CURIUM - CRA Support Continuum

The project at a glance

The CURIUM Compliance Continuum is defined as a modular, end-to-end framework designed to enable European SMEs to achieve, demonstrate, and sustain conformity with the Cyber Resilience Act (CRA) and related EU regulatory obligations. The Continuum integrates risk-based methodologies, modular technical tools, and capacity-building services into a coherent compliance pathway, while preserving flexibility to adapt to diverse SME contexts and sectoral needs.

CURIUM aims to:

  • Enhance resilience, security, privacy, and accountability of all hardware and software products with digital elements
  • Support European SMEs, particularly micro and small enterprises, in reducing costs and time to certification

CURIUM’s approach:

  • Develop a novel Compliance Continuum via tools and services that focus on:
    • Cybersecurity information and guidance
    • Trustworthy security testing
    • Fulfillment of essential cybersecurity requirements outlined in the Cyber Resilience Act (CRA)

Compliance tool description

The finalized Compliance Continuum is structured around three interdependent layers:

1. Core Technical Assessment Tools

  • CyReA (Cyber Resilience Assessment): A tool that operationalizes the CRA by classifying digital products into two distinct groups according to their potential cybersecurity risk and criticality.
  • DPRA (Digital Product Risk Assessment): A tool that provides cyber risk management capabilities for organizations assessing the risks of individual elements of ICT products and estimating potential cascading effects and propagated risks.
  • DPMA (Digital Product Maturity Assessment): A structured and modular cybersecurity assessment tool designed to help organizations (particularly SMEs, micro-enterprises, and start-ups) evaluate the cybersecurity maturity of their digital products.
  • PSTVA (Penetration Self-Testing and Vulnerability Assessment): A customizable vulnerability assessment toolkit that performs security assessments of digital artifacts, supporting manufacturers, particularly SMEs, in demonstrating compliance with the CRA.
  • CAC (Conformity Assessment and Compliance): A tool which provides conformity assessment outputs, forming the basis of CE marking documentation.

Each tool is modular, interoperable, and deployable either independently or in sequence, allowing organizations to tailor compliance activities to their operational reality.

2. Knowledge and Capacity Services

  • Training Activity Catalogue (TAC): Provides educational resources, practical guidelines, and capacity-building modules to enhance SME understanding of CRA requirements.
  • Community and Support Functions: Facilitates knowledge sharing and best practices among SMEs, regulators, and industry stakeholders.

3. Central Access Layer

  • CURIUM User Interface (CURIUM UI): Serves as the single entry point for stakeholders, enabling seamless navigation across all tools, services, and outputs.

This modular architecture lets SMEs engage with the Compliance Continuum either holistically or selectively, ensures scalability and adaptability across sectors, and allows future interoperability with external (certification) tools, notified bodies, and EU cybersecurity services.