gbrain: sync converted org-mode brain files

ideas/compliance/cra.org

@@ -0,0 +1,32 @@
+:PROPERTIES:
+:ID:       auto-cra
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: transaction." First-mover advantage: wallets are being built now; the provider
+#+filetags: :passepartout:compliance:framework:cra:
+
+transaction." First-mover advantage: wallets are being built now; the provider
+that integrates with the wallet standard first locks in the identity gate
+integration.
+
+** CRA (Cyber Resilience Act)
+
+EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements
+for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM
+(software bill of materials) disclosure, CE marking for cybersecurity.
+
+Who must comply: Manufacturers, importers, and distributors of connected products
+sold in the EU. Categories: default (self-declaration), Class I (third-party
+audit), Class II (notified body assessment).
+
+Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
+reporting obligations.
+
+Why it matters: CRA's CE marking requirement creates a certification pipeline
+that the verification appliance can supply. If Passepartout's gate stack is
+itself CRA-compliant (verified by the evaluation harness), it becomes the
+compliance infrastructure for any product built on it. First-mover advantage:
+Class II products require notified body assessment — the bottleneck is notified
+body capacity. The gate stack's automated evidence pipeline bypasses the
+bottleneck.
+