:PROPERTIES:
:ID:       ce81fefc-b7a8-4be5-912f-55fd30970b6e
:ID:       auto-cra
:CREATED:  [2026-05-23 Sat]
:END:
#+title: CRA (EU Cyber Resilience Act)
#+filetags: :passepartout:compliance:framework:cra:

transaction." First-mover advantage: wallets are being built now; the provider
that integrates with the wallet standard first locks in the identity gate
integration.

** CRA (Cyber Resilience Act)

EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements
for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM
(software bill of materials) disclosure, CE marking for cybersecurity.

Who must comply: Manufacturers, importers, and distributors of connected products
sold in the EU. Categories: default (self-declaration), Class I (third-party
audit), Class II (notified body assessment).

Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
reporting obligations.

Why it matters: CRA's CE marking requirement creates a certification pipeline
that the [[id:84a537b4-4256-50c8-91f5-dd5b4538418f][verification appliance]] can supply. If [[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]]'s gate stack is
itself CRA-compliant (verified by the [[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]]), it becomes the
compliance infrastructure for any product built on it. First-mover advantage:
Class II products require notified body assessment — the bottleneck is notified
body capacity. The gate stack's automated evidence pipeline bypasses the
bottleneck.