)

Learn how to map CRA requirements to Common Criteria protection profiles through real examples.
29 Sep 2026
4:45 pm
Sala Cosmo III

The new European Union (EU) Cyber Resilience Act (CRA), which went into effect on 10 December 2024, has placed a new set of requirements on hardware and software products (“products with digital elements”) that are made available to the EU market. For vendors, CCTLs, SMEs and others who develop Protection Profiles for digital products in countries covered under the CCRA, it will be critical to fully understand and internalize the impact of the CRA’s new requirements on the class of products their Protection Profile covers, so that full CRA compliance can be achieved. One way to understand that impact is to map the CRA’s requirements to the SFRs and SARs of the current version of a Protection Profile; doing this shows where the gaps are and which new and modified requirements need to be included in future versions of the Protection Profile to ensure full compliance with the CRA.

Hardcopy devices fall under the scope of the CRA. This talk will discuss the mapping of the CRA’s requirements to the latest version (Version 2.0) of the Hardcopy Device collaborative Protection Profile (HCD cPP). The talk will show where the HCD cPP meets CRA requirements (and, when possible, the degree to which it meets them), where the gaps are, and what next steps are suggested for the HCD cPP to achieve full CRA compliance.