
A Mapping Analysis of Requirements Between the CRA and the GDPR

Jukka Ruohonen, Kalle Hjerppe, Eun-Young Kang

TL;DR

The paper analyzes how the EU Cyber Resilience Act (CRA) aligns with and extends the GDPR, identifying overlaps in the CIA triad, data minimization, traceability, data erasure, and security testing. It conducts a mapping analysis to extract seven new essential CRA requirements—no known vulnerabilities, secure defaults, security updates, attack surface minimization, exploitation mitigation, SBOMs, and vulnerability coordination—situated within a risk-based regulatory framework. The methodology emphasizes an interdisciplinary, requirements-engineering approach to legal obligations, highlighting how broad, product-focused cyber security demands can be reconciled with existing data protection principles. The findings suggest that while the CRA builds on familiar security design principles, its wide scope poses sector-specific challenges and opportunities for harmonization with related directives, warranting further case studies and auditing research to guide real-world compliance.

Abstract

A new Cyber Resilience Act (CRA) was recently agreed upon in the European Union (EU). The paper examines and elaborates what new requirements the CRA entails by contrasting it with the older General Data Protection Regulation (GDPR). According to the results, there are overlaps in terms of confidentiality, integrity, and availability guarantees, data minimization, traceability, data erasure, and security testing. The CRA's seven new essential requirements originate from obligations to (1) ship products without known exploitable vulnerabilities and (2) with secure defaults, to (3) provide security patches typically for a minimum of five years, to (4) minimize attack surfaces, to (5) develop and enable exploitation mitigation techniques, to (6) establish a software bill of materials (SBOM), and to (7) improve vulnerability coordination, including a mandate to establish a coordinated vulnerability disclosure policy. With these results and an accompanying discussion, the paper contributes to requirements engineering research specialized in legal requirements, demonstrating how new laws may affect existing requirements.

Paper Structure

This paper contains 25 sections and 5 figures.

Figures (5)

  • Figure 1: Changes, Ripples, and the Paper's Scope
  • Figure 2: Overlaps Between the CRA's and the GDPR's Requirements
  • Figure 3: The CRA's New Essential Requirements
  • Figure 4: Non-Functional, Functional, and Organizational Requirements Identified from the CRA's Essential Cyber Security Requirements
  • Figure 5: Updating Requirements