CRA Compliance Glossary
Key terms and definitions to help you navigate the Cyber Resilience Act with confidence.
Acceptable Risk
Risk that is deemed tolerable for the intended and reasonably foreseeable use of a Product with Digital Elements (PDE), considering the state of the art, health and safety of users, and broader security objectives. Acceptability is determined against defined risk acceptance criteria established during the risk assessment process.
Activity
Advisory
A formal communication issued by a manufacturer, CSIRT (Computer Security Incident Reponse Team), or researcher to inform stakeholders of a known vulnerability, including its potential impact, recommended mitigation, and guidance on remediation. Advisories are central to coordinated vulnerability disclosure (CVD) and must be publicly accessible.
Architecture Review
Asset
Authenticity
Availability
CRA (Cyber Resilience Act)
CE Marking
CI/CD (Continuous Integration / Continuous Delivery)
Confidentiality
Conformity Assessment
The process used to demonstrate that a product meets specific requirements. Who can do this, depends on the product class:
- Class I: Self-assessment by the manufacturer.
- Class II / Critical: Involves a Notified Body (external review)
CVD (Coordinated Vulnerability Disclosure)
CVE (Common Vulnerabilities and Exposures)
DAST (Dynamic Application Security Testing)
(Software) Dependency
DoC (Declaration of Conformity)
EOL (End of Life)
The point at which a manufacturer ceases to provide updates, support, or security patches for a product. Under the CRA:
- EOL must be clearly communicated in user documentation.
- Technical documentation (including final SBOM, risk assessment, and change logs) must be archived and retained for 10 years after the product’s last placement on the market.
ESO (European Standardisation Organisation)
One of the three EU-recognized bodies responsible for developing harmonized standards to support EU legislation. ESOs provide technical specifications that, when cited in the Official Journal of the EU, grant a presumption of conformity with CRA requirements.
The three ESOs are:
- CEN – European Committee for Standardization
- CENELEC – European Committee for Electrotechnical Standardization
- ETSI – European Telecommunications Standards Institute
Essential Requirements (CRA Annex I)
The mandatory cybersecurity requirements that all PDEs must meet under the CRA. These include:
- Secure design and development
- Secure update mechanisms
- Vulnerability handling and disclosure
- Supply chain risk management
- Resilience to cyber threats
All CRA compliance activities, including risk assessments, technical documentation, and conformity assessment, are evaluated against these requirements.
Harmonised Standards
European standards developed by ESOs (e.g., CEN, CENELEC, ETSI) that provide a presumption of conformity with the CRA. Adherence to an applicable harmonized standard simplifies the conformity assessment process and reduces the burden of proof.
Integrity
Lifecycle Security
Likelihood
Notified Body
Online Hosting Location
Patch Management
PDE (Product with Digital Elements)
Presumption of Conformity
Product Control
Remediation
Reporter
Residual Cybersecurity Risk/Residual Risk
Risk Assessment
Risk Register
SAST (Static Application Security Testing)
SBOM (Software Bill of Materials)
Secure-by-Default
Secure-by-Design
Security Control
Security Objective
Security Posture
Shift-left
Software Package
Supply Chain Risk
STRIDE
A lightweight threat modeling framework used in code reviews and architecture analysis:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
Technical Documentation
All the internal documentation needed to demonstrate compliance with CRA, including:
- Risk assessments
- Security architecture
- SBOM
- Test reports
- Change logs
Must be maintained and updated throughout the product lifecycle and kept for 10 years after end-of-life.
Threat Modeling
A structured process for identifying potential security threats and vulnerabilities in a system – ideally done early in the design phase. It helps teams think through how attackers might exploit the system and what defenses are needed. Lightweight approaches like STRIDE are often used in CRA-aligned workflows.
