EN-304-624.md +30 −3
@@ -1949,9 +1949,36 @@ b) verify the OCSP response to match the constraints of the OCSP response profil # Annex A Mapping with essential requirements of the CRA    |No |Description | Requirements of Regulation |Clause(s) of the present document |U/C |Condition |---|---|---|---|---|---| |(1)| Identify/document vulnerabilities and components; provide SBOM |(2) | Remediate vulnerabilities without delay; separate security updates from feature updates |(3)| Perform regular testing and reviews of cybersecurity posture |(4)| Disclose fixed vulnerabilities with public advisories |(5)| Enforce coordinated vulnerability disclosure (CVD) policy |(6)| Facilitate third-party vulnerability reporting (contact channels, process) |(7)| Secure update delivery mechanisms |(8)| Updates shall be timely, free of charge, and include user guidance |No |Description | Requirements of Regulation |Clause(s) of the present document |U/C |Condition |---|---|---|---|---|---| |(1) | Design, development, and production must ensure appropriate cybersecurity based on risks |(2)(a)| No known exploitable vulnerabilities at market release |(2)(b) | Secure-by-default configuration |(2)(c) | Vulnerabilities can be addressed via security updates, default to automatic, with opt-out and postponement || |(2)(d)| Protection from unauthorised access via authentication and access control (2)(e)| Confidentiality of data in storage or transit (e.g., encryption) ||| |(2)(f) |Integrity of data, commands, programs, configuration; detect/report manipulation |(2)(g)|Data minimisation — only adequate and necessary data shall be processed |(2)(h)| Ensure availability of essential functions including resilience and DoS protection |(2)(i) |Avoid degradation of other systems’ availability (non-interference) |(2)(j) |Limit attack surfaces including external interfaces |(2)(k)| Include appropriate exploitation mitigation techniques |(2)(l) |Logging and internal monitoring of data/function access, with opt-out |(2)(m) |Allow 
users to permanently remove data and settings securely Key to columns:
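Review bot: the mapping columns are empty in every row of both tables in this hunk: "Clause(s) of the present document", "U/C" and "Condition" never carry a value, so Annex A currently lists the CRA requirements without actually mapping them to any clause of the document (the OCSP profile clauses this hunk is appended to, for example). Either fill those cells before merging or mark the annex as a placeholder in the commit description. Two markdown defects will also break rendering: the (2)(e) row is missing its leading pipe and row break, so `|(2)(d)| Protection from unauthorised access via authentication and access control (2)(e)| Confidentiality of data ...` collapses into the (2)(d) row, and rows (2)(c) and (2)(e) end with stray `||` / `|||` that do not match the six-column header. Finally, the two tables share identical headers but no caption distinguishing which set of CRA requirements each covers, and the "Key to columns:" line that ends the hunk has no key under it; add the legend for U/C and Condition so the columns can be filled consistently.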