The EU Cyber Resilience Act: A hands-on guide for Engineering Teams and Tech Leadership

Think of this book as a technical guide to translating legal requirements into actionable tickets, design specifications, and test plans. We’ll focus on the sections of the CRA that directly impact developers, security engineers, and product managers, and we’ll try to provide a practical answer to the most crucial questions, like:

  • What defines “critical” vs. “non-critical” software?
  • What are the required security properties (e.g., security by design)?
  • What documentation and logging are legally mandated?
  • How long must we provide support and security updates?
  • How do we implement a proper SSDLC (Secure Software Development Lifecycle)?
  • What does my team need to do to keep things running smoothly in the long term?
  • What are the penalties for non-compliance?

In a few words: its goal is to move past the initial dread of regulatory complexity and empower you to build resilient software with the clarity the CRA demands.

Table of contents

Section 1: The global landscape

  • 1. Glossary of (not so obvious) terms
  • 2. The Regulatory Thicket

Section 2: Cybersecurity fundamentals

  • Preamble
  • 3. Cybersecurity is a first-class citizen
  • 4. Cybersecurity posture
  • 5. Cybersecurity misconceptions
  • 6. The “Defense in Depth” principle
  • 7. Software Bill Of Materials (SBOM)
  • 8. SemVer 2.0
  • 9. Organizations, knowledge bases, standards and data formats
  • 10. IEC 62443

Section 3: Quality Assurance fundamentals

  • 11. Quality Assurance principles
  • 12. VCS and code branch management
  • 13. Structured commit messages
  • 14. SAST & DAST
  • 15. Software Development Lifecycle (SDLC)
  • 16. Secure Software Development Lifecycle (SSDLC)
  • 17. CI/CD

Section 4: The CRA “TL;DR” (Too Long; Didn’t Read)

  • 18. General aspects of the CRA
  • 19. The CRA timeline
  • 20. Obligations
  • 21. Products classification and the certification process
  • 22. The CRA “Modules” for certification
  • 23. Technical Documentation
  • 24. Risk assessment
  • 25. Vulnerability Handling Policy
  • 26. EU Declaration of conformity
  • 27. CE Marking
  • 28. Product lifecycle (simplified view)
  • 29. Enforcement
  • 30. Sweeps and investigations
  • 31. CRA Penalties for Non-Compliance
  • 32. The dual-track of liability
  • 33. Are you “guilty” in case of a successful attack on your product?
  • 34. How to use NANDO to find authorized testers and Notified Bodies
  • 35. What about Open-Source Software (OSS) Stewards?
  • 36. What about custom-tailored products and “one shot” projects?
  • 37. Use case 1: connected complex systems and “combined products”
  • 38. Use case 2: non-connected complex systems and “combined products”
  • 39. I want to become a Notified Body!
  • Section wrap-up

Section 5: In-depth analysis of the Regulation

  • 40. Structure of the Regulation
  • 41. Preamble and Recitals
  • 42. Chapter I – General provisions
  • 43. Chapter II – Obligations of economic operators and provisions in relation to FOSS
  • 44. Chapter III – Conformity of the product with digital elements
  • 45. Chapter IV – Notification of conformity assessment bodies
  • 46. Chapter V – Market surveillance and enforcement
  • 47. Chapter VI – Delegated powers and committee procedure
  • 48. Chapter VII – Confidentiality and penalties
  • 49. Chapter VIII – Transitional and final provisions
  • 50. ANNEX I – Essential cybersecurity requirements
  • 51. ANNEX II – Information and instructions to the user
  • 52. ANNEX III – Important products with digital elements
  • 53. ANNEX IV – Critical products with digital elements
  • 54. ANNEX V – EU Declaration of conformity
  • 55. ANNEX VI – Simplified EU declaration of conformity
  • 56. ANNEX VII – Content of the technical documentation
  • 57. ANNEX VIII – Conformity assessment procedures
