TY - GEN
T1 - A Mapping Analysis of Requirements Between the CRA and the GDPR
AU - Ruohonen, Jukka
AU - Hjerppe, Kalle
AU - Kang, Eun-Young
PY - 2025/9
Y1 - 2025/9
N2 - A new Cyber Resilience Act (CRA) was recently agreed upon in the European Union (EU). The paper examines and elaborates what new requirements the CRA entails by contrasting it with the older General Data Protection Regulation (GDPR). According to the results, there are overlaps in terms of confidentiality, integrity, and availability guarantees, data minimization, traceability, data erasure, and security testing. The CRA’s seven new essential requirements originate from obligations to (1) ship products without known exploitable vulnerabilities and (2) with secure defaults, to (3) provide security patches typically for a minimum of five years, to (4) minimize attack surfaces, to (5) develop and enable exploitation mitigation techniques, to (6) establish a software bill of materials (SBOM), and to (7) improve vulnerability coordination, including a mandate to establish a coordinated vulnerability disclosure policy. With these results and an accompanying discussion, the paper contributes to requirements engineering research specialized in legal requirements, demonstrating how new laws may affect existing requirements.
AB - A new Cyber Resilience Act (CRA) was recently agreed upon in the European Union (EU). The paper examines and elaborates what new requirements the CRA entails by contrasting it with the older General Data Protection Regulation (GDPR). According to the results, there are overlaps in terms of confidentiality, integrity, and availability guarantees, data minimization, traceability, data erasure, and security testing. The CRA’s seven new essential requirements originate from obligations to (1) ship products without known exploitable vulnerabilities and (2) with secure defaults, to (3) provide security patches typically for a minimum of five years, to (4) minimize attack surfaces, to (5) develop and enable exploitation mitigation techniques, to (6) establish a software bill of materials (SBOM), and to (7) improve vulnerability coordination, including a mandate to establish a coordinated vulnerability disclosure policy. With these results and an accompanying discussion, the paper contributes to requirements engineering research specialized in legal requirements, demonstrating how new laws may affect existing requirements.
KW - legal requirements
KW - essential requirements
KW - cyber security
KW - regulations
KW - compliance
KW - conformance
KW - redundancy
U2 - 10.1109/REW66121.2025.00034
DO - 10.1109/REW66121.2025.00034
M3 - Article in proceedings
T3 - Proceedings - IEEE International Requirements Engineering Conference Workshops (REW)
SP - 215
EP - 222
BT - 2025 IEEE 33rd International Requirements Engineering Conference Workshops (REW)
PB - IEEE
T2 - 2025 IEEE 33rd International Requirements Engineering Conference Workshops (REW)
Y2 - 1 September 2025 through 5 September 2025
ER -