CURIUM - Transforming Europe into a Trustworthy Certified Digital Valley

The project at a glance

CURIUM aims to achieve its vision by: 

• Developing an innovative Compliance Continuum to automate CRA compliance.
• Driving widespread adoption with modular, cost-efficient, and open-source solutions tailored to industry needs.
• Fostering knowledge and capacity building to support CRA implementation.
• Utilizing an agile validation process with continuous feedback loops.
• Fostering long-term sustainability by actively engaging industry stakeholders and policymakers in tool development and training.
Through these efforts, CURIUM will contribute to a Trustworthy Certified Digital Valley, strengthening Europe’s cybersecurity ecosystem.

Compliance tool description

The Conformity Assessment and Compliance (CAC) Tool will support users (SMEs) in both ex-ante and post-market monitoring activities and help them meet the rigorous expectations of the market. The first capability of the tool will be an automated self-assessment process with full visualisation of the whole process, which will help SMEs understand the requirements and identify possible gaps. The second functionality will be technical documentation management, where the tool will assess and assist users in creating technical documentation that takes into account the requirements of the CRA. The tool will also be able to import the SBOM in order to define the main components of the product (software). Post-market analysis will let SMEs see the status of the product after it has been placed on the market. The CAC tool will be able to generate a few important reports, e.g. the Declaration of Conformity, Maturity Status, a report about the SBOM, technical documentation, etc. The tool's functionality will be adapted according to the needs of users (SMEs) and feedback from the community.
This tool provides the following key features:  
• Explain to the users that only basic tests should be performed to validate the cyber resilience of products with digital elements, for which a 'basic' assurance level has been considered. Products with a 'substantial' assurance level should be well-protected, covering at least vulnerabilities and weaknesses that have been disclosed and can be exploited by attackers with a certain level of expertise and skills. Thus, for the 'substantial' assurance, the testing assessment activities should ensure an adequate level of security. The user will be notified about the need for third party assessment.   
• Guide the SME through the process of checking compliance with the CRA and visualize the whole process.  
• Guide the SME through the process of uploading technical documentation, as well as “evidence” to justify which security requirements are fulfilled.   
• Evaluate digital products based on the uploaded evidence (documentation) with assurance level.   
• Generate a Statement of Conformity (DoC) as a certificate attesting to the completion of the evaluation process.   
• Generate an enriched report based on the uploaded and required technical documentation, in accordance with the CRA.   
• Implement Post-market Analysis/Monitoring capability with notification to the SME about new vulnerabilities or new regulatory/legal changes in CRA.