Meeting EU AI Act and Cyber Resilience Act Requirements
The EU Cyber Resilience Act (CRA) and AI Act impose strict security and supply chain requirements on software vendors. These regulations apply to any software sold or operated in the EU, regardless of company location.
CleanStart provides built-in compliance features for CRA requirements without additional overhead.
EU Cyber Resilience Act (CRA)
What CRA Requires
Effective Date: September 2024 (compliance deadline: September 2025)
All software vendors must document the security of their products, including known vulnerabilities and fixes. They must track all dependencies in their supply chain. They must respond to cybersecurity incidents within 72 hours. They must publicly disclose critical vulnerabilities.
CRA Compliance with CleanStart
1. Vulnerability Documentation
CRA Requirement: "The manufacturer shall make available, in a clear, accessible and concise manner, information on cybersecurity properties, including any known unresolved vulnerabilities."
CleanStart Implementation:
```bash
# Generate public vulnerability statement
cleanimg-init --cra-compliance --image myapp:1.0.0 \
  --generate-vulnerability-statement

# Statement includes:
# - All known vulnerabilities (CVEs)
# - Status of each (affected/not_affected/fixed)
# - Timeline for fixes
# - Workarounds or mitigations
```
2. Software Bill of Materials (SBOM)
CRA Requirement: "The software bill of materials shall include all components and dependencies at all levels."
CleanStart Implementation:
```bash
# Generate complete SBOM (SPDX 3.0)
cleanimg-init --image myapp:1.0.0 --sbom app.spdx

# SBOM is automatically:
# - Machine-readable (SPDX format)
# - Signed (authenticates origin)
# - Publicly available (published with product)
```
3. Incident Response Capability
CRA Requirement: "Respond to cybersecurity incidents within 72 hours"
CleanStart Implementation:
```bash
# Enable incident response logging
cleanimg-init --cra-compliance --image myapp:1.0.0 \
  --enable-incident-logging

# Logs capture:
# - Attack attempts (blocked/detected)
# - Anomalous behavior
# - Security events
# - Timestamps for incident response
```
4. Vulnerability Disclosure Timeline
CRA Requirement: Responsible disclosure for critical vulnerabilities
CleanStart Implementation:
```bash
# Document vulnerability fixing process
cat > SECURITY.md << 'EOF'
# Security Policy

## Reporting Vulnerabilities
- Report to: security@company.com
- Will confirm receipt within 24 hours
- Will provide timeline within 72 hours
- Will publish disclosure after fix (or 90 days max)

## Known Vulnerabilities
See VULNERABILITIES.md for current status of all CVEs
EOF
```
CRA Compliance Checklist
CRA compliance requires documentation and capability along several dimensions. Documentation must describe the product's security properties, list all known vulnerabilities with fixes and timelines specified, and be available in clear, accessible formats.
The SBOM (Software Bill of Materials) must be provided in SPDX 3.0 format, include all components, be signed and verifiable, and be published together with the product.
Incident Response must have the process documented, response capability verified and tested, a maximum response timeline of 72 hours, and logging to support investigation.
Vulnerability Management requires all known vulnerabilities to be assessed, a VEX (Vulnerability Exploitability eXchange) document generated, remediation timelines established, and any accepted risks documented.
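An added example (not CleanStart code or output): a small CI lint that enforces the vulnerability-management items above against a VULNERABILITIES.md record in the layout this page shows under "Track Vulnerability Fixes". The field names and the first two entries follow that layout; the third placeholder entry, the rules applied to open entries, and the `lint` function are assumptions made for illustration.

```python
import re
from datetime import date

# Constructed sample in the VULNERABILITIES.md layout used on this page;
# the third entry is a deliberately incomplete placeholder.
SAMPLE = """\
### CVE-2025-1234: RCE in API endpoint
- **Severity**: Critical (CVSS 9.1)
- **Affected**: Versions 1.0.0 - 1.2.0
- **Status**: Fixed in v1.2.1 (released 2025-08-15)

### CVE-2025-5678: Authentication bypass
- **Severity**: High (CVSS 8.2)
- **Affected**: Versions 1.0.0 - 1.2.2
- **Status**: Fix in development, expected v1.3.0 (2025-09-01)
- **Workaround**: None currently available

### CVE-0000-0000: placeholder entry with gaps
- **Severity**: High (CVSS 7.5)
- **Status**: Under investigation
"""

ENTRY = re.compile(r"^### (CVE-\d{4}-\d+): .*$", re.M)
FIELD = re.compile(r"^- \*\*(\w+)\*\*: (.+)$", re.M)
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")

def lint(markdown, today):
    """Return {cve_id: [problems]} for entries that are incomplete or overdue."""
    problems = {}
    parts = ENTRY.split(markdown)[1:]  # [id, body, id, body, ...]
    for cve, body in zip(parts[::2], parts[1::2]):
        fields = dict(FIELD.findall(body))
        found = [f"missing {k}" for k in ("Severity", "Affected", "Status") if k not in fields]
        status = fields.get("Status", "")
        if not status.lower().startswith("fixed"):  # entry is still open
            if "Workaround" not in fields:
                found.append("open entry has no Workaround line")
            m = ISO_DATE.search(status)
            if m is None:
                found.append("open entry has no dated fix target")
            elif date.fromisoformat(m.group()) < today:
                found.append(f"fix target {m.group()} has passed")
        if found:
            problems[cve] = found
    return problems

if __name__ == "__main__":
    for cve, found in lint(SAMPLE, date(2025, 9, 10)).items():
        print(cve, "->", "; ".join(found))
```

Run as a release gate, a non-empty result means the public record no longer backs the remediation timelines it states.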
EU AI Act: Software Supply Chain
AI Act Transparency Requirements
If software contains AI components, organizations must describe the AI model, training data, and behavior. They must document AI-specific risks. They must describe how data is protected and used. They must implement human oversight of AI decisions.
CleanStart for AI Security
```bash
# Document AI components in SBOM
cleanimg-init --image myapp-ai:1.0.0 \
  --sbom app.spdx \
  --include-model-metadata

# SBOM includes:
# - ML model name, version, date trained
# - Training data sources (with privacy classification)
# - Model type and parameters
# - Performance metrics
# - Known limitations and biases
```
AI Risk Assessment Template
```yaml
# AI Risk Assessment (EU AI Act requirement)
ai_component:
  model_name: "Credit Risk Classifier"
  version: "2.1.0"
  type: "Neural Network (Logistic Regression)"
  trained_date: "2025-03-01"

training_data:
  source: "Internal customer database (anonymized)"
  samples: 50000
  features: 24
  labels: ["high_risk", "medium_risk", "low_risk"]

risk_assessment:
  classification: "Limited Risk"  # EU AI Act classification
  accuracy: 0.94                  # 94% accuracy
  fairness:
    gender_bias: 0.02             # 2% disparity
    ethnicity_bias: 0.01          # 1% disparity
  explainability: "LIME interpretability available"
  human_oversight: "All high-risk decisions reviewed by human"

mitigation_measures:
  - Monthly bias audits
  - Regular retraining with new data
  - Human review of all high-risk decisions
  - Drift detection (retrains if accuracy drops below 0.90)
```
Compliance Documentation Generation
Generate CRA Evidence Package
```bash
# Create complete CRA compliance package
cleanimg-init --cra-package --image myapp:1.0.0 \
  --output cra-compliance-package/

# Package contents include:
# - SBOM.spdx.json (Software bill of materials)
# - VULNERABILITIES.md (Known vulnerability list)
# - SECURITY.md (Security policy)
# - INCIDENT_RESPONSE.md (Incident response plan)
# - COMPLIANCE_STATEMENT.md (CRA compliance declaration)
# - PROVENANCE.json (Build provenance using SLSA)
# - SIGNATURES/ directory containing:
#   - sbom.sig (SBOM signature)
#   - security.sig (Signed commitment)
#   - provenance.sig (Build signature)
# - EVIDENCE/ directory containing:
#   - scan-results.json (Vulnerability scan)
#   - test-results.json (Security testing)
#   - audit-logs.json (Build audit trail)
```
Publish CRA Compliance
```bash
# Make CRA package publicly available

# Option 1: Publish on company website
curl -u user:pass -F "package=@cra-compliance-package.tar.gz" \
  https://security.company.com/cra/myapp/1.0.0/

# Option 2: Publish in GitHub releases
gh release create v1.0.0 \
  -n "CRA Compliance Package: See SECURITY.md" \
  cra-compliance-package.tar.gz

# Option 3: Publish in software registry
npm publish  # npm will include SECURITY.md if present
```
Vulnerability Timeline Management
Track Vulnerability Fixes
```markdown
# VULNERABILITIES.md (public record)

## Known Vulnerabilities

### CVE-2025-1234: RCE in API endpoint
- **Severity**: Critical (CVSS 9.1)
- **Affected**: Versions 1.0.0 - 1.2.0
- **Status**: Fixed in v1.2.1 (released 2025-08-15)
- **Workaround**: Disable API until patched
- **References**: https://nvd.nist.gov/vuln/detail/CVE-2025-1234

### CVE-2025-5678: Authentication bypass
- **Severity**: High (CVSS 8.2)
- **Affected**: Versions 1.0.0 - 1.2.2
- **Status**: Fix in development, expected v1.3.0 (2025-09-01)
- **Timeline**: Will be released within 30 days
- **Workaround**: None currently available
```
Regulatory Penalties
Non-compliance with CRA: Fines up to 4% of annual global turnover. Product ban from EU market. Mandatory security improvements. Public disclosure of non-compliance. Risk: A €10M/year company could face €400K fines per violation.
Implementation Timeline
2025: CRA Compliance (September Deadline)
The CRA compliance timeline spans from March 2025 (current time) to September 2025 (compliance deadline). By March 2025, organizations must audit current supply chain security, generate SBOM for all products, document known vulnerabilities, establish incident response processes, and publish CRA compliance statements. By the September 2025 compliance deadline, all software in the EU market must be compliant with SBOM available, vulnerabilities documented, and incident response capability demonstrated.
2026: AI Act Phase-In (April Expected)
For AI-enabled software, organizations must classify AI risk level, document training data, assess bias and fairness, implement human oversight, and publish an AI risk assessment.
Compliance Checklist for Product Teams
- [ ] Audit supply chain dependencies.
- [ ] Generate SPDX SBOM.
- [ ] Scan for known vulnerabilities.
- [ ] Document all CVEs (affected/not_affected/fixed).
- [ ] Create SECURITY.md with security policy.
- [ ] Establish incident response process (72-hour SLA).
- [ ] Sign SBOM and security documentation.
- [ ] Publish CRA compliance package.
- [ ] Add vulnerability disclosure to website.
- [ ] Train team on CRA requirements.
EU CRA Resources
- Official CRA Text: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
- EU AI Act: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_5203
- Implementation Guidance: https://www.enisa.europa.eu/
See Also
- SBOM (../supply-chain-provenance/spdx-sbom.md): Software composition.
- VEX Documents (../supply-chain-provenance/vex-documents.md): Vulnerability status.
- FedRAMP (fedramp-high.md): U.S. compliance requirements.
- AI Compliance Container Evidence (ai-compliance-container-evidence.md): Comprehensive evidence collection for AI systems under EU AI Act and CRA.
